Vitumonde



Llama
2008-01-04, 07:50
Had this for a while now and it's more of an annoyance than a problem. Anyway, from the procedure...

1) Kaspersky Online Scanner did not work with Opera, so I tried using IE like it said, but then it couldn't load the webpage, so I redownloaded IE and ran it again. The webpage loaded, but the "accept" button wouldn't work even after setting all options in the security menu to "prompt" and then clicking "yes" to allow ActiveX controls from the webpage. If I'm doing something wrong, tell me and I'll fix it.

2) & 3) Running Spybot-S&D while in safe mode (this also happens in normal startup), well, it gets about 1/2 way through, then comes up with a "failed to load xxxx_xx.dll" for every entry that it didn't get to remove, then displays "error - out of RAM". I had 1GB of my 1.5GB left at the time and Spybot was only using 130ish MB.

4) HJT - the thing that actually worked

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:04:04 p.m., on 4/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: (no name) - {153E1C77-992C-47A7-884D-04C89AF8E73F} - (no file)
O2 - BHO: {dfcd1620-1261-50ab-14b4-e8e2ccb3f302} - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - C:\WINDOWS\system32\sniifkxi.dll
O2 - BHO: (no name) - {2B380D9A-61A6-4D9F-97C0-4916CC7003EA} - (no file)
O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {2F7A9AF9-2277-4C31-B19E-7B09931AC99F} - (no file)
O2 - BHO: (no name) - {31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4} - C:\WINDOWS\system32\awvvt.dll (file missing)
O2 - BHO: (no name) - {3496AEAA-BD5E-4FC9-8E9E-66725F6A545B} - (no file)
O2 - BHO: (no name) - {36330830-6053-4E17-9B59-B55CF7101A19} - (no file)
O2 - BHO: (no name) - {37024FFE-F851-45A4-81DE-372AE57056C3} - (no file)
O2 - BHO: (no name) - {46782F63-2C18-4B43-90EC-C63E8AF6166B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59DFAEF9-71AB-44D0-ACE5-065317A0B614} - (no file)
O2 - BHO: (no name) - {6AE40AC7-A7FB-4077-B271-5A156B9D980D} - (no file)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\byxyvut.dll (file missing)
O2 - BHO: (no name) - {77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A} - (no file)
O2 - BHO: (no name) - {81FC19CA-4C54-4AB6-8952-341345BB8E7C} - (no file)
O2 - BHO: (no name) - {A204BC7D-6B84-4915-A629-76F790E96751} - (no file)
O2 - BHO: (no name) - {ACD52C84-DCCD-4A64-ACF3-478DA69B95CF} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O2 - BHO: (no name) - {C4D3D881-5B72-4966-8418-4B1C3C6D8D5B} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: (no name) - {C744ED46-F576-4C63-B383-8A80CFCBC5F5} - (no file)
O2 - BHO: (no name) - {CA3EA2D9-48F5-4012-8C1A-10274F99A3FD} - (no file)
O2 - BHO: (no name) - {E735962A-4C19-4447-BE6F-0BA3CE6EAE44} - (no file)
O2 - BHO: (no name) - {E96D4F03-E048-46DD-98D7-B15530AF90EC} - (no file)
O2 - BHO: (no name) - {EE403AD3-4C0A-48D4-9618-BC8D5838CD9E} - C:\WINDOWS\system32\mljgg.dll (file missing)
O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: (no name) - {F5CB5F68-091E-4F25-8998-40B75CF3D268} - C:\WINDOWS\system32\ijctcdso.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: byxyvut - byxyvut.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7242 bytes

Cheers!

ken545
2008-01-04, 14:26
Hello
Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

You're infected with the Vundo Trojan.


1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left-hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.


====================================================

Open HijackThis to Scan Only, close all open windows including this one, place a checkmark in the following entries and click on Fix Checked.

O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: (no name) - {153E1C77-992C-47A7-884D-04C89AF8E73F} - (no file)
O2 - BHO: {dfcd1620-1261-50ab-14b4-e8e2ccb3f302} - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - C:\WINDOWS\system32\sniifkxi.dll
O2 - BHO: (no name) - {2B380D9A-61A6-4D9F-97C0-4916CC7003EA} - (no file)
O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: (no name) - {2F7A9AF9-2277-4C31-B19E-7B09931AC99F} - (no file)
O2 - BHO: (no name) - {31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4} - C:\WINDOWS\system32\awvvt.dll (file missing)
O2 - BHO: (no name) - {3496AEAA-BD5E-4FC9-8E9E-66725F6A545B} - (no file)
O2 - BHO: (no name) - {36330830-6053-4E17-9B59-B55CF7101A19} - (no file)
O2 - BHO: (no name) - {37024FFE-F851-45A4-81DE-372AE57056C3} - (no file)
O2 - BHO: (no name) - {46782F63-2C18-4B43-90EC-C63E8AF6166B} - (no file)
O2 - BHO: (no name) - {59DFAEF9-71AB-44D0-ACE5-065317A0B614} - (no file)
O2 - BHO: (no name) - {6AE40AC7-A7FB-4077-B271-5A156B9D980D} - (no file)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - C:\WINDOWS\system32\byxyvut.dll (file missing)
O2 - BHO: (no name) - {77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A} - (no file)
O2 - BHO: (no name) - {81FC19CA-4C54-4AB6-8952-341345BB8E7C} - (no file)
O2 - BHO: (no name) - {A204BC7D-6B84-4915-A629-76F790E96751} - (no file)
O2 - BHO: (no name) - {ACD52C84-DCCD-4A64-ACF3-478DA69B95CF} - (no file)
O2 - BHO: (no name) - {C744ED46-F576-4C63-B383-8A80CFCBC5F5} - (no file)
O2 - BHO: (no name) - {CA3EA2D9-48F5-4012-8C1A-10274F99A3FD} - (no file)
O2 - BHO: (no name) - {E735962A-4C19-4447-BE6F-0BA3CE6EAE44} - (no file)
O2 - BHO: (no name) - {E96D4F03-E048-46DD-98D7-B15530AF90EC} - (no file)
O2 - BHO: (no name) - {EE403AD3-4C0A-48D4-9618-BC8D5838CD9E} - C:\WINDOWS\system32\mljgg.dll (file missing)
O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - C:\WINDOWS\system32\jkhfd.dll
O2 - BHO: (no name) - {F5CB5F68-091E-4F25-8998-40B75CF3D268} - C:\WINDOWS\system32\ijctcdso.dll
O20 - Winlogon Notify: byxyvut - byxyvut.dll (file missing)


=============================================

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


=================================================

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


===============================================

The thieves that have written Vundo have written it to evade a HJT scan, so we need to rename it.

This is important, do this before you post a HJT log:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right-click on HijackThis.exe (looks like a man with a spyglass) and rename it to Safer.exe.


I need to see the Vundo log, the ComboFix log and a new HJT log (renamed), please.

Llama
2008-01-05, 06:14
Alrighty then, here are the logs:

HJT (renamed safer):

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:58 p.m., on 5/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Winamp\winamp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O2 - BHO: (no name) - {BE4E0AAE-947C-4C6D-A58C-11531F18F615} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4814 bytes

================================

Note that with the HJT there was no entry for:

O2 - BHO: {dfcd1620-1261-50ab-14b4-e8e2ccb3f302} - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - C:\WINDOWS\system32\sniifkxi.dll

that was in the original log, so I'm going to assume that's a good thing. Also, there were 3 more entries that weren't in the old log but that I had told TeaTimer to block, which must've come back when I had to disable TeaTimer. They were:
02-BHO: (no name)-{BE4EO... (I didn't record beyond there)
02-BHO: (no name)-{C4D3D...
02-BHO: {cleqf355... ...eayswvhm.dll

I told HJT to fix these also.

Cheers!
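An added triage example (not HijackThis's or the forum helper's own tooling): the script below parses the R*/O* entries of an HJT log, flags the kind of entries ken545 picked out for fixing (nameless BHOs with no backing file or a random-named system32 DLL, and a Winlogon Notify hook to a missing DLL), and diffs a before/after log the way Llama did by hand above. The embedded excerpts are copied from the two logs in this thread; the heuristics are the example's own and only point at entries worth a closer look.

```python
"""Triage helpers for HijackThis (HJT) logs like the two posted in this thread.

Added example, not HijackThis's or the forum helper's own tooling. The sample
entries below are excerpts copied from the before/after logs in the thread; the
flagging heuristics are this script's own and are meant for triage, not a verdict.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# An HJT entry is "<section> - <body>"; section is R0/R1/O2/O4/O20/O23 and so on.
ENTRY_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Vundo drops DLLs with random 5-8 letter names into system32 (sniifkxi.dll, mljjk.dll ...).
RANDOM_DLL_RE = re.compile(r"\\system32\\[a-z]{5,8}\.dll")


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O2"
    body: str     # everything after "O2 - "


def parse_hjt(text: str) -> List[Entry]:
    """Extract the R*/O* entries from an HJT log; header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def suspicious_reason(e: Entry) -> Optional[str]:
    """Return why an entry looks like Vundo residue, or None if nothing trips."""
    if e.section == "O2" and e.body.startswith("BHO: "):
        name = e.body[len("BHO: "):]
        # Legitimate BHOs carry a product name; Vundo registers them nameless
        # or with a CLSID where the name should be.
        unnamed = name.startswith("(no name)") or CLSID_RE.match(name) is not None
        if unnamed and ("(no file)" in e.body or "(file missing)" in e.body):
            return "unnamed BHO whose DLL is gone (orphaned registration)"
        if unnamed and RANDOM_DLL_RE.search(e.body):
            return "unnamed BHO loading a random-named DLL from system32"
    if e.section == "O20" and "Winlogon Notify" in e.body and "(file missing)" in e.body:
        return "Winlogon Notify hook pointing at a missing DLL"
    return None


def flag_entries(text: str) -> List[Tuple[Entry, str]]:
    """Every entry in a log that trips a heuristic, paired with the reason."""
    flagged = []
    for e in parse_hjt(text):
        reason = suspicious_reason(e)
        if reason:
            flagged.append((e, reason))
    return flagged


def diff_logs(before: str, after: str) -> Tuple[Set[Entry], Set[Entry]]:
    """(removed, added) entries between two logs: the comparison Llama did by hand."""
    b, a = set(parse_hjt(before)), set(parse_hjt(after))
    return b - a, a - b


# Constructed excerpts of the first (infected) and second (post-cleanup) logs above.
BEFORE = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: {dfcd1620-1261-50ab-14b4-e8e2ccb3f302} - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - C:\WINDOWS\system32\sniifkxi.dll
O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - C:\WINDOWS\system32\mljjk.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - C:\WINDOWS\system32\jkhfd.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: byxyvut - byxyvut.dll (file missing)
"""

AFTER = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O2 - BHO: (no name) - {BE4E0AAE-947C-4C6D-A58C-11531F18F615} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
"""

if __name__ == "__main__":
    for entry, reason in flag_entries(BEFORE):
        print(f"[{entry.section}] {reason}: {entry.body[:60]}")
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"{len(removed)} entries gone after cleanup, {len(added)} new")
```

Note that the one entry the diff reports as new after cleanup is itself flagged, which is exactly the {BE4E0AAE...} BHO Llama noticed reappearing.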

Llama
2008-01-05, 06:15
VundoFix V6.7.7

Checking Java version...

Scan started at 2:27:03 p.m. 5/01/2008

Listing files found while scanning....

C:\WINDOWS\system32\aaknmvjq.dll
C:\WINDOWS\system32\adlsnobs.exe
C:\WINDOWS\system32\ahdwqato.dll
C:\WINDOWS\system32\ajonptpu.exe
C:\windows\system32\alhtvotv.exe
C:\WINDOWS\system32\awtsq.dll
C:\windows\system32\awtst.dll
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\system32\awvts.dll
C:\WINDOWS\system32\axcuflob.ini
C:\WINDOWS\system32\bbsxcuij.dll
C:\windows\system32\becwkcjv.dll
C:\WINDOWS\system32\bolfucxa.dll
C:\WINDOWS\system32\bvdkmxth.dll
C:\WINDOWS\system32\bvqibiym.exe
C:\WINDOWS\system32\chglhuof.exe
C:\windows\system32\cwetqyra.exe
C:\WINDOWS\system32\cxokrsci.exe
C:\WINDOWS\system32\cyphjvsd.dll
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddayw.dll
C:\windows\system32\dfhkj.bak1
C:\windows\system32\dfhkj.bak2
C:\windows\system32\dfhkj.ini
C:\windows\system32\dmogiavb.exe
C:\windows\system32\dpqjsxib.exe
C:\windows\system32\dvlqgali.dll
C:\WINDOWS\system32\eayswvhm.dll
C:\WINDOWS\system32\elaxnhma.dll
C:\WINDOWS\system32\eyreuxfn.dll
C:\WINDOWS\system32\fasfeobe.dll
C:\windows\system32\fdjnrltd.exe
C:\WINDOWS\system32\fesbqxie.dll
C:\WINDOWS\system32\fklglesy.dll
C:\WINDOWS\system32\fsfcwhtx.exe
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\geeba.dll
C:\windows\system32\geqqsquo.exe
C:\WINDOWS\system32\gjbgxynq.dll
C:\windows\system32\gjifoxau.exe
C:\WINDOWS\system32\gqvrmqup.exe
C:\windows\system32\gykxqafx.dll
C:\WINDOWS\system32\hdhxgsfp.dll
C:\windows\system32\hfsdbvnc.exe
C:\WINDOWS\system32\hfuoneen.dll
C:\windows\system32\hlmkucft.exe
C:\windows\system32\hquvjuap.exe
C:\windows\system32\hrollkox.dll
C:\windows\system32\igpibhxt.exe
C:\WINDOWS\system32\igufkhxu.dll
C:\windows\system32\jjkmp.bak1
C:\windows\system32\jjkmp.bak2
C:\windows\system32\jjkmp.ini
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkkhhhh.dll
C:\WINDOWS\system32\jmjefleo.dll
C:\windows\system32\jrodkada.dll
C:\WINDOWS\system32\jvgprrfc.dll
C:\windows\system32\kacrvcyg.exe
C:\WINDOWS\system32\katvejuw.dll
C:\WINDOWS\system32\kmimrcan.dll
C:\WINDOWS\system32\kqnrxlfd.dll
C:\windows\system32\krxrmntp.exe
C:\WINDOWS\system32\ktukoyuk.dll
C:\windows\system32\lacfywqk.exe
C:\windows\system32\lgwtldka.exe
C:\WINDOWS\system32\lkjjjqwd.dll
C:\windows\system32\lsobirnp.exe
C:\windows\system32\lweibfwf.dll
C:\WINDOWS\system32\lxglswgq.exe
C:\windows\system32\lypgbkip.dll
C:\windows\system32\mecdfdko.exe
C:\windows\system32\mfosuqis.exe
C:\windows\system32\mrykioey.exe
C:\windows\system32\naajkicb.exe
C:\WINDOWS\system32\nnnolji.dll
C:\WINDOWS\system32\nukbqfth.dll
C:\WINDOWS\system32\obwmknxi.dll
C:\WINDOWS\system32\oddwwhvn.exe
C:\windows\system32\oiitldsl.exe
C:\windows\system32\oitqnbnw.dll
C:\windows\system32\ojdoqvdx.exe
C:\windows\system32\olqtxsad.exe
C:\WINDOWS\system32\otaqwdha.ini
C:\windows\system32\ovgvfrss.exe
C:\WINDOWS\system32\pecmhkdc.dll
C:\windows\system32\pflsjqrh.exe
C:\WINDOWS\system32\pjpgaqqp.dll
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmnlj.dll
C:\WINDOWS\system32\pmnnn.dll
C:\WINDOWS\system32\pmnno.dll
C:\WINDOWS\system32\pmnyjecn.dll
C:\windows\system32\prjjbnuj.exe
C:\windows\system32\pvbsrogp.exe
C:\windows\system32\qbyhnxay.exe
C:\windows\system32\qirqllld.exe
C:\WINDOWS\system32\qjvmnkaa.ini
C:\WINDOWS\system32\qkwtvamq.dll
C:\windows\system32\qqstv.bak1
C:\windows\system32\qqstv.bak2
C:\windows\system32\qqstv.ini
C:\windows\system32\qstwa.bak1
C:\windows\system32\qstwa.ini
C:\WINDOWS\system32\qxbgyhrt.dll
C:\windows\system32\rdgoqilo.dll
C:\windows\system32\rhhgbaov.exe
C:\windows\system32\rnekbkav.exe
C:\windows\system32\rtkugord.exe
C:\WINDOWS\system32\rtvwa.bak1
C:\WINDOWS\system32\rtvwa.bak2
C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rvudfbln.dll
C:\windows\system32\rxqemcmh.dll
C:\WINDOWS\system32\ryyrcatv.dll
C:\WINDOWS\system32\sniifkxi.dll
C:\WINDOWS\system32\sscmyuhb.dll
C:\WINDOWS\system32\ssqrq.dll
C:\windows\system32\stbkhppd.dll
C:\windows\system32\stvwa.bak1
C:\windows\system32\stvwa.ini
C:\WINDOWS\system32\suhuhspi.dll
C:\WINDOWS\system32\svmnyjms.dll
C:\WINDOWS\system32\swjiftdp.dll
C:\windows\system32\tstwa.bak1
C:\windows\system32\tstwa.ini
C:\WINDOWS\system32\ttlavuqh.exe
C:\windows\system32\txdbbppg.dll
C:\WINDOWS\system32\uexeygti.exe
C:\WINDOWS\system32\ufqdiqog.dll
C:\WINDOWS\system32\unfjwvfd.dll
C:\WINDOWS\system32\uoxqpvtf.dll
C:\windows\system32\usqetaxl.exe
C:\windows\system32\vaculevs.dll
C:\WINDOWS\system32\vcowypym.dll
C:\WINDOWS\system32\vgxkbxgg.dll
C:\windows\system32\vieoegty.exe
C:\windows\system32\voumqsqp.dll
C:\WINDOWS\system32\vtsqq.dll
C:\windows\system32\vyxejewr.exe
C:\WINDOWS\system32\wigkbtry.dll
C:\WINDOWS\system32\wqfutprs.exe
C:\windows\system32\wrbcjmtt.exe
C:\WINDOWS\system32\wvuutts.dll
C:\windows\system32\wyilrbiv.exe
C:\windows\system32\xljkllom.exe
C:\windows\system32\xlwfaeiu.exe
C:\WINDOWS\system32\xthmfrms.dll
C:\WINDOWS\system32\yayxwxy.dll
C:\WINDOWS\system32\yjdxymxw.dll
C:\WINDOWS\system32\yjxrodkv.dll
C:\windows\system32\yrdomwof.exe
C:\WINDOWS\system32\ysitxjgt.dll
C:\windows\system32\yyfdfvip.exe

Beginning removal...


Attempting to delete C:\windows\system32\qstwa.bak1
C:\windows\system32\qstwa.bak1 Has been deleted!

Attempting to delete C:\windows\system32\qstwa.ini
C:\windows\system32\qstwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qxbgyhrt.dll
C:\WINDOWS\system32\qxbgyhrt.dll Has been deleted!

Attempting to delete C:\windows\system32\rdgoqilo.dll
C:\windows\system32\rdgoqilo.dll Has been deleted!

Attempting to delete C:\windows\system32\rhhgbaov.exe
C:\windows\system32\rhhgbaov.exe Has been deleted!

Attempting to delete C:\windows\system32\rnekbkav.exe
C:\windows\system32\rnekbkav.exe Has been deleted!

Attempting to delete C:\windows\system32\rtkugord.exe
C:\windows\system32\rtkugord.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtvwa.bak1
C:\WINDOWS\system32\rtvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtvwa.bak2
C:\WINDOWS\system32\rtvwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtvwa.ini
C:\WINDOWS\system32\rtvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rvudfbln.dll
C:\WINDOWS\system32\rvudfbln.dll Has been deleted!

Attempting to delete C:\windows\system32\rxqemcmh.dll
C:\windows\system32\rxqemcmh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ryyrcatv.dll
C:\WINDOWS\system32\ryyrcatv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sniifkxi.dll
C:\WINDOWS\system32\sniifkxi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sscmyuhb.dll
C:\WINDOWS\system32\sscmyuhb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.dll Has been deleted!

Attempting to delete C:\windows\system32\stbkhppd.dll
C:\windows\system32\stbkhppd.dll Has been deleted!

Attempting to delete C:\windows\system32\stvwa.bak1
C:\windows\system32\stvwa.bak1 Has been deleted!

Attempting to delete C:\windows\system32\stvwa.ini
C:\windows\system32\stvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\suhuhspi.dll
C:\WINDOWS\system32\suhuhspi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\svmnyjms.dll
C:\WINDOWS\system32\svmnyjms.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\swjiftdp.dll
C:\WINDOWS\system32\swjiftdp.dll Has been deleted!

Attempting to delete C:\windows\system32\tstwa.bak1
C:\windows\system32\tstwa.bak1 Has been deleted!

Attempting to delete C:\windows\system32\tstwa.ini
C:\windows\system32\tstwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ttlavuqh.exe
C:\WINDOWS\system32\ttlavuqh.exe Has been deleted!

Llama
2008-01-05, 06:17
Attempting to delete C:\windows\system32\txdbbppg.dll
C:\windows\system32\txdbbppg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uexeygti.exe
C:\WINDOWS\system32\uexeygti.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ufqdiqog.dll
C:\WINDOWS\system32\ufqdiqog.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\unfjwvfd.dll
C:\WINDOWS\system32\unfjwvfd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uoxqpvtf.dll
C:\WINDOWS\system32\uoxqpvtf.dll Has been deleted!

Attempting to delete C:\windows\system32\usqetaxl.exe
C:\windows\system32\usqetaxl.exe Has been deleted!

Attempting to delete C:\windows\system32\vaculevs.dll
C:\windows\system32\vaculevs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vcowypym.dll
C:\WINDOWS\system32\vcowypym.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vgxkbxgg.dll
C:\WINDOWS\system32\vgxkbxgg.dll Has been deleted!

Attempting to delete C:\windows\system32\vieoegty.exe
C:\windows\system32\vieoegty.exe Has been deleted!

Attempting to delete C:\windows\system32\voumqsqp.dll
C:\windows\system32\voumqsqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtsqq.dll
C:\WINDOWS\system32\vtsqq.dll Has been deleted!

Attempting to delete C:\windows\system32\vyxejewr.exe
C:\windows\system32\vyxejewr.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wigkbtry.dll
C:\WINDOWS\system32\wigkbtry.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wqfutprs.exe
C:\WINDOWS\system32\wqfutprs.exe Has been deleted!

Attempting to delete C:\windows\system32\wrbcjmtt.exe
C:\windows\system32\wrbcjmtt.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvuutts.dll
C:\WINDOWS\system32\wvuutts.dll Has been deleted!

Attempting to delete C:\windows\system32\wyilrbiv.exe
C:\windows\system32\wyilrbiv.exe Has been deleted!

Attempting to delete C:\windows\system32\xljkllom.exe
C:\windows\system32\xljkllom.exe Has been deleted!

Attempting to delete C:\windows\system32\xlwfaeiu.exe
C:\windows\system32\xlwfaeiu.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\xthmfrms.dll
C:\WINDOWS\system32\xthmfrms.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayxwxy.dll
C:\WINDOWS\system32\yayxwxy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yjdxymxw.dll
C:\WINDOWS\system32\yjdxymxw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yjxrodkv.dll
C:\WINDOWS\system32\yjxrodkv.dll Has been deleted!

Attempting to delete C:\windows\system32\yrdomwof.exe
C:\windows\system32\yrdomwof.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ysitxjgt.dll
C:\WINDOWS\system32\ysitxjgt.dll Has been deleted!

Attempting to delete C:\windows\system32\yyfdfvip.exe
C:\windows\system32\yyfdfvip.exe Has been deleted!

Performing Repairs to the registry.
Done!

Combo Fix:

ComboFix 08-01-04.1 - Joel Gibson 2008-01-05 15:16:12.1 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1153 [GMT 13:00]
Running from: C:\Documents and Settings\Joel Gibson\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\WINDOWS\aconti.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\abeeg.bak1
C:\WINDOWS\system32\abeeg.bak2
C:\WINDOWS\system32\abeeg.ini
C:\WINDOWS\system32\ajnbpxyl.ini
C:\WINDOWS\system32\alpfboli.ini
C:\WINDOWS\system32\anwvsmqn.dll
C:\WINDOWS\system32\aueklimu.ini
C:\WINDOWS\system32\bbadd.bak1
C:\WINDOWS\system32\bbadd.ini
C:\WINDOWS\system32\bemmthkf.ini
C:\WINDOWS\system32\bfxuyhhp.dll
C:\WINDOWS\system32\bkwgvrvx.ini
C:\WINDOWS\system32\bpxtejwl.ini
C:\WINDOWS\system32\bwslehht.ini
C:\WINDOWS\system32\ckcrcxex.ini
C:\WINDOWS\system32\cpxeumei.ini
C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\dccdd.bak2
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\dewjjlxf.ini
C:\WINDOWS\system32\dgfxsyul.dll
C:\WINDOWS\system32\dlymnmii.ini
C:\WINDOWS\system32\drhvrkpm.dll
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\drivers\sfsync02.sys
C:\WINDOWS\system32\drtalrao.ini
C:\WINDOWS\system32\fvjfrqkt.dll
C:\WINDOWS\system32\gfytuphc.ini
C:\WINDOWS\system32\ggjlm.bak1
C:\WINDOWS\system32\ggjlm.ini
C:\WINDOWS\system32\ghhkj.bak1
C:\WINDOWS\system32\ghhkj.ini
C:\WINDOWS\system32\gjfjqmuh.ini
C:\WINDOWS\system32\hgjlm.bak1
C:\WINDOWS\system32\hgjlm.bak2
C:\WINDOWS\system32\hgjlm.ini
C:\WINDOWS\system32\hjllm.bak1
C:\WINDOWS\system32\hjllm.bak2
C:\WINDOWS\system32\hjllm.ini
C:\WINDOWS\system32\idjvjvif.dll
C:\WINDOWS\system32\ijctcdso.dll
C:\WINDOWS\system32\jewvwjoa.dll
C:\WINDOWS\system32\jleahhwf.dll
C:\WINDOWS\system32\jlnmp.bak1
C:\WINDOWS\system32\jlnmp.bak2
C:\WINDOWS\system32\jlnmp.ini
C:\WINDOWS\system32\keotfdcx.dll
C:\WINDOWS\system32\kjjlm.bak1
C:\WINDOWS\system32\kjjlm.ini
C:\WINDOWS\system32\knnjqgxa.ini
C:\WINDOWS\system32\krayrutd.ini
C:\WINDOWS\system32\kwhpysgt.ini
C:\WINDOWS\system32\lbnlvmom.dll
C:\WINDOWS\system32\lnnmp.bak1
C:\WINDOWS\system32\lnnmp.bak2
C:\WINDOWS\system32\lnnmp.ini
C:\WINDOWS\system32\lnnmp.ini2
C:\WINDOWS\system32\lrogoxwn.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\msivvjin.ini
C:\WINDOWS\system32\msivvjin.ini2
C:\WINDOWS\system32\nebbhfbx.ini
C:\WINDOWS\system32\njqmckym.ini
C:\WINDOWS\system32\nmllm.bak1
C:\WINDOWS\system32\nmllm.bak2
C:\WINDOWS\system32\nmllm.ini
C:\WINDOWS\system32\nnnmp.bak1
C:\WINDOWS\system32\nnnmp.ini
C:\WINDOWS\system32\nwhlehed.dll
C:\WINDOWS\system32\nyvoscmh.ini
C:\WINDOWS\system32\oelfejmj.ini
C:\WINDOWS\system32\ohaijijx.ini
C:\WINDOWS\system32\oinstnmd.ini
C:\WINDOWS\system32\onnmdgla.ini
C:\WINDOWS\system32\onnmp.bak1
C:\WINDOWS\system32\onnmp.ini
C:\WINDOWS\system32\orutv.bak1
C:\WINDOWS\system32\orutv.ini
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pdkjbafu.ini
C:\WINDOWS\system32\prqss.bak1
C:\WINDOWS\system32\prqss.ini
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qfprbbeb.dll
C:\WINDOWS\system32\qpqyfjiq.ini
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrutv.bak1
C:\WINDOWS\system32\qrutv.ini
C:\WINDOWS\system32\qwcrfxcc.ini
C:\WINDOWS\system32\rpldptmn.ini
C:\WINDOWS\system32\rqtss.bak1
C:\WINDOWS\system32\rqtss.ini
C:\WINDOWS\system32\rrdmccej.ini
C:\WINDOWS\system32\snqiyyfq.dll
C:\WINDOWS\system32\stutv.bak1
C:\WINDOWS\system32\stutv.ini
C:\WINDOWS\system32\tacdowdk.ini
C:\WINDOWS\system32\ttutv.bak1
C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini2
C:\WINDOWS\system32\ttutv.tmp
C:\WINDOWS\system32\ucvidior.dll
C:\WINDOWS\system32\udxbblcm.ini
C:\WINDOWS\system32\vabiekvh.ini
C:\WINDOWS\system32\vegnmtcq.ini
C:\WINDOWS\system32\vonlbupw.ini
C:\WINDOWS\system32\wanpacket.dll
C:\WINDOWS\system32\wjldnusv.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\wqcuhjxk.ini
C:\WINDOWS\system32\wtvvcmey.ini
C:\WINDOWS\system32\wxogyuck.ini
C:\WINDOWS\system32\wyadd.bak1
C:\WINDOWS\system32\wyadd.ini
C:\WINDOWS\system32\xadrfump.ini
C:\WINDOWS\system32\xdjoyaxv.ini
C:\WINDOWS\system32\xeaalcgi.ini
C:\WINDOWS\system32\xogemuvr.ini
C:\WINDOWS\system32\xvwaovtj.ini
C:\WINDOWS\system32\xxlfdmct.ini
C:\WINDOWS\system32\ybadd.bak2
C:\WINDOWS\system32\ycbeg.bak1
C:\WINDOWS\system32\ycbeg.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\LEGACY_SFSYNC02
-------\DomainService
-------\NPF
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-12-05 to 2008-01-05 )))))))))))))))))))))))))))))))
.

2008-01-05 15:16 . 2008-01-05 15:16 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-05 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 14:27 . 2008-01-05 14:27 <DIR> d-------- C:\VundoFix Backups
2008-01-05 12:45 . 2008-01-05 13:35 354 ---hs---- C:\WINDOWS\system32\pdtfijws.ini
2008-01-04 11:16 . 2008-01-04 14:57 474 ---hs---- C:\WINDOWS\system32\uxhkfugi.ini
2008-01-03 17:35 . 2008-01-04 11:11 354 ---hs---- C:\WINDOWS\system32\pathcuto.ini
2008-01-03 13:15 . 2008-01-03 13:15 294 ---hs---- C:\WINDOWS\system32\ftvpqxou.ini
2008-01-02 13:56 . 2008-01-02 13:57 354 ---hs---- C:\WINDOWS\system32\cdkhmcep.ini
2008-01-02 12:57 . 2008-01-02 12:57 294 ---hs---- C:\WINDOWS\system32\rwchxlwj.ini
2008-01-01 19:31 . 2008-01-01 20:01 23 --a------ C:\WINDOWS\popcinfot.dat
2008-01-01 15:01 . 2008-01-01 16:39 414 ---hs---- C:\WINDOWS\system32\smjynmvs.ini
2008-01-01 13:19 . 2008-01-01 13:19 294 ---hs---- C:\WINDOWS\system32\sbspyaht.ini
2007-12-31 12:05 . 2007-12-31 12:13 474 ---hs---- C:\WINDOWS\system32\dsvjhpyc.ini
2007-12-31 11:54 . 2007-12-31 11:54 294 ---hs---- C:\WINDOWS\system32\vugtedko.ini
2007-12-31 00:20 . 2007-12-31 00:20 534 ---hs---- C:\WINDOWS\system32\ggxbkxgv.ini
2007-12-30 23:06 . 2007-12-30 23:14 474 ---hs---- C:\WINDOWS\system32\yrqvrpss.ini
2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
2007-12-30 21:14 . 2007-12-30 21:58 354 ---hs---- C:\WINDOWS\system32\byarxcjr.ini
2007-12-30 16:46 . 2007-12-30 16:47 414 ---hs---- C:\WINDOWS\system32\neenoufh.ini
2007-12-30 12:34 . 2007-12-30 16:39 354 ---hs---- C:\WINDOWS\system32\jeptewdh.ini
2007-12-29 20:39 . 2007-12-29 20:39 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Command and Conquer 3 Tiberium Wars
2007-12-29 17:37 . 2007-12-29 18:45 594 ---hs---- C:\WINDOWS\system32\qmavtwkq.ini
2007-12-29 14:10 . 2007-12-29 17:29 474 ---hs---- C:\WINDOWS\system32\clcgywad.ini
2007-12-29 13:18 . 2007-12-29 14:02 354 ---hs---- C:\WINDOWS\system32\kbpyuujh.ini
2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Games
2007-12-28 21:36 . 2007-12-28 21:36 294 ---hs---- C:\WINDOWS\system32\kuyokutk.ini
2007-12-28 20:11 . 2007-12-28 20:11 294 ---hs---- C:\WINDOWS\system32\nfxuerye.ini
2007-12-28 13:15 . 2007-12-28 16:35 414 ---hs---- C:\WINDOWS\system32\dflxrnqk.ini
2007-12-28 12:30 . 2007-12-28 12:30 294 ---hs---- C:\WINDOWS\system32\etsgefsd.ini
2007-12-28 11:29 . 2007-12-28 11:29 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Winamp
2007-12-28 11:24 . 2007-12-28 11:24 474 ---hs---- C:\WINDOWS\system32\mypywocv.ini
2007-12-28 11:23 . 2007-12-28 11:23 414 ---hs---- C:\WINDOWS\system32\gicnwgfq.ini
2007-12-27 21:15 . 2007-12-28 11:12 354 ---hs---- C:\WINDOWS\system32\hlagnivr.ini
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\The Chosen demo
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Frater
2007-12-27 09:27 . 2007-12-27 09:27 294 ---hs---- C:\WINDOWS\system32\vkdorxjy.ini
2007-12-26 23:00 . 2007-12-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-26 23:00 . 2007-12-26 23:00 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2007-12-26 23:00 . 2007-12-26 23:00 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-26 23:00 . 2007-12-26 23:00 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-26 21:34 . 2007-12-26 21:34 294 ---hs---- C:\WINDOWS\system32\nacrmimk.ini
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Program Files\COMODO
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Comodo
2007-12-26 18:26 . 2007-12-26 18:26 <DIR> dr-h----- C:\Documents and Settings\Joel Gibson\Application Data\SecuROM
2007-12-26 17:25 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-26 17:25 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-26 17:25 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-26 17:25 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-26 17:21 . 2007-12-26 17:21 354 ---hs---- C:\WINDOWS\system32\trhygbxq.ini
2007-12-26 15:45 . 2007-12-26 15:45 294 ---hs---- C:\WINDOWS\system32\ymxvygsb.ini
2007-12-26 12:20 . 2007-12-26 12:20 294 ---hs---- C:\WINDOWS\system32\dhuxinya.ini
2007-12-25 21:45 . 2007-12-25 21:46 354 ---hs---- C:\WINDOWS\system32\qnyxgbjg.ini
2007-12-25 14:28 . 2007-12-25 14:28 294 ---hs---- C:\WINDOWS\system32\djdnjtrs.ini
2007-12-25 12:48 . 2007-12-25 14:22 354 ---hs---- C:\WINDOWS\system32\goqidqfu.ini
2007-12-24 23:28 . 2007-12-24 23:28 294 ---hs---- C:\WINDOWS\system32\wxmyxdjy.ini
2007-12-24 21:54 . 2007-12-24 21:54 534 ---hs---- C:\WINDOWS\system32\pqqagpjp.ini
2007-12-23 21:39 . 2007-12-24 21:46 474 ---hs---- C:\WINDOWS\system32\efavoych.ini
2007-12-23 21:14 . 2007-12-23 21:14 294 ---hs---- C:\WINDOWS\system32\dbjhaybs.ini
2007-12-21 16:51 . 2007-12-21 16:52 474 ---hs---- C:\WINDOWS\system32\htxmkdvb.ini
2007-12-21 15:48 . 2007-12-21 15:48 414 ---hs---- C:\WINDOWS\system32\opjfihwl.ini
2007-12-21 14:56 . 2007-12-21 15:40 354 ---hs---- C:\WINDOWS\system32\rkfqwxnk.ini
2007-12-20 14:54 . 2007-12-20 14:54 354 ---hs---- C:\WINDOWS\system32\wujevtak.ini
2007-12-20 13:52 . 2007-12-20 13:52 294 ---hs---- C:\WINDOWS\system32\bsjbwpfa.ini
2007-12-20 10:15 . 2007-12-20 10:15 294 ---hs---- C:\WINDOWS\system32\eboefsaf.ini
2007-12-19 19:57 . 2007-12-26 21:15 1,365 --a------ C:\WINDOWS\wininit.ini
2007-12-19 17:52 . 2007-12-19 23:13 294 ---hs---- C:\WINDOWS\system32\smrfmhtx.ini
2007-12-19 11:08 . 2007-12-19 11:08 294 ---hs---- C:\WINDOWS\system32\vtacryyr.ini
2007-12-18 17:50 . 2007-12-18 17:50 294 ---hs---- C:\WINDOWS\system32\pfsgxhdh.ini
2007-12-18 10:49 . 2007-12-18 14:37 294 ---hs---- C:\WINDOWS\system32\yselglkf.ini
2007-12-17 18:31 . 2007-12-17 18:32 114 --a------ C:\WINDOWS\system32\jpirvbvj.dat
2007-12-17 18:28 . 2007-12-17 18:28 294 ---hs---- C:\WINDOWS\system32\nlbfduvr.ini
2007-12-17 08:42 . 2007-12-17 08:42 294 ---hs---- C:\WINDOWS\system32\eixqbsef.ini
2007-12-11 21:53 . 2007-12-11 21:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\ATI
2007-12-11 12:54 . 2007-12-11 12:54 294 ---hs---- C:\WINDOWS\system32\bhuymcss.ini
2007-12-10 14:26 . 2007-12-10 14:27 <DIR> d-------- C:\Program Files\Aquaria
2007-12-10 12:49 . 2007-12-10 12:49 354 ---hs---- C:\WINDOWS\system32\yrtbkgiw.ini
2007-12-10 12:28 . 2007-12-10 12:28 294 ---hs---- C:\WINDOWS\system32\xknclkxi.ini
2007-12-08 19:02 . 2007-12-08 19:02 354 ---hs---- C:\WINDOWS\system32\dwqjjjkl.ini
2007-12-08 19:00 . 2007-12-08 19:02 294 ---hs---- C:\WINDOWS\system32\jgyhbqod.ini
2007-12-08 17:14 . 2007-12-08 17:14 294 ---hs---- C:\WINDOWS\system32\ixnkmwbo.ini
2007-12-07 16:00 . 2007-12-07 16:00 294 ---hs---- C:\WINDOWS\system32\mvpvgokd.ini
2007-12-07 01:19 . 2007-12-07 01:19 354 ---hs---- C:\WINDOWS\system32\amhnxale.ini
2007-12-06 22:29 . 2007-12-06 22:29 294 ---hs---- C:\WINDOWS\system32\upfydvsg.ini
2007-12-06 16:37 . 2007-12-06 16:38 354 ---hs---- C:\WINDOWS\system32\dfvwjfnu.ini
2007-12-06 16:15 . 2007-12-06 16:15 294 ---hs---- C:\WINDOWS\system32\jhyuhsgj.ini
2007-12-05 18:31 . 2007-12-05 18:32 294 ---hs---- C:\WINDOWS\system32\ipshuhus.ini
2007-12-05 15:56 . 2007-12-05 16:44 294 ---hs---- C:\WINDOWS\system32\tgjxtisy.ini

Llama
2008-01-05, 06:18
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-30 03:05 122,432 ----a-w C:\WINDOWS\system32\epgtmelk.dll
2007-11-26 06:30 --------- d-----w C:\Program Files\Fredryk Phantasy
2007-11-24 02:23 1,128 ----a-w C:\Program Files\log.dat
2007-11-23 08:30 --------- d-----w C:\Documents and Settings\Joel Gibson\Application Data\mIRC
2007-11-22 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-08 21:14 --------- d-----w C:\Program Files\Synaesthete
2007-10-30 16:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 14:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-19 22:34 53,880,837 ----a-w C:\Program Files\LastStandInstall.exe
2007-10-19 10:14 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-24 08:18 57,992 ----a-w C:\Documents and Settings\Joel Gibson\Application Data\GDIPFONTCACHEV1.DAT
2006-12-20 01:05 35,511 ----a-w C:\Program Files\ReadMe.txt
2004-11-08 20:22 929,792 ----a-w C:\Program Files\SCZ.exe
2001-11-22 23:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-08-18 11:41 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-09-18 04:22 694,076 --sh--w C:\WINDOWS\system32\sewmrqnq.ini2
2007-09-25 07:28 693,472 --sh--w C:\WINDOWS\system32\csvroaew.ini2
2007-08-18 11:41 88 --sh--r C:\WINDOWS\system32\77052A6FA7.sys
2007-09-24 07:28 693,472 --sh--w C:\WINDOWS\system32\orkxndag.ini2
2007-09-22 06:43 693,601 --sh--w C:\WINDOWS\system32\emaflsao.ini2
2007-09-27 09:52 693,481 --sh--w C:\WINDOWS\system32\fsswttnt.ini2
.

<pre>
----a-w 5,434,579 2005-01-26 23:28:00 C:\Program Files\STI\SPIRIT_Custom\Media\84fb7ffc-18bf-4c8c-8644-3d20ba784bb8\Programs\SPIRIT 12 .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE4E0AAE-947C-4C6D-A58C-11531F18F615}]
C:\WINDOWS\system32\jkhfd.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 16:40 28672]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-21 04:16 37376]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-26 23:00 1481472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\120512e4]
rundll32.exe C:\WINDOWS\system32\swjiftdp.dll,b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 11:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig]
C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]
rundll32.exe C:\WINDOWS\system32\vwbpbgwi.dll,forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshost.exe]
C:\WINDOWS\system32\winshost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"rpcapd"=3 (0x3)
"Pctspk"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Fax"=2 (0x2)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-26 23:00]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-26 23:00]
R2 CbmDev1;CbmDev1;C:\WINDOWS\system32\drivers\CbmDev1.sys [1998-01-16 08:43]
R2 CbmDev2;CbmDev2;C:\WINDOWS\system32\drivers\CbmDev2.sys [1998-01-16 08:43]
R2 CbmDev3;CbmDev3;C:\WINDOWS\system32\drivers\CbmDev3.sys [1998-01-16 08:43]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys []
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-05 16:49:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI

detected NTDLL code modification:
ZwClose

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-05 16:50:51 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-05 03:50:48
.
2008-01-04 23:28:54 --- E O F ---
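The VundoFix and ComboFix logs above carry the typical Vundo/Virtumonde footprint: 5- and 8-letter random-named DLLs and EXEs in system32, hidden+system .ini/.ini2/.bak files sitting next to them, a rundll32.exe startup entry that loads one of those DLLs by export name, a BHO registered from another, and an executable with a space before its extension (SPIRIT 12 .exe). As an added triage example (my code, not part of this thread and not a feature of ComboFix or VundoFix), the Python script below parses ComboFix-style "Files Created", "Find3M" and "Reg Loading Points" lines and flags entries matching those patterns. The embedded sample is constructed from a few lines copied from the log above mixed with legitimate entries from the same log, and the heuristics (random-letter stems, attribute flags, loader/export shape) are assumptions drawn from this one log rather than a general signature.

```python
"""Triage helper for ComboFix-style logs: flags the Vundo/Virtumonde footprint.

Heuristics (assumptions taken from the log in this thread, not a vendor signature):
  * system32 files whose stem is 5 or 8 random lower-case letters
  * non-directory entries carrying hidden+system attributes
  * rundll32.exe startup entries loading such a DLL by export name
  * a BHO registered from such a DLL
  * executables with whitespace before the extension ("SPIRIT 12 .exe")
"""
import ntpath
import re

# "Files Created" line:  created . modified  size|<DIR>  attrs(9)  path
FILES_CREATED = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+\.\s+\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(?P<size><DIR>|[\d,]+)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>\S.*?)\s*$"
)
# "Find3M" line:  modified  size|---------  attrs(7)  path
FIND3M = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>-+|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{7})\s+(?P<path>\S.*?)\s*$"
)
# <pre> block line:  attrs(7)  size  date time  path
PRE_LINE = re.compile(
    r"^(?P<attrs>[-a-z]{7})\s+(?P<size>[\d,]+)\s+"
    r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\s+(?P<path>\S.*?)\s*$"
)
RUNDLL = re.compile(r"^rundll32\.exe\s+(?P<path>.+?\.dll),(?P<export>\w+)\s*$", re.I)
KEY = re.compile(r"^\[(?P<key>.+)\]$")

RANDOM_STEM = re.compile(r"^(?:[a-z]{5}|[a-z]{8})$")
LOADER_EXTS = {".dll", ".exe"}
DATA_EXTS = {".ini", ".ini2", ".bak1", ".bak2", ".tmp", ".dat"}
KNOWN_EXTS = LOADER_EXTS | DATA_EXTS

# Constructed sample: lines copied from the ComboFix log in this thread.
SAMPLE_LOG = r"""
2008-01-05 12:45 . 2008-01-05 13:35 354 ---hs---- C:\WINDOWS\system32\pdtfijws.ini
2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
2007-12-26 23:00 . 2007-12-26 23:00 139,008 --a------ C:\WINDOWS\system32\guard32.dll
2007-11-30 03:05 122,432 ----a-w C:\WINDOWS\system32\epgtmelk.dll
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-09-18 04:22 694,076 --sh--w C:\WINDOWS\system32\sewmrqnq.ini2
----a-w 5,434,579 2005-01-26 23:28:00 C:\Program Files\STI\SPIRIT_Custom\Media\84fb7ffc-18bf-4c8c-8644-3d20ba784bb8\Programs\SPIRIT 12 .exe
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE4E0AAE-947C-4C6D-A58C-11531F18F615}]
C:\WINDOWS\system32\jkhfd.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\120512e4]
rundll32.exe C:\WINDOWS\system32\swjiftdp.dll,b
"""


def in_system32(path):
    """True when the file sits directly in a ...\\system32 directory (ntpath handles backslashes on any OS)."""
    return ntpath.dirname(path).lower().endswith("\\system32")


def random_stem(path):
    stem, _ = ntpath.splitext(ntpath.basename(path))
    return RANDOM_STEM.match(stem) is not None


def file_findings(path, attrs):
    """Reasons a single file entry looks like part of the Vundo footprint (empty list if clean)."""
    reasons = []
    stem, ext = ntpath.splitext(ntpath.basename(path))
    is_dir = attrs.startswith("d")
    if not is_dir and in_system32(path) and random_stem(path) and ext.lower() in KNOWN_EXTS:
        reasons.append(f"random {len(stem)}-letter name in system32")
    if not is_dir and "h" in attrs and "s" in attrs:  # both log formats spell the flags h and s
        reasons.append("hidden+system attributes")
    if stem != stem.rstrip() and ext.lower() in LOADER_EXTS:
        reasons.append("space before executable extension")
    return reasons


def triage(log_text):
    """Return [(path, [reasons]), ...] for every suspicious entry in a ComboFix-style log."""
    findings = []
    current_key = ""
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY.match(line)
        if m:  # remember which registry key the following value lines belong to
            current_key = m.group("key").lower()
            continue
        m = FILES_CREATED.match(line) or FIND3M.match(line) or PRE_LINE.match(line)
        if m:
            reasons = file_findings(m.group("path"), m.group("attrs"))
            if reasons:
                findings.append((m.group("path"), reasons))
            continue
        m = RUNDLL.match(line)
        if m:
            dll = m.group("path")
            if in_system32(dll) and random_stem(dll):
                findings.append((dll, [f"rundll32 startup entry loads random-named DLL, export '{m.group('export')}'"]))
            continue
        if "browser helper objects" in current_key and line.lower().endswith(".dll") and random_stem(line):
            findings.append((line, ["BHO registered from random-named DLL"]))
    return findings


if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_LOG):
        print(f"{path}\n    " + "; ".join(reasons))
```

Running it on the sample prints six entries (pdtfijws.ini, epgtmelk.dll, sewmrqnq.ini2, SPIRIT 12 .exe, jkhfd.dll, swjiftdp.dll) and leaves guard32.dll, secdrv.sys, ctfmon.exe and the FOUND.003 directory alone; that is the same set of paths a helper ends up putting into a CFScript, so the script is a way to check a log for entries you may have missed by eye, not a replacement for the review.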

ken545
2008-01-05, 17:29
Llama,

Let me tell you what's going on: a few years ago, if you caught a malware program or a virus, we ran a tool, deleted a few files and you were on your way, BUT THAT'S ALL CHANGED. This garbage is becoming more difficult to remove as each day goes by.

Had this for a while now and is more of an annoyance than a problem.

Actually, you have this reversed, THIS IS A MAJOR PROBLEM. This infection has also infected one of your programs and could be putting this stuff back as we remove it.
C:\Program Files\STI\SPIRIT_Custom <-- This program is infected and you may have to uninstall it when we are done here.

What I need you to do is to delete the current copy of ComboFix and download the new Beta Version.
Download it Here
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe


Then do this.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::

File::
C:\FOUND.003
C:\WINDOWS\popcinfot.dat
C:\WINDOWS\system32\pdtfijws.ini
C:\WINDOWS\system32\uxhkfugi.ini
C:\WINDOWS\system32\pathcuto.ini
C:\WINDOWS\system32\ftvpqxou.ini
C:\WINDOWS\system32\cdkhmcep.ini
C:\WINDOWS\system32\rwchxlwj.ini
C:\WINDOWS\system32\smjynmvs.ini
C:\WINDOWS\system32\sbspyaht.ini
C:\WINDOWS\system32\dsvjhpyc.ini
C:\WINDOWS\system32\vugtedko.ini
C:\WINDOWS\system32\ggxbkxgv.ini
C:\WINDOWS\system32\yrqvrpss.ini
C:\WINDOWS\system32\byarxcjr.ini
C:\WINDOWS\system32\neenoufh.ini
C:\WINDOWS\system32\jeptewdh.ini
C:\WINDOWS\system32\qmavtwkq.ini
C:\WINDOWS\system32\clcgywad.ini
C:\WINDOWS\system32\kbpyuujh.ini
C:\WINDOWS\system32\kuyokutk.ini
C:\WINDOWS\system32\nfxuerye.ini
C:\WINDOWS\system32\dflxrnqk.ini
C:\WINDOWS\system32\etsgefsd.ini
C:\WINDOWS\system32\mypywocv.ini
C:\WINDOWS\system32\gicnwgfq.ini
C:\WINDOWS\system32\hlagnivr.ini
C:\WINDOWS\system32\vkdorxjy.ini
C:\WINDOWS\system32\nacrmimk.ini
C:\WINDOWS\system32\trhygbxq.ini
C:\WINDOWS\system32\ymxvygsb.ini
C:\WINDOWS\system32\dhuxinya.ini
C:\WINDOWS\system32\qnyxgbjg.ini
C:\WINDOWS\system32\djdnjtrs.ini
C:\WINDOWS\system32\goqidqfu.ini
C:\WINDOWS\system32\wxmyxdjy.ini
C:\WINDOWS\system32\pqqagpjp.ini
C:\WINDOWS\system32\efavoych.ini
C:\WINDOWS\system32\dbjhaybs.ini
C:\WINDOWS\system32\htxmkdvb.ini
C:\WINDOWS\system32\opjfihwl.ini
C:\WINDOWS\system32\rkfqwxnk.ini
C:\WINDOWS\system32\wujevtak.ini
C:\WINDOWS\system32\bsjbwpfa.ini
C:\WINDOWS\system32\eboefsaf.ini
C:\WINDOWS\system32\smrfmhtx.ini
C:\WINDOWS\system32\vtacryyr.ini
C:\WINDOWS\system32\pfsgxhdh.ini
C:\WINDOWS\system32\yselglkf.ini
C:\WINDOWS\system32\jpirvbvj.dat
C:\WINDOWS\system32\nlbfduvr.ini
C:\WINDOWS\system32\eixqbsef.ini
C:\WINDOWS\system32\yrtbkgiw.ini
C:\WINDOWS\system32\xknclkxi.ini
C:\WINDOWS\system32\dwqjjjkl.ini
C:\WINDOWS\system32\jgyhbqod.ini
C:\WINDOWS\system32\ixnkmwbo.ini
C:\WINDOWS\system32\mvpvgokd.ini
C:\WINDOWS\system32\amhnxale.ini
C:\WINDOWS\system32\upfydvsg.ini
C:\WINDOWS\system32\dfvwjfnu.ini
C:\WINDOWS\system32\jhyuhsgj.ini
C:\WINDOWS\system32\ipshuhus.ini
C:\WINDOWS\system32\tgjxtisy.ini
C:\WINDOWS\system32\epgtmelk.dll
C:\WINDOWS\system32\sewmrqnq.ini2
C:\WINDOWS\system32\csvroaew.ini2
C:\WINDOWS\system32\77052A6FA7.sys
C:\WINDOWS\system32\orkxndag.ini2
C:\WINDOWS\system32\emaflsao.ini2
C:\WINDOWS\system32\fsswttnt.ini2
C:\WINDOWS\system32\vwbpbgwi.dll
C:\WINDOWS\system32\winshost.exe

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE4E0AAE-947C-4C6D-A58C-11531F18F615}]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\120512e4]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SystemOptimizer]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winshost.exe]

RenV::
----a-w 5,434,579 2005-01-26 23:28:00 C:\Program Files\STI\SPIRIT_Custom\Media\84fb7ffc-18bf-4c8c-8644-3d20ba784bb8\Programs\SPIRIT 12 .exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Then I need you to run this online scanner.

ESET Online Scanner

Please go to the following link ESET Online Scanner Link (http://www.eset.com/onlinescan/)
Tick the box YES, I accept the Terms Of Use
Click the Start button
Now click the Install button
Click Start

The scanner engine will initialise and update

Do Not tick the box Remove found threats
Click the Scan button

The scan will now run, please be patient

When the scan finishes click the Details tab
Copy and paste the contents of the :\Program Files\EsetOnlineScanner\log.txt back here.



Let me see the new Combofix log, the ESET log and a new HJT log please.

Llama
2008-01-06, 05:09
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2766 (20080104)
# vers_arch_module=1.060 (20071228)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=079d42dd4cbdd940a103de5ba56b20d0
# end=finished
# remove_checked=false
# unwanted_checked=false
# utc_time=2008-01-06 01:32:53
# local_time=2008-01-06 02:32:53 (+1200, New Zealand Daylight Time)
# country="New Zealand"
# osver=5.1.2600 NT Service Pack 2
# scanned=361535
# found=234
# scan_time=4178
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080105-142537-477.dll Win32/Adware.BHO.V application D7F4745B2162189AEB24EEE6B53AB0F3
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP249\A0099848.DLL Win32/Adware.Virtumonde application 87E1F53F822A401423588A09CF5E923B
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100796.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100797.exe Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100799.exe Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100800.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100807.dll probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100808.dll Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100809.dll Win32/Adware.Virtumonde application 9018245957ACD18A1A6F30401A9D60F2
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100810.exe Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100811.exe Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100812.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100813.exe Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100817.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100818.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100819.dll probably a variant of Win32/Adware.BHO.V application 88DBBE426F0B26335528535562E23200
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100821.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100823.dll Win32/Adware.Virtumonde application 9018245957ACD18A1A6F30401A9D60F2
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100824.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100825.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100826.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100827.exe Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100830.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100831.dll Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100832.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100833.exe Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100834.dll probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100835.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100836.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100838.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100839.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100840.dll probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100841.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100845.dll probably a variant of Win32/Adware.Agent application 76D632B1AA4482D9407CA7B026FC6701
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100847.dll probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100848.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100849.dll Win32/Adware.Virtumonde application 9018245957ACD18A1A6F30401A9D60F2
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100850.dll Win32/Adware.Virtumonde application 6F468B0EC2E9F21DAC962AE00BA71880
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100852.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100854.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100855.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100856.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100857.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100858.dll probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100859.exe Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100860.dll probably a variant of Win32/Adware.BHO.V application 88DBBE426F0B26335528535562E23200
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100861.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100862.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100863.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100864.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100865.dll probably a variant of Win32/Adware.Agent application 76D632B1AA4482D9407CA7B026FC6701
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100867.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100868.exe Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100869.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100870.dll probably a variant of Win32/Adware.BHO.V application A4B6E07148A096E45C5586BFE11738DD
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100871.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100872.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100874.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100876.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100877.dll Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100883.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100884.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100885.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100886.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100891.dll Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100892.dll Win32/Adware.BHO.V application 3ECFCD051382B8060F9AD55619B335B0
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100893.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100894.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100895.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100897.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100898.dll probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100899.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100901.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100903.dll probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100905.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100909.exe Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100910.dll probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100911.exe Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100912.dll Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100913.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100915.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100916.dll probably a variant of Win32/Adware.BHO.V application A4B6E07148A096E45C5586BFE11738DD
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100919.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100920.dll probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100921.dll Win32/Adware.Virtumonde application E9E25FBE4AA26FB6FA462C6D2D40C6F3
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100922.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
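
The ESET log above is a flat list of lines of the form <path> <detection> <category> <MD5>, with a "# key=value" header in front. The script below is an added example, not code from this thread or from ESET's tools: it parses those lines and groups the hits by where the file sits, so that copies in System Restore snapshots and in ComboFix/HijackThis/VundoFix backup folders are told apart from files that are still live on the system. The sample input is a trimmed header and three lines copied from the log above plus one constructed "live" entry with a placeholder path and an all-zero placeholder hash; the folder rules for _restore, QooBox, HijackThis\backups and VundoFix Backups are assumptions drawn from the paths seen in this thread.

```python
"""Triage helper for ESET Online Scanner log.txt output (added example).

Parses detection lines of the shape <path> <detection> <category> <MD5>,
skips the '# key=value' header, and buckets hits by location so that inert
copies (restore points, tool quarantines and backups) are separated from
files still live on the system.
"""
import re
from collections import Counter

# One detection line. The path may contain spaces, so anchor on the fixed-shape
# tail (family, one-word category, 32 hex digits) and let the non-greedy path
# group absorb everything before it. ESET prefixes heuristic hits with
# "a variant of" / "probably a variant of"; that qualifier is captured apart.
DETECTION_RE = re.compile(
    r"^(?P<path>.+?) "
    r"(?P<qualifier>(?:probably )?a variant of )?"
    r"(?P<family>\S+/\S+) "
    r"(?P<category>\S+) "
    r"(?P<md5>[0-9A-Fa-f]{32})\s*$"
)

# Location classes, checked in order. Assumed from the paths in this thread:
# restore snapshots under \System Volume Information\_restore{...}, ComboFix
# quarantine under \QooBox\Quarantine\, HijackThis backups under
# \HijackThis\backups\, VundoFix backups under \VundoFix Backups\.
LOCATION_RULES = [
    ("restore_point", re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore", re.I)),
    ("combofix_quarantine", re.compile(r"\\QooBox\\Quarantine\\", re.I)),
    ("hjt_backup", re.compile(r"\\HijackThis\\backups\\", re.I)),
    ("vundofix_backup", re.compile(r"\\VundoFix Backups\\", re.I)),
]


def classify_location(path):
    """Return the location class of a detected path, or 'live' if none match."""
    for label, pattern in LOCATION_RULES:
        if pattern.search(path):
            return label
    return "live"


def parse_eset_log(text):
    """Parse log.txt text into (header dict, list of detection dicts)."""
    header, detections = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].strip().partition("=")
            header[key.strip()] = value.strip()
            continue
        m = DETECTION_RE.match(line)
        if m is None:
            # Unknown line shape: keep it visible instead of dropping it silently.
            detections.append({"path": line, "qualifier": None, "family": None,
                               "category": None, "md5": None, "location": "unparsed"})
            continue
        d = m.groupdict()
        d["qualifier"] = (d["qualifier"] or "").strip() or None
        d["location"] = classify_location(d["path"])
        detections.append(d)
    return header, detections


def triage(text):
    """Summarise a log: hits by location and family, distinct samples, live hits."""
    header, detections = parse_eset_log(text)
    return {
        "found_claimed": int(header.get("found") or 0),
        "found_parsed": len(detections),
        "by_location": dict(Counter(d["location"] for d in detections)),
        "by_family": dict(Counter(d["family"] for d in detections if d["family"])),
        "unique_md5": len({d["md5"] for d in detections if d["md5"]}),
        "live": [d for d in detections if d["location"] == "live"],
    }


# Constructed sample: trimmed header and three lines copied from the log in the
# thread, plus one made-up live entry with a placeholder path and an all-zero
# placeholder hash so that the 'live' bucket is exercised.
SAMPLE_LOG = r"""
# version=4
# found=4
# scan_time=4178
C:\Program Files\Trend Micro\HijackThis\backups\backup-20080105-142537-477.dll Win32/Adware.BHO.V application D7F4745B2162189AEB24EEE6B53AB0F3
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100807.dll probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\WINDOWS\aconti.exe.vir a variant of Win32/Dialer.ALifeDialer application 35EB365579475048AA24C8D4DD075CD6
C:\WINDOWS\system32\placeholder.dll Win32/Adware.Virtumonde application 00000000000000000000000000000000
"""

if __name__ == "__main__":
    summary = triage(SAMPLE_LOG)
    print("claimed/parsed:", summary["found_claimed"], summary["found_parsed"])
    print("by location:", summary["by_location"])
    print("by family:", summary["by_family"])
    for hit in summary["live"]:
        print("LIVE:", hit["path"], hit["family"], hit["md5"])
```

On the portion of the log shown above, every hit falls under a restore point, the ComboFix quarantine or the HijackThis backup folder, so the summary's "live" list would be empty; it is that list, not the raw "found=234" count, that says whether the infection is still active, and comparing found_claimed with found_parsed catches lines the parser did not understand.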

Llama
2008-01-06, 05:12
0\A0100923.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100924.exe Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100925.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100926.dll probably a variant of Win32/Adware.Agent application 76D632B1AA4482D9407CA7B026FC6701
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100927.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100928.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100929.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100930.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100931.dll probably a variant of Win32/Adware.Agent application 76D632B1AA4482D9407CA7B026FC6701
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100932.dll Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100934.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100935.dll Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100936.exe Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101087.dll probably a variant of Win32/Adware.BHO.V application 29B3460D91FB2A58C161A8FC18EB18BF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101088.dll Win32/Adware.BHO.V application 942A5909310A5DF0A30112B7C96A3686
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101089.dll probably a variant of Win32/Adware.BHO.V application 63E224097D0D4E3DAD3C762024A83DB1
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101090.dll probably a variant of Win32/Adware.BHO.V application BCCB566A1BABC9041BC6338BC2C4BB80
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101091.dll Win32/Adware.BHO.V application D7F4745B2162189AEB24EEE6B53AB0F3
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101092.dll probably a variant of Win32/Adware.BHO.V application EBEDEEDEA62290C49DCA6B0976861753
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101093.dll Win32/Adware.BHO.V application D7F4745B2162189AEB24EEE6B53AB0F3
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101094.dll probably a variant of Win32/Adware.BHO.V application 63E224097D0D4E3DAD3C762024A83DB1
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101095.dll probably a variant of Win32/Adware.BHO.V application 29B3460D91FB2A58C161A8FC18EB18BF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101096.dll probably a variant of Win32/Adware.BHO.V application 802E6EFC0E5B2A7B3D57DB0C89E2ED20
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101097.dll probably a variant of Win32/Adware.BHO.V application 29B3460D91FB2A58C161A8FC18EB18BF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101098.dll Win32/Adware.BHO.V application 05928220329361095DECA53F58AC67D4
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101099.dll Win32/Adware.BHO.V application D7F4745B2162189AEB24EEE6B53AB0F3
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101100.dll probably a variant of Win32/Adware.BHO.V application 29B3460D91FB2A58C161A8FC18EB18BF
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101101.dll probably a variant of Win32/Adware.BHO.V application 802E6EFC0E5B2A7B3D57DB0C89E2ED20
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101102.dll Win32/Adware.BHO.V application D7F4745B2162189AEB24EEE6B53AB0F3
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101103.dll probably a variant of Win32/Adware.BHO.V application 802E6EFC0E5B2A7B3D57DB0C89E2ED20
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101176.exe a variant of Win32/Dialer.ALifeDialer application 35EB365579475048AA24C8D4DD075CD6
C:\System Volume Information\_restore{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP252\A0101562.dll Win32/Adware.BHO.V application FAAAC92FB9D00BE42EC54816CA943EAB
C:\QooBox\Quarantine\C\WINDOWS\aconti.exe.vir a variant of Win32/Dialer.ALifeDialer application 35EB365579475048AA24C8D4DD075CD6
C:\QooBox\Quarantine\C\WINDOWS\system32\anwvsmqn.dll.vir probably a variant of Win32/Adware.BHO.V application 29B3460D91FB2A58C161A8FC18EB18BF
C:\QooBox\Quarantine\C\WINDOWS\system32\bfxuyhhp.dll.vir Win32/Adware.BHO.V application 942A5909310A5DF0A30112B7C96A3686
C:\QooBox\Quarantine\C\WINDOWS\system32\dgfxsyul.dll.vir probably a variant of Win32/Adware.BHO.V application 63E224097D0D4E3DAD3C762024A83DB1
C:\QooBox\Quarantine\C\WINDOWS\system32\drhvrkpm.dll.vir probably a variant of Win32/Adware.BHO.V application BCCB566A1BABC9041BC6338BC2C4BB80
C:\QooBox\Quarantine\C\WINDOWS\system32\fvjfrqkt.dll.vir Win32/Adware.BHO.V application D7F4745B2162189AEB24EEE6B53AB0F3
C:\QooBox\Quarantine\C\WINDOWS\system32\idjvjvif.dll.vir probably a variant of Win32/Adware.BHO.V application EBEDEEDEA62290C49DCA6B0976861753
C:\QooBox\Quarantine\C\WINDOWS\system32\ijctcdso.dll.vir Win32/Adware.BHO.V application D7F4745B2162189AEB24EEE6B53AB0F3
C:\QooBox\Quarantine\C\WINDOWS\system32\jewvwjoa.dll.vir probably a variant of Win32/Adware.BHO.V application 63E224097D0D4E3DAD3C762024A83DB1
C:\QooBox\Quarantine\C\WINDOWS\system32\jleahhwf.dll.vir probably a variant of Win32/Adware.BHO.V application 29B3460D91FB2A58C161A8FC18EB18BF
C:\QooBox\Quarantine\C\WINDOWS\system32\keotfdcx.dll.vir probably a variant of Win32/Adware.BHO.V application 802E6EFC0E5B2A7B3D57DB0C89E2ED20
C:\QooBox\Quarantine\C\WINDOWS\system32\lbnlvmom.dll.vir probably a variant of Win32/Adware.BHO.V application 29B3460D91FB2A58C161A8FC18EB18BF
C:\QooBox\Quarantine\C\WINDOWS\system32\lrogoxwn.dll.vir Win32/Adware.BHO.V application 05928220329361095DECA53F58AC67D4
C:\QooBox\Quarantine\C\WINDOWS\system32\nwhlehed.dll.vir Win32/Adware.BHO.V application D7F4745B2162189AEB24EEE6B53AB0F3
C:\QooBox\Quarantine\C\WINDOWS\system32\qfprbbeb.dll.vir probably a variant of Win32/Adware.BHO.V application 29B3460D91FB2A58C161A8FC18EB18BF
C:\QooBox\Quarantine\C\WINDOWS\system32\snqiyyfq.dll.vir probably a variant of Win32/Adware.BHO.V application 802E6EFC0E5B2A7B3D57DB0C89E2ED20
C:\QooBox\Quarantine\C\WINDOWS\system32\ucvidior.dll.vir Win32/Adware.BHO.V application D7F4745B2162189AEB24EEE6B53AB0F3
C:\QooBox\Quarantine\C\WINDOWS\system32\wjldnusv.dll.vir probably a variant of Win32/Adware.BHO.V application 802E6EFC0E5B2A7B3D57DB0C89E2ED20
C:\QooBox\Quarantine\C\WINDOWS\system32\epgtmelk.dll.vir Win32/Adware.BHO.V application FAAAC92FB9D00BE42EC54816CA943EAB
C:\QooBox\Quarantine\C\VundoFix Backups\aaknmvjq.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\adlsnobs.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\ajonptpu.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\alhtvotv.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\becwkcjv.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\bolfucxa.dll.bad.vir Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\QooBox\Quarantine\C\VundoFix Backups\bvdkmxth.dll.bad.vir Win32/Adware.Virtumonde application 9018245957ACD18A1A6F30401A9D60F2
C:\QooBox\Quarantine\C\VundoFix Backups\bvqibiym.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\chglhuof.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\cwetqyra.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\cxokrsci.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\dmogiavb.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\dpqjsxib.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\dvlqgali.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 88DBBE426F0B26335528535562E23200
C:\QooBox\Quarantine\C\VundoFix Backups\elaxnhma.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\fasfeobe.dll.bad.vir Win32/Adware.Virtumonde application 9018245957ACD18A1A6F30401A9D60F2
C:\QooBox\Quarantine\C\VundoFix Backups\fdjnrltd.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\fesbqxie.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\fklglesy.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\fsfcwhtx.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\geqqsquo.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\gjbgxynq.dll.bad.vir Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\QooBox\Quarantine\C\VundoFix Backups\gjifoxau.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\gqvrmqup.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\gykxqafx.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\hdhxgsfp.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\hfsdbvnc.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\hlmkucft.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\hquvjuap.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\hrollkox.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\igpibhxt.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\jkkhhhh.dll.bad.vir probably a variant of Win32/Adware.Agent application 76D632B1AA4482D9407CA7B026FC6701
C:\QooBox\Quarantine\C\VundoFix Backups\jrodkada.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\kacrvcyg.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\katvejuw.dll.bad.vir Win32/Adware.Virtumonde application 9018245957ACD18A1A6F30401A9D60F2
C:\QooBox\Quarantine\C\VundoFix Backups\kmimrcan.dll.bad.vir Win32/Adware.Virtumonde application 6F468B0EC2E9F21DAC962AE00BA71880
C:\QooBox\Quarantine\C\VundoFix Backups\krxrmntp.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\lacfywqk.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\lgwtldka.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\lkjjjqwd.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\lsobirnp.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\lweibfwf.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\lxglswgq.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\lypgbkip.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 88DBBE426F0B26335528535562E23200
C:\QooBox\Quarantine\C\VundoFix Backups\mecdfdko.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\mfosuqis.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\mrykioey.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\naajkicb.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\nnnolji.dll.bad.vir probably a variant of Win32/Adware.Agent application 76D632B1AA4482D9407CA7B026FC6701
C:\QooBox\Quarantine\C\VundoFix Backups\obwmknxi.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\oddwwhvn.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\oiitldsl.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\oitqnbnw.dll.bad.vir probably a variant of Win32/Adware.BHO.V application A4B6E07148A096E45C5586BFE11738DD
C:\QooBox\Quarantine\C\VundoFix Backups\ojdoqvdx.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\olqtxsad.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\ovgvfrss.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\pflsjqrh.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\pjpgaqqp.dll.bad.vir Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\QooBox\Quarantine\C\VundoFix Backups\prjjbnuj.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\pvbsrogp.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\qbyhnxay.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\qirqllld.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\qxbgyhrt.dll.bad.vir Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\QooBox\Quarantine\C\VundoFix Backups\rdgoqilo.dll.bad.vir Win32/Adware.BHO.V application 3ECFCD051382B8060F9AD55619B335B0
C:\QooBox\Quarantine\C\VundoFix Backups\rhhgbaov.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\rnekbkav.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\rtkugord.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\rvudfbln.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\rxqemcmh.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\ryyrcatv.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\sscmyuhb.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\stbkhppd.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\suhuhspi.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\ttlavuqh.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\txdbbppg.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\uexeygti.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\ufqdiqog.dll.bad.vir Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\QooBox\Quarantine\C\VundoFix Backups\unfjwvfd.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\usqetaxl.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\vaculevs.dll.bad.vir probably a variant of Win32/Adware.BHO.V application A4B6E07148A096E45C5586BFE11738DD
C:\QooBox\Quarantine\C\VundoFix Backups\vieoegty.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\voumqsqp.dll.bad.vir probably a variant of Win32/Adware.BHO.V application 941B446C31C348FB23505FD762A103D8
C:\QooBox\Quarantine\C\VundoFix Backups\vtsqq.dll.bad.vir Win32/Adware.Virtumonde application E9E25FBE4AA26FB6FA462C6D2D40C6F3
C:\QooBox\Quarantine\C\VundoFix Backups\vyxejewr.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\wigkbtry.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\wqfutprs.exe.bad.vir Win32/Adware.Ezula application 0720FC4070811E7307B3A0AF91E77370
C:\QooBox\Quarantine\C\VundoFix Backups\wrbcjmtt.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\wvuutts.dll.bad.vir probably a variant of Win32/Adware.Agent application 76D632B1AA4482D9407CA7B026FC6701

Llama
2008-01-06, 05:16
C:\QooBox\Quarantine\C\VundoFix Backups\wyilrbiv.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\xljkllom.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\xlwfaeiu.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\xthmfrms.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\yayxwxy.dll.bad.vir probably a variant of Win32/Adware.Agent application 76D632B1AA4482D9407CA7B026FC6701
C:\QooBox\Quarantine\C\VundoFix Backups\yjdxymxw.dll.bad.vir Win32/Adware.Virtumonde application 8E42F21596E50EBD6D301354D81A0FE5
C:\QooBox\Quarantine\C\VundoFix Backups\yrdomwof.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF
C:\QooBox\Quarantine\C\VundoFix Backups\ysitxjgt.dll.bad.vir Win32/Adware.Virtumonde application 47999C384644C3AC88A3F7FBACD0C527
C:\QooBox\Quarantine\C\VundoFix Backups\yyfdfvip.exe.bad.vir Win32/TrojanDownloader.Tiny.ID trojan 0C86132A8EE6A7B9056930A90396BBDF

====================================

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:01:35 p.m., on 6/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4913 bytes

Llama
2008-01-06, 05:19
darn that 20K character cap

ComboFix 08-01-06.4 - Joel Gibson 2008-01-06 11:45:17.2 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1137 [GMT 13:00]
Running from: C:\Documents and Settings\Joel Gibson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joel Gibson\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\FOUND.003
C:\WINDOWS\popcinfot.dat
C:\WINDOWS\system32\77052A6FA7.sys
C:\WINDOWS\system32\amhnxale.ini
C:\WINDOWS\system32\bsjbwpfa.ini
C:\WINDOWS\system32\byarxcjr.ini
C:\WINDOWS\system32\cdkhmcep.ini
C:\WINDOWS\system32\clcgywad.ini
C:\WINDOWS\system32\csvroaew.ini2
C:\WINDOWS\system32\dbjhaybs.ini
C:\WINDOWS\system32\dflxrnqk.ini
C:\WINDOWS\system32\dfvwjfnu.ini
C:\WINDOWS\system32\dhuxinya.ini
C:\WINDOWS\system32\djdnjtrs.ini
C:\WINDOWS\system32\dsvjhpyc.ini
C:\WINDOWS\system32\dwqjjjkl.ini
C:\WINDOWS\system32\eboefsaf.ini
C:\WINDOWS\system32\efavoych.ini
C:\WINDOWS\system32\eixqbsef.ini
C:\WINDOWS\system32\emaflsao.ini2
C:\WINDOWS\system32\epgtmelk.dll
C:\WINDOWS\system32\etsgefsd.ini
C:\WINDOWS\system32\fsswttnt.ini2
C:\WINDOWS\system32\ftvpqxou.ini
C:\WINDOWS\system32\ggxbkxgv.ini
C:\WINDOWS\system32\gicnwgfq.ini
C:\WINDOWS\system32\goqidqfu.ini
C:\WINDOWS\system32\hlagnivr.ini
C:\WINDOWS\system32\htxmkdvb.ini
C:\WINDOWS\system32\ipshuhus.ini
C:\WINDOWS\system32\ixnkmwbo.ini
C:\WINDOWS\system32\jeptewdh.ini
C:\WINDOWS\system32\jgyhbqod.ini
C:\WINDOWS\system32\jhyuhsgj.ini
C:\WINDOWS\system32\jpirvbvj.dat
C:\WINDOWS\system32\kbpyuujh.ini
C:\WINDOWS\system32\kuyokutk.ini
C:\WINDOWS\system32\mvpvgokd.ini
C:\WINDOWS\system32\mypywocv.ini
C:\WINDOWS\system32\nacrmimk.ini
C:\WINDOWS\system32\neenoufh.ini
C:\WINDOWS\system32\nfxuerye.ini
C:\WINDOWS\system32\nlbfduvr.ini
C:\WINDOWS\system32\opjfihwl.ini
C:\WINDOWS\system32\orkxndag.ini2
C:\WINDOWS\system32\pathcuto.ini
C:\WINDOWS\system32\pdtfijws.ini
C:\WINDOWS\system32\pfsgxhdh.ini
C:\WINDOWS\system32\pqqagpjp.ini
C:\WINDOWS\system32\qmavtwkq.ini
C:\WINDOWS\system32\qnyxgbjg.ini
C:\WINDOWS\system32\rkfqwxnk.ini
C:\WINDOWS\system32\rwchxlwj.ini
C:\WINDOWS\system32\sbspyaht.ini
C:\WINDOWS\system32\sewmrqnq.ini2
C:\WINDOWS\system32\smjynmvs.ini
C:\WINDOWS\system32\smrfmhtx.ini
C:\WINDOWS\system32\tgjxtisy.ini
C:\WINDOWS\system32\trhygbxq.ini
C:\WINDOWS\system32\upfydvsg.ini
C:\WINDOWS\system32\uxhkfugi.ini
C:\WINDOWS\system32\vkdorxjy.ini
C:\WINDOWS\system32\vtacryyr.ini
C:\WINDOWS\system32\vugtedko.ini
C:\WINDOWS\system32\vwbpbgwi.dll
C:\WINDOWS\system32\winshost.exe
C:\WINDOWS\system32\wujevtak.ini
C:\WINDOWS\system32\wxmyxdjy.ini
C:\WINDOWS\system32\xknclkxi.ini
C:\WINDOWS\system32\ymxvygsb.ini
C:\WINDOWS\system32\yrqvrpss.ini
C:\WINDOWS\system32\yrtbkgiw.ini
C:\WINDOWS\system32\yselglkf.ini
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\aaknmvjq.dll.bad
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\adlsnobs.exe.bad
C:\VundoFix Backups\ahdwqato.dll.bad
C:\VundoFix Backups\ajonptpu.exe.bad
C:\VundoFix Backups\alhtvotv.exe.bad
C:\VundoFix Backups\awtsq.dll.bad
C:\VundoFix Backups\awtst.dll.bad
C:\VundoFix Backups\awvtr.dll.bad
C:\VundoFix Backups\awvts.dll.bad
C:\VundoFix Backups\axcuflob.ini.bad
C:\VundoFix Backups\bbsxcuij.dll.bad
C:\VundoFix Backups\becwkcjv.dll.bad
C:\VundoFix Backups\bolfucxa.dll.bad
C:\VundoFix Backups\bvdkmxth.dll.bad
C:\VundoFix Backups\bvqibiym.exe.bad
C:\VundoFix Backups\chglhuof.exe.bad
C:\VundoFix Backups\cwetqyra.exe.bad
C:\VundoFix Backups\cxokrsci.exe.bad
C:\VundoFix Backups\cyphjvsd.dll.bad
C:\VundoFix Backups\ddayv.dll.bad
C:\VundoFix Backups\ddayw.dll.bad
C:\VundoFix Backups\dfhkj.bak1.bad
C:\VundoFix Backups\dfhkj.bak2.bad
C:\VundoFix Backups\dfhkj.ini.bad
C:\VundoFix Backups\dmogiavb.exe.bad
C:\VundoFix Backups\dpqjsxib.exe.bad
C:\VundoFix Backups\dvlqgali.dll.bad
C:\VundoFix Backups\eayswvhm.dll.bad
C:\VundoFix Backups\elaxnhma.dll.bad
C:\VundoFix Backups\eyreuxfn.dll.bad
C:\VundoFix Backups\fasfeobe.dll.bad
C:\VundoFix Backups\fdjnrltd.exe.bad
C:\VundoFix Backups\fesbqxie.dll.bad
C:\VundoFix Backups\fklglesy.dll.bad
C:\VundoFix Backups\fsfcwhtx.exe.bad
C:\VundoFix Backups\gebcd.dll.bad
C:\VundoFix Backups\geeba.dll.bad
C:\VundoFix Backups\geqqsquo.exe.bad
C:\VundoFix Backups\gjbgxynq.dll.bad
C:\VundoFix Backups\gjifoxau.exe.bad
C:\VundoFix Backups\gqvrmqup.exe.bad
C:\VundoFix Backups\gykxqafx.dll.bad
C:\VundoFix Backups\hdhxgsfp.dll.bad
C:\VundoFix Backups\hfsdbvnc.exe.bad
C:\VundoFix Backups\hfuoneen.dll.bad
C:\VundoFix Backups\hlmkucft.exe.bad
C:\VundoFix Backups\hquvjuap.exe.bad
C:\VundoFix Backups\hrollkox.dll.bad
C:\VundoFix Backups\igpibhxt.exe.bad
C:\VundoFix Backups\igufkhxu.dll.bad
C:\VundoFix Backups\jjkmp.bak1.bad
C:\VundoFix Backups\jjkmp.bak2.bad
C:\VundoFix Backups\jjkmp.ini.bad
C:\VundoFix Backups\jkhfd.dll.bad
C:\VundoFix Backups\jkkhhhh.dll.bad
C:\VundoFix Backups\jmjefleo.dll.bad
C:\VundoFix Backups\jrodkada.dll.bad
C:\VundoFix Backups\kacrvcyg.exe.bad
C:\VundoFix Backups\katvejuw.dll.bad
C:\VundoFix Backups\kmimrcan.dll.bad
C:\VundoFix Backups\kqnrxlfd.dll.bad
C:\VundoFix Backups\krxrmntp.exe.bad
C:\VundoFix Backups\ktukoyuk.dll.bad
C:\VundoFix Backups\lacfywqk.exe.bad
C:\VundoFix Backups\lgwtldka.exe.bad
C:\VundoFix Backups\lkjjjqwd.dll.bad
C:\VundoFix Backups\lsobirnp.exe.bad
C:\VundoFix Backups\lweibfwf.dll.bad
C:\VundoFix Backups\lxglswgq.exe.bad
C:\VundoFix Backups\lypgbkip.dll.bad
C:\VundoFix Backups\mecdfdko.exe.bad
C:\VundoFix Backups\mfosuqis.exe.bad
C:\VundoFix Backups\mrykioey.exe.bad
C:\VundoFix Backups\naajkicb.exe.bad
C:\VundoFix Backups\nnnolji.dll.bad
C:\VundoFix Backups\nukbqfth.dll.bad
C:\VundoFix Backups\obwmknxi.dll.bad
C:\VundoFix Backups\oddwwhvn.exe.bad
C:\VundoFix Backups\oiitldsl.exe.bad
C:\VundoFix Backups\oitqnbnw.dll.bad
C:\VundoFix Backups\ojdoqvdx.exe.bad
C:\VundoFix Backups\olqtxsad.exe.bad
C:\VundoFix Backups\otaqwdha.ini.bad
C:\VundoFix Backups\ovgvfrss.exe.bad
C:\VundoFix Backups\pecmhkdc.dll.bad
C:\VundoFix Backups\pflsjqrh.exe.bad
C:\VundoFix Backups\pjpgaqqp.dll.bad
C:\VundoFix Backups\pmkjj.dll.bad
C:\VundoFix Backups\pmnlj.dll.bad
C:\VundoFix Backups\pmnnn.dll.bad
C:\VundoFix Backups\pmnno.dll.bad
C:\VundoFix Backups\pmnyjecn.dll.bad
C:\VundoFix Backups\prjjbnuj.exe.bad
C:\VundoFix Backups\pvbsrogp.exe.bad
C:\VundoFix Backups\qbyhnxay.exe.bad
C:\VundoFix Backups\qirqllld.exe.bad
C:\VundoFix Backups\qjvmnkaa.ini.bad
C:\VundoFix Backups\qkwtvamq.dll.bad
C:\VundoFix Backups\qqstv.bak1.bad
C:\VundoFix Backups\qqstv.bak2.bad
C:\VundoFix Backups\qqstv.ini.bad
C:\VundoFix Backups\qstwa.bak1.bad
C:\VundoFix Backups\qstwa.ini.bad
C:\VundoFix Backups\qxbgyhrt.dll.bad
C:\VundoFix Backups\rdgoqilo.dll.bad
C:\VundoFix Backups\rhhgbaov.exe.bad
C:\VundoFix Backups\rnekbkav.exe.bad
C:\VundoFix Backups\rtkugord.exe.bad
C:\VundoFix Backups\rtvwa.bak1.bad
C:\VundoFix Backups\rtvwa.bak2.bad
C:\VundoFix Backups\rtvwa.ini.bad
C:\VundoFix Backups\rvudfbln.dll.bad
C:\VundoFix Backups\rxqemcmh.dll.bad
C:\VundoFix Backups\ryyrcatv.dll.bad
C:\VundoFix Backups\sniifkxi.dll.bad
C:\VundoFix Backups\sscmyuhb.dll.bad
C:\VundoFix Backups\ssqrq.dll.bad
C:\VundoFix Backups\stbkhppd.dll.bad
C:\VundoFix Backups\stvwa.bak1.bad
C:\VundoFix Backups\stvwa.ini.bad
C:\VundoFix Backups\suhuhspi.dll.bad
C:\VundoFix Backups\svmnyjms.dll.bad
C:\VundoFix Backups\swjiftdp.dll.bad
C:\VundoFix Backups\tstwa.bak1.bad
C:\VundoFix Backups\tstwa.ini.bad
C:\VundoFix Backups\ttlavuqh.exe.bad
C:\VundoFix Backups\txdbbppg.dll.bad
C:\VundoFix Backups\uexeygti.exe.bad
C:\VundoFix Backups\ufqdiqog.dll.bad
C:\VundoFix Backups\unfjwvfd.dll.bad
C:\VundoFix Backups\uoxqpvtf.dll.bad
C:\VundoFix Backups\usqetaxl.exe.bad
C:\VundoFix Backups\vaculevs.dll.bad
C:\VundoFix Backups\vcowypym.dll.bad
C:\VundoFix Backups\vgxkbxgg.dll.bad
C:\VundoFix Backups\vieoegty.exe.bad
C:\VundoFix Backups\voumqsqp.dll.bad
C:\VundoFix Backups\vtsqq.dll.bad
C:\VundoFix Backups\vyxejewr.exe.bad
C:\VundoFix Backups\wigkbtry.dll.bad
C:\VundoFix Backups\wqfutprs.exe.bad
C:\VundoFix Backups\wrbcjmtt.exe.bad
C:\VundoFix Backups\wvuutts.dll.bad
C:\VundoFix Backups\wyilrbiv.exe.bad
C:\VundoFix Backups\xljkllom.exe.bad
C:\VundoFix Backups\xlwfaeiu.exe.bad
C:\VundoFix Backups\xthmfrms.dll.bad
C:\VundoFix Backups\yayxwxy.dll.bad
C:\VundoFix Backups\yjdxymxw.dll.bad
C:\VundoFix Backups\yjxrodkv.dll.bad
C:\VundoFix Backups\yrdomwof.exe.bad
C:\VundoFix Backups\ysitxjgt.dll.bad
C:\VundoFix Backups\yyfdfvip.exe.bad
C:\WINDOWS\popcinfot.dat
C:\WINDOWS\system32\77052A6FA7.sys
C:\WINDOWS\system32\amhnxale.ini
C:\WINDOWS\system32\bsjbwpfa.ini
C:\WINDOWS\system32\byarxcjr.ini
C:\WINDOWS\system32\cdkhmcep.ini
C:\WINDOWS\system32\clcgywad.ini
C:\WINDOWS\system32\csvroaew.ini2
C:\WINDOWS\system32\dbjhaybs.ini
C:\WINDOWS\system32\dflxrnqk.ini
C:\WINDOWS\system32\dfvwjfnu.ini
C:\WINDOWS\system32\dhuxinya.ini
C:\WINDOWS\system32\djdnjtrs.ini
C:\WINDOWS\system32\dsvjhpyc.ini
C:\WINDOWS\system32\dwqjjjkl.ini
C:\WINDOWS\system32\eboefsaf.ini
C:\WINDOWS\system32\efavoych.ini
C:\WINDOWS\system32\eixqbsef.ini
C:\WINDOWS\system32\emaflsao.ini2
C:\WINDOWS\system32\epgtmelk.dll
C:\WINDOWS\system32\etsgefsd.ini
C:\WINDOWS\system32\fsswttnt.ini2
C:\WINDOWS\system32\ftvpqxou.ini
C:\WINDOWS\system32\ggxbkxgv.ini
C:\WINDOWS\system32\gicnwgfq.ini
C:\WINDOWS\system32\goqidqfu.ini
C:\WINDOWS\system32\hlagnivr.ini
C:\WINDOWS\system32\htxmkdvb.ini
C:\WINDOWS\system32\ipshuhus.ini
C:\WINDOWS\system32\ixnkmwbo.ini
C:\WINDOWS\system32\jeptewdh.ini
C:\WINDOWS\system32\jgyhbqod.ini
C:\WINDOWS\system32\jhyuhsgj.ini
C:\WINDOWS\system32\jpirvbvj.dat
C:\WINDOWS\system32\kbpyuujh.ini
C:\WINDOWS\system32\kuyokutk.ini
C:\WINDOWS\system32\mvpvgokd.ini
C:\WINDOWS\system32\mypywocv.ini
C:\WINDOWS\system32\nacrmimk.ini
C:\WINDOWS\system32\neenoufh.ini
C:\WINDOWS\system32\nfxuerye.ini
C:\WINDOWS\system32\nlbfduvr.ini
C:\WINDOWS\system32\opjfihwl.ini
C:\WINDOWS\system32\orkxndag.ini2
C:\WINDOWS\system32\pathcuto.ini
C:\WINDOWS\system32\pdtfijws.ini
C:\WINDOWS\system32\pfsgxhdh.ini
C:\WINDOWS\system32\pqqagpjp.ini
C:\WINDOWS\system32\qmavtwkq.ini
C:\WINDOWS\system32\qnyxgbjg.ini
C:\WINDOWS\system32\rkfqwxnk.ini
C:\WINDOWS\system32\rwchxlwj.ini
C:\WINDOWS\system32\sbspyaht.ini
C:\WINDOWS\system32\sewmrqnq.ini2
C:\WINDOWS\system32\smjynmvs.ini
C:\WINDOWS\system32\smrfmhtx.ini
C:\WINDOWS\system32\tgjxtisy.ini
C:\WINDOWS\system32\trhygbxq.ini
C:\WINDOWS\system32\upfydvsg.ini
C:\WINDOWS\system32\uxhkfugi.ini
C:\WINDOWS\system32\vkdorxjy.ini
C:\WINDOWS\system32\vtacryyr.ini
C:\WINDOWS\system32\vugtedko.ini
C:\WINDOWS\system32\wujevtak.ini
C:\WINDOWS\system32\wxmyxdjy.ini
C:\WINDOWS\system32\xknclkxi.ini
C:\WINDOWS\system32\ymxvygsb.ini
C:\WINDOWS\system32\yrqvrpss.ini
C:\WINDOWS\system32\yrtbkgiw.ini
C:\WINDOWS\system32\yselglkf.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-05 15:16 . 2008-01-06 11:45 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-05 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
2007-12-29 20:39 . 2007-12-29 20:39 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Command and Conquer 3 Tiberium Wars
2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Games
2007-12-28 11:29 . 2007-12-28 11:29 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Winamp
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\The Chosen demo
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Frater
2007-12-26 23:00 . 2007-12-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-26 23:00 . 2007-12-26 23:00 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2007-12-26 23:00 . 2007-12-26 23:00 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-26 23:00 . 2007-12-26 23:00 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Program Files\COMODO
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Comodo
2007-12-26 18:26 . 2007-12-26 18:26 <DIR> dr-h----- C:\Documents and Settings\Joel Gibson\Application Data\SecuROM
2007-12-26 17:25 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-26 17:25 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-26 17:25 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-26 17:25 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-19 19:57 . 2007-12-26 21:15 1,365 --a------ C:\WINDOWS\wininit.ini
2007-12-11 21:53 . 2007-12-11 21:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\ATI
2007-12-11 12:54 . 2007-12-11 12:54 294 ---hs---- C:\WINDOWS\system32\bhuymcss.ini
2007-12-10 14:26 . 2007-12-10 14:27 <DIR> d-------- C:\Program Files\Aquaria

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 06:30 --------- d-----w C:\Program Files\Fredryk Phantasy
2007-11-24 02:23 1,128 ----a-w C:\Program Files\log.dat
2007-11-23 08:30 --------- d-----w C:\Documents and Settings\Joel Gibson\Application Data\mIRC
2007-11-22 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-08 21:14 --------- d-----w C:\Program Files\Synaesthete
2007-10-30 16:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 14:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-19 22:34 53,880,837 ----a-w C:\Program Files\LastStandInstall.exe
2007-10-19 10:14 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-24 08:18 57,992 ----a-w C:\Documents and Settings\Joel Gibson\Application Data\GDIPFONTCACHEV1.DAT
2006-12-20 01:05 35,511 ----a-w C:\Program Files\ReadMe.txt
2004-11-08 20:22 929,792 ----a-w C:\Program Files\SCZ.exe
2001-11-22 23:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-08-18 11:41 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-05_16.50.18.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-30 19:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE

Llama
2008-01-06, 05:20
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 16:40 28672]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-21 04:16 37376]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-26 23:00 1481472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig]
--a------ 2003-02-10 14:48 192542 C:\IME\IMJP\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-05 00:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 14:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 14:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-05 00:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
--a------ 2001-08-17 22:36 86016 C:\WINDOWS\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-05 00:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-05 00:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"rpcapd"=3 (0x3)
"Pctspk"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Fax"=2 (0x2)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-26 23:00]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-26 23:00]
R2 CbmDev1;CbmDev1;C:\WINDOWS\system32\drivers\CbmDev1.sys [1998-01-16 08:43]
R2 CbmDev2;CbmDev2;C:\WINDOWS\system32\drivers\CbmDev2.sys [1998-01-16 08:43]
R2 CbmDev3;CbmDev3;C:\WINDOWS\system32\drivers\CbmDev3.sys [1998-01-16 08:43]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys []
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 12:10:18
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-06 12:11:00
ComboFix-quarantined-files.txt 2008-01-05 23:10:58
ComboFix2.txt 2008-01-05 03:50:52
.
2008-01-04 23:28:54 --- E O F ---

ken545
2008-01-06, 13:32
Llama Good Morning,

It looks like the File Infector is gone and your HJT log looks fine :bigthumb:

But we still need to do a few things to clean up the leftovers.

Please download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.

This program is for XP and Windows 2000 only
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

Your system may start up slower after running ATF Cleaner. This is expected, and it will be back to normal after the first or second boot.

Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems site (http://www.java.com/en/download/manual.jsp) and install the update:
Java Runtime Environment Version 6 Update 3 <--This is what you need to download and install.
If you choose the online installation, it will prompt you to run the program.
If you choose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after the install you can verify your installation here: Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to do the offline installation and save the setup file in case I may need it in the future.

Please download SuperAntiSpyware (http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE)
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.

Don't be alarmed when SAS finds Vundo; it will just be leftover reg entries and such, which it will remove.

Let me see the SAS log and one final HJT log, and let me know how you feel your system is running now?

Llama
2008-01-06, 14:14
Morning, I suppose 1am here in NZ can count as morning... :p:

However, Java is now updated (the online link prompted me with a save location?!?!), ATF Cleaner did whatever it was supposed to do, SAS can wait until daytime because it'll take long and I won't be awake till you're probably asleep anyway. HJT log as follows:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:06:33 a.m., on 7/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5142 bytes

I've also re-enabled TeaTimer because that usually gives me warnings when something is doing something I probably won't like (in this case it did, but it just couldn't do anything about it).

As far as I can tell, there are no randomly-named .dlls or .exes or registry entries that HJT can find, so that must be a good thing, right? :D:

I also found it funny when one anti-spyware exe found "malicious entities" which were the backups another anti-spyware programme had made before deleting them.
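A mechanical first pass over an HJT log like the one above, as an added example (this is not a HijackThis feature and not code from either poster). It looks only at the O2, O4 and O20 lines, which is where this infection lived, and flags the leftovers a helper scans for: BHO registrations whose DLL is gone, entries pointing at randomly named system32 DLLs of the shape the SAS log shows (awvtq.dll, jkhfg.dll and so on; that shape is an assumption), startup entries launched from user-writable folders, and AppInit_DLLs / Winlogon Notify hooks, which are annotated with the vendor attributions taken from the O23 lines (guard32.dll is COMODO's, SASWINLO.dll is SUPERAntiSpyware's). The sample log is constructed from lines in the HJT logs in this thread plus two constructed lines (the awvtq.dll BHO and the TalkAndWrite Run entry).

```python
"""Triage a HijackThis (HJT) log for Vundo/Virtumonde leftovers.

Added example for this thread: not a HijackThis feature and not code from
either poster.  It only reads the O2 (BHO), O4 (Run keys) and O20
(AppInit_DLLs / Winlogon Notify) lines, which is where this infection lived.
"""
from __future__ import annotations

import re

# Vundo dropped DLLs named with a few random lowercase letters straight into
# system32 (awvtq.dll, jkhfg.dll, ... in the SuperAntiSpyware log).  The exact
# shape is an assumption for this example, tuned to the names seen here.
RANDOM_SYS32_DLL = re.compile(r"c:\\windows\\system32\\[a-z]{5,8}\.dll", re.I)

# Hook DLLs that legitimately sit in O20 on this machine (vendors taken from
# the O23 service lines).  Anything else in O20 is treated as suspect.
KNOWN_HOOK_DLLS = {
    "guard32.dll": "COMODO Firewall Pro",
    "saswinlo.dll": "SUPERAntiSpyware",
}

# Folders a startup entry should not normally be launched from.
USER_WRITABLE = ("\\documents and settings\\", "\\temp\\", "\\application data\\")

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - (?P<kind>AppInit_DLLs|Winlogon Notify): (?P<rest>.*)$")


def triage(log: str) -> list[tuple[str, str, str]]:
    """Return (severity, entry, reason) triples in log order.

    severity: "remove"  - orphaned registration, safe to fix in HJT
              "suspect" - matches the infection's pattern, check the file
              "review"  - powerful hook or odd location, confirm before keeping
    """
    findings: list[tuple[str, str, str]] = []
    for raw in log.splitlines():
        line = raw.strip()
        if m := O2_RE.match(line):
            path = m["path"]
            if path == "(no file)" or path.endswith("(file missing)"):
                findings.append(("remove", m["clsid"], "BHO whose DLL no longer exists"))
            elif RANDOM_SYS32_DLL.fullmatch(path):
                findings.append(("suspect", path, "BHO backed by a randomly named system32 DLL"))
        elif m := O4_RE.match(line):
            cmd = m["cmd"].lower()
            if any(folder in cmd for folder in USER_WRITABLE):
                findings.append(("review", m["name"], "startup entry runs from a user-writable folder"))
            elif RANDOM_SYS32_DLL.search(cmd):
                findings.append(("suspect", m["name"], "startup entry loads a randomly named system32 DLL"))
        elif m := O20_RE.match(line):
            # Winlogon Notify lines read "<name> - <path>"; AppInit_DLLs is just the path.
            path = m["rest"].split(" - ", 1)[-1]
            vendor = KNOWN_HOOK_DLLS.get(path.rsplit("\\", 1)[-1].lower())
            if vendor:
                findings.append(("review", path, f"{m['kind']} hook belonging to {vendor}"))
            else:
                findings.append(("suspect", path, f"unrecognised {m['kind']} hook DLL"))
    return findings


# Constructed sample: lines taken from the HJT logs in this thread, plus two
# constructed ones (the awvtq.dll BHO and the TalkAndWrite Run entry).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O2 - BHO: (no name) - {0040C830-13D7-439C-B4F7-DC7EED3FB64D} - C:\WINDOWS\system32\awvtq.dll
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TalkAndWrite] C:\Documents and Settings\All Users\Application Data\Skype\Plugins\TalkAndWrite.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

if __name__ == "__main__":
    for severity, entry, reason in triage(SAMPLE_LOG):
        print(f"{severity:8} {entry}  <- {reason}")
```

On the sample this reports the two orphaned BHOs as "remove", the awvtq.dll BHO as "suspect", and the TalkAndWrite entry plus the two vendor hooks as "review"; HTpatch, ctfmon and the Winamp agent pass. An AppInit_DLLs entry is always worth a look even when it belongs to a known vendor, because that key injects the DLL into every process that loads user32.dll.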

ken545
2008-01-06, 17:20
I also found it funny when one anti-spyware exe found "malicious entities" which were the backups another anti-spyware programme had made before deleting them. Yep, this happens.

I will wait for the SAS log and if all is ok you will be good to go.

Llama
2008-01-07, 01:10
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 01/07/2008 at 11:56 AM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:38:43

Memory items scanned : 446
Memory threats detected : 0
Registry items scanned : 6018
Registry threats detected : 141
File items scanned : 33642
File threats detected : 105

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}
HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}
HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}\InprocServer32
HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWVTQ.DLL
HKLM\Software\Classes\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}
HKCR\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}
HKCR\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}\InprocServer32
HKCR\CLSID\{1626FC60-560E-48AA-9416-E288721D27B0}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKHFG.DLL
HKLM\Software\Classes\CLSID\{1B019667-19E4-4EBF-92D6-A96427EBC5F6}
HKCR\CLSID\{1B019667-19E4-4EBF-92D6-A96427EBC5F6}
HKCR\CLSID\{1B019667-19E4-4EBF-92D6-A96427EBC5F6}\InprocServer32
HKCR\CLSID\{1B019667-19E4-4EBF-92D6-A96427EBC5F6}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEEDB.DLL
HKLM\Software\Classes\CLSID\{23B565CE-1C4D-4D24-9773-BEE90C69D20C}
HKCR\CLSID\{23B565CE-1C4D-4D24-9773-BEE90C69D20C}
HKCR\CLSID\{23B565CE-1C4D-4D24-9773-BEE90C69D20C}\InprocServer32
HKCR\CLSID\{23B565CE-1C4D-4D24-9773-BEE90C69D20C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSTTS.DLL
HKLM\Software\Classes\CLSID\{3C62BEA8-5055-46E0-AABC-9EB694DAB9C6}
HKCR\CLSID\{3C62BEA8-5055-46E0-AABC-9EB694DAB9C6}
HKCR\CLSID\{3C62BEA8-5055-46E0-AABC-9EB694DAB9C6}\InprocServer32
HKCR\CLSID\{3C62BEA8-5055-46E0-AABC-9EB694DAB9C6}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{4E953311-1240-4E21-965D-9CD09CE7FD23}
HKCR\CLSID\{4E953311-1240-4E21-965D-9CD09CE7FD23}
HKCR\CLSID\{4E953311-1240-4E21-965D-9CD09CE7FD23}\InprocServer32
HKCR\CLSID\{4E953311-1240-4E21-965D-9CD09CE7FD23}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTUTS.DLL
HKLM\Software\Classes\CLSID\{5B9B73C3-1ADE-4B4F-AA6B-AFB87DB93DFE}
HKCR\CLSID\{5B9B73C3-1ADE-4B4F-AA6B-AFB87DB93DFE}
HKCR\CLSID\{5B9B73C3-1ADE-4B4F-AA6B-AFB87DB93DFE}\InprocServer32
HKCR\CLSID\{5B9B73C3-1ADE-4B4F-AA6B-AFB87DB93DFE}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDABB.DLL
HKLM\Software\Classes\CLSID\{5C3F0ED5-9D70-4112-A34D-1B0A87559E2A}
HKCR\CLSID\{5C3F0ED5-9D70-4112-A34D-1B0A87559E2A}
HKCR\CLSID\{5C3F0ED5-9D70-4112-A34D-1B0A87559E2A}\InprocServer32
HKCR\CLSID\{5C3F0ED5-9D70-4112-A34D-1B0A87559E2A}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEEBX.DLL
HKLM\Software\Classes\CLSID\{6794FE3E-E6EC-49FE-B308-DF3206BC46D9}
HKCR\CLSID\{6794FE3E-E6EC-49FE-B308-DF3206BC46D9}
HKCR\CLSID\{6794FE3E-E6EC-49FE-B308-DF3206BC46D9}\InprocServer32
HKCR\CLSID\{6794FE3E-E6EC-49FE-B308-DF3206BC46D9}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEBCD.DLL
HKLM\Software\Classes\CLSID\{74435086-2553-4863-8124-7899D709B090}
HKCR\CLSID\{74435086-2553-4863-8124-7899D709B090}
HKCR\CLSID\{74435086-2553-4863-8124-7899D709B090}\InprocServer32
HKCR\CLSID\{74435086-2553-4863-8124-7899D709B090}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWVVS.DLL
HKLM\Software\Classes\CLSID\{7BD67659-54F7-420A-A9F2-8E94C7F69DC4}
HKCR\CLSID\{7BD67659-54F7-420A-A9F2-8E94C7F69DC4}
HKCR\CLSID\{7BD67659-54F7-420A-A9F2-8E94C7F69DC4}\InprocServer32
HKCR\CLSID\{7BD67659-54F7-420A-A9F2-8E94C7F69DC4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMNLM.DLL
HKLM\Software\Classes\CLSID\{8052EF7D-5E2E-4822-AA0F-0BE37505543E}
HKCR\CLSID\{8052EF7D-5E2E-4822-AA0F-0BE37505543E}
HKCR\CLSID\{8052EF7D-5E2E-4822-AA0F-0BE37505543E}\InprocServer32
HKCR\CLSID\{8052EF7D-5E2E-4822-AA0F-0BE37505543E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLLJH.DLL
HKLM\Software\Classes\CLSID\{8172212E-1678-4294-BB9C-BDE619CA9E22}
HKCR\CLSID\{8172212E-1678-4294-BB9C-BDE619CA9E22}
HKCR\CLSID\{8172212E-1678-4294-BB9C-BDE619CA9E22}\InprocServer32
HKCR\CLSID\{8172212E-1678-4294-BB9C-BDE619CA9E22}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDCCA.DLL
HKLM\Software\Classes\CLSID\{8273E79E-772E-4D6B-9050-FAB12B654A6C}
HKCR\CLSID\{8273E79E-772E-4D6B-9050-FAB12B654A6C}
HKCR\CLSID\{8273E79E-772E-4D6B-9050-FAB12B654A6C}\InprocServer32
HKCR\CLSID\{8273E79E-772E-4D6B-9050-FAB12B654A6C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTQP.DLL
HKLM\Software\Classes\CLSID\{83A75906-9763-4B73-B965-FCC4AC87965E}
HKCR\CLSID\{83A75906-9763-4B73-B965-FCC4AC87965E}
HKCR\CLSID\{83A75906-9763-4B73-B965-FCC4AC87965E}\InprocServer32
HKCR\CLSID\{83A75906-9763-4B73-B965-FCC4AC87965E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKKJH.DLL
HKLM\Software\Classes\CLSID\{96DABAFC-CCD9-4F4B-8621-81F03C689BD4}
HKCR\CLSID\{96DABAFC-CCD9-4F4B-8621-81F03C689BD4}
HKCR\CLSID\{96DABAFC-CCD9-4F4B-8621-81F03C689BD4}\InprocServer32
HKCR\CLSID\{96DABAFC-CCD9-4F4B-8621-81F03C689BD4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTSQO.DLL
HKLM\Software\Classes\CLSID\{B8320F23-74C6-4BBF-AB48-FBD37B7BEA9E}
HKCR\CLSID\{B8320F23-74C6-4BBF-AB48-FBD37B7BEA9E}
HKCR\CLSID\{B8320F23-74C6-4BBF-AB48-FBD37B7BEA9E}\InprocServer32
HKCR\CLSID\{B8320F23-74C6-4BBF-AB48-FBD37B7BEA9E}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSQPM.DLL
HKLM\Software\Classes\CLSID\{E496DC02-1001-4CAD-B0CB-776900BEA2A2}
HKCR\CLSID\{E496DC02-1001-4CAD-B0CB-776900BEA2A2}
HKCR\CLSID\{E496DC02-1001-4CAD-B0CB-776900BEA2A2}\InprocServer32
HKCR\CLSID\{E496DC02-1001-4CAD-B0CB-776900BEA2A2}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\VTUTT.DLL
HKLM\Software\Classes\CLSID\{F669E745-24CE-41E9-9165-360D1F86D26B}
HKCR\CLSID\{F669E745-24CE-41E9-9165-360D1F86D26B}
HKCR\CLSID\{F669E745-24CE-41E9-9165-360D1F86D26B}\InprocServer32
HKCR\CLSID\{F669E745-24CE-41E9-9165-360D1F86D26B}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLJGF.DLL

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{10763139-E829-43E8-921F-3CCA0D0C0BD7}
HKCR\CLSID\{10763139-E829-43E8-921F-3CCA0D0C0BD7}
HKCR\CLSID\{10763139-E829-43E8-921F-3CCA0D0C0BD7}\InprocServer32
HKCR\CLSID\{10763139-E829-43E8-921F-3CCA0D0C0BD7}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWTQR.DLL
HKLM\Software\Classes\CLSID\{2CF56A97-7837-41E3-BBFF-73E2D3C02303}
HKCR\CLSID\{2CF56A97-7837-41E3-BBFF-73E2D3C02303}
HKCR\CLSID\{2CF56A97-7837-41E3-BBFF-73E2D3C02303}\InprocServer32
HKCR\CLSID\{2CF56A97-7837-41E3-BBFF-73E2D3C02303}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKHFC.DLL
HKLM\Software\Classes\CLSID\{3D53C87B-A100-4BF4-936D-8F74E1EDEE89}
HKCR\CLSID\{3D53C87B-A100-4BF4-936D-8F74E1EDEE89}
HKCR\CLSID\{3D53C87B-A100-4BF4-936D-8F74E1EDEE89}\InprocServer32
HKCR\CLSID\{3D53C87B-A100-4BF4-936D-8F74E1EDEE89}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMKHI.DLL
HKLM\Software\Classes\CLSID\{4E27F2AD-C95D-4DED-8324-410C7A24FE65}
HKCR\CLSID\{4E27F2AD-C95D-4DED-8324-410C7A24FE65}
HKCR\CLSID\{4E27F2AD-C95D-4DED-8324-410C7A24FE65}\InprocServer32
HKCR\CLSID\{4E27F2AD-C95D-4DED-8324-410C7A24FE65}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDCCB.DLL
HKLM\Software\Classes\CLSID\{549C7839-AE42-427A-9FE2-DE8D2ADED5C9}
HKCR\CLSID\{549C7839-AE42-427A-9FE2-DE8D2ADED5C9}
HKCR\CLSID\{549C7839-AE42-427A-9FE2-DE8D2ADED5C9}\InprocServer32
HKCR\CLSID\{549C7839-AE42-427A-9FE2-DE8D2ADED5C9}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMKJH.DLL
HKLM\Software\Classes\CLSID\{70E0BDB3-2986-4807-99ED-B3D91913AF26}
HKCR\CLSID\{70E0BDB3-2986-4807-99ED-B3D91913AF26}
HKCR\CLSID\{70E0BDB3-2986-4807-99ED-B3D91913AF26}\InprocServer32
HKCR\CLSID\{70E0BDB3-2986-4807-99ED-B3D91913AF26}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDAYW.DLL
HKLM\Software\Classes\CLSID\{710F47D7-611F-45A1-81E2-EFB469E5B37C}
HKCR\CLSID\{710F47D7-611F-45A1-81E2-EFB469E5B37C}
HKCR\CLSID\{710F47D7-611F-45A1-81E2-EFB469E5B37C}\InprocServer32
HKCR\CLSID\{710F47D7-611F-45A1-81E2-EFB469E5B37C}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEEDC.DLL
HKLM\Software\Classes\CLSID\{714D3CD9-D791-4841-BAFC-AE244DD4BACE}
HKCR\CLSID\{714D3CD9-D791-4841-BAFC-AE244DD4BACE}
HKCR\CLSID\{714D3CD9-D791-4841-BAFC-AE244DD4BACE}\InprocServer32
HKCR\CLSID\{714D3CD9-D791-4841-BAFC-AE244DD4BACE}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSTQP.DLL
HKLM\Software\Classes\CLSID\{8708BC28-1CE4-4B2D-A513-C5C16E50AE1F}
HKCR\CLSID\{8708BC28-1CE4-4B2D-A513-C5C16E50AE1F}
HKCR\CLSID\{8708BC28-1CE4-4B2D-A513-C5C16E50AE1F}\InprocServer32
HKCR\CLSID\{8708BC28-1CE4-4B2D-A513-C5C16E50AE1F}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLJGG.DLL
HKLM\Software\Classes\CLSID\{A8AB2466-FB23-45EE-88D3-8171BA00FC50}
HKCR\CLSID\{A8AB2466-FB23-45EE-88D3-8171BA00FC50}
HKCR\CLSID\{A8AB2466-FB23-45EE-88D3-8171BA00FC50}\InprocServer32
HKCR\CLSID\{A8AB2466-FB23-45EE-88D3-8171BA00FC50}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSQRQ.DLL
HKLM\Software\Classes\CLSID\{A8F74992-CED4-4CC6-918B-862AE92AFEA3}
HKCR\CLSID\{A8F74992-CED4-4CC6-918B-862AE92AFEA3}
HKCR\CLSID\{A8F74992-CED4-4CC6-918B-862AE92AFEA3}\InprocServer32
HKCR\CLSID\{A8F74992-CED4-4CC6-918B-862AE92AFEA3}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\DDAYV.DLL
HKLM\Software\Classes\CLSID\{A90B98F0-E8CF-440E-B967-7332EB9B5ED3}
HKCR\CLSID\{A90B98F0-E8CF-440E-B967-7332EB9B5ED3}
HKCR\CLSID\{A90B98F0-E8CF-440E-B967-7332EB9B5ED3}\InprocServer32
HKCR\CLSID\{A90B98F0-E8CF-440E-B967-7332EB9B5ED3}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\JKKJI.DLL
HKLM\Software\Classes\CLSID\{B0D1F516-8C1B-4E71-8926-F017EDF3D4F7}
HKCR\CLSID\{B0D1F516-8C1B-4E71-8926-F017EDF3D4F7}
HKCR\CLSID\{B0D1F516-8C1B-4E71-8926-F017EDF3D4F7}\InprocServer32
HKCR\CLSID\{B0D1F516-8C1B-4E71-8926-F017EDF3D4F7}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMNNM.DLL
HKLM\Software\Classes\CLSID\{C99B63D6-10F3-4C85-B884-B2FDD19C7470}
HKCR\CLSID\{C99B63D6-10F3-4C85-B884-B2FDD19C7470}
HKCR\CLSID\{C99B63D6-10F3-4C85-B884-B2FDD19C7470}\InprocServer32
HKCR\CLSID\{C99B63D6-10F3-4C85-B884-B2FDD19C7470}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\MLJGE.DLL
HKLM\Software\Classes\CLSID\{D2089606-6D10-432A-BCD1-448136D0319C}
HKCR\CLSID\{D2089606-6D10-432A-BCD1-448136D0319C}
HKCR\CLSID\{D2089606-6D10-432A-BCD1-448136D0319C}\InprocServer32
HKCR\CLSID\{D2089606-6D10-432A-BCD1-448136D0319C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{FB96AF35-EFA6-4FD0-8588-4DA83D74F501}
HKCR\CLSID\{FB96AF35-EFA6-4FD0-8588-4DA83D74F501}
HKCR\CLSID\{FB96AF35-EFA6-4FD0-8588-4DA83D74F501}\InprocServer32
HKCR\CLSID\{FB96AF35-EFA6-4FD0-8588-4DA83D74F501}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\GEBCY.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Joel Gibson\Cookies\joel_gibson@doubleclick[1].txt

Adware.IEPlugin
HKCR\Remove

Trojan.Downloader-CREW
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20080105-142537-477.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100807.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100819.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100834.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100840.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100847.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100858.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100860.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100870.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100892.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100898.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100903.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100910.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100916.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100920.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101087.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101088.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101089.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101090.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101091.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101092.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101093.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101094.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101095.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101096.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101097.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101098.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101099.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101100.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101101.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101102.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101103.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP252\A0101562.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ANWVSMQN.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BFXUYHHP.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DGFXSYUL.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DRHVRKPM.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FVJFRQKT.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IDJVJVIF.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IJCTCDSO.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JEWVWJOA.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JLEAHHWF.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KEOTFDCX.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LBNLVMOM.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LROGOXWN.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NWHLEHED.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QFPRBBEB.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SNQIYYFQ.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\UCVIDIOR.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WJLDNUSV.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EPGTMELK.DLL.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\BECWKCJV.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\DVLQGALI.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\GYKXQAFX.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\HROLLKOX.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\JRODKADA.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\LWEIBFWF.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\LYPGBKIP.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\OITQNBNW.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\RDGOQILO.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\RXQEMCMH.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\STBKHPPD.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\TXDBBPPG.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\VACULEVS.DLL.BAD.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\VOUMQSQP.DLL.BAD.VIR

Adware.WhenU
C:\PROGRAM FILES\DAEMON TOOLS\SETUPDTSB.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP249\A0099848.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100845.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100865.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100926.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100931.DLL


Cheers! :bigthumb:

ken545
2008-01-07, 01:24
WOW!! You had a ton of bad stuff that it removed. You have to be careful of what you download and the sites you go to; the threats out there now are real nasty. Some going around can't be cleaned and a reformat of Windows is the only option, so watch yourself.

All the entries we removed are backed up in System Restore, so we need to flush it all out.
System Restore makes regular backups of all your settings. If you ever had to use it to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

Turn off System Restore.

Right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore on all Drives.
Click Apply, and then click OK.

Reboot your computer.

Turn ON System Restore.

Right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check Turn off System Restore on all Drives.
Click Apply, and then click OK.

Create a new Restore Point <-- Very Important

Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point

System Restore Tutorial (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- If you need it

Post one last HJT log for review and let me know how your system is running now?
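A way to read a SAS log like the one posted above by location rather than by count, as an added example (not SuperAntiSpyware output and not either poster's code). A figure such as "File threats detected : 105" says nothing about what is still active: a large share of the hits in that log are archived copies inside System Restore points, ComboFix's QooBox quarantine, or HijackThis backups. Grouping by location separates the live files from the archived ones and lists the restore points that hold infected copies, which is the reason behind the flush-and-recreate step in the post above. It assumes the folder layout of the tools used in this thread (Windows XP restore points as RPnnn folders under System Volume Information, ComboFix's QooBox, HijackThis backups); the sample log is an abbreviated, anonymised copy of the SAS log in this thread.

```python
"""Group SuperAntiSpyware (SAS) file detections by where the file lives.

Added example for this thread, not SAS output and not either poster's code.
It separates live files from archived copies (restore points, quarantine,
tool backups) and lists the restore points that would re-infect the machine.
"""
from __future__ import annotations

import re
from collections import Counter

# Windows XP keeps restore points as RPnnn folders under System Volume
# Information; the GUID is per-volume.  Group 1 captures the RP number.
RESTORE_POINT = re.compile(r"\\system volume information\\_restore\{[0-9a-f-]+\}\\rp(\d+)\\", re.I)

# Location rules in priority order; first match wins, anything else is live.
# Folder names are those of the tools used in this thread (ComboFix's QooBox
# quarantine also holds the VundoFix backups it swept up); labels are mine.
LOCATIONS = [
    ("system restore point", RESTORE_POINT),
    ("ComboFix quarantine", re.compile(r"^c:\\qoobox\\quarantine\\", re.I)),
    ("HijackThis backup", re.compile(r"\\hijackthis\\backups\\", re.I)),
    ("browser cookie", re.compile(r"\\cookies\\", re.I)),
]

FILE_ENTRY = re.compile(r"^[a-z]:\\", re.I)
REGISTRY_ENTRY = re.compile(r"^HK(LM|CU|CR|U|EY_)", re.I)


def parse_sas(log: str) -> list[tuple[str, str, str]]:
    """Return (family, kind, entry) triples; kind is "file" or "registry".

    SAS prints a family header such as "Adware.Vundo Variant" followed by its
    registry keys and file paths, one per line.  Summary lines ("Scan type :
    ...") contain a colon, so any other colon-free line starts a new family.
    """
    entries: list[tuple[str, str, str]] = []
    family = ""
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FILE_ENTRY.match(line):
            entries.append((family, "file", line))
        elif REGISTRY_ENTRY.match(line):
            entries.append((family, "registry", line))
        elif ":" not in line:
            family = line
    return entries


def locate(path: str) -> str:
    """Name the place a detected file lives, or "live system"."""
    for label, pattern in LOCATIONS:
        if pattern.search(path):
            return label
    return "live system"


def summarize(log: str) -> dict[str, Counter]:
    """Per family: registry hits and file hits broken down by location."""
    summary: dict[str, Counter] = {}
    for family, kind, entry in parse_sas(log):
        bucket = summary.setdefault(family, Counter())
        bucket["registry" if kind == "registry" else locate(entry)] += 1
    return summary


def live_files(log: str) -> list[str]:
    """File detections that still sit on the running system."""
    return [e for _, kind, e in parse_sas(log) if kind == "file" and locate(e) == "live system"]


def infected_restore_points(log: str) -> list[int]:
    """Restore point numbers holding a detected file; all of them must go."""
    numbers = set()
    for _, kind, entry in parse_sas(log):
        if kind == "file" and (m := RESTORE_POINT.search(entry)):
            numbers.add(int(m.group(1)))
    return sorted(numbers)


# Constructed sample: an abbreviated copy of the SAS log posted in this
# thread, with the cookie path anonymised.
SAMPLE_SAS_LOG = r"""
Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}
HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}
HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}\InprocServer32
HKCR\CLSID\{0040C830-13D7-439C-B4F7-DC7EED3FB64D}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\AWVTQ.DLL

Adware.Tracking Cookie
C:\Documents and Settings\user\Cookies\user@doubleclick[1].txt

Trojan.Downloader-CREW
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20080105-142537-477.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP250\A0100807.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{EEB4F3AE-BAF9-41B0-86FD-73AF6AD6D142}\RP251\A0101087.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\ANWVSMQN.DLL.VIR
C:\QOOBOX\QUARANTINE\C\VUNDOFIX BACKUPS\BECWKCJV.DLL.BAD.VIR

Adware.WhenU
C:\PROGRAM FILES\DAEMON TOOLS\SETUPDTSB.EXE
"""

if __name__ == "__main__":
    for family, buckets in summarize(SAMPLE_SAS_LOG).items():
        print(family, dict(buckets))
    print("live:", live_files(SAMPLE_SAS_LOG))
    print("restore points to flush:", infected_restore_points(SAMPLE_SAS_LOG))
```

Run against the full log above, the same functions show that the Vundo and WinFixer DLLs in system32 were the live part of the infection, that every Trojan.Downloader-CREW hit outside the HJT backup folder was an archived copy, and that RP249 through RP252 all contain infected files, so turning System Restore off and on again (which discards every restore point) is the right move rather than deleting one of them.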

Llama
2008-01-07, 02:58
System Restore turned off, then on, then created a restore point: Check

HJT log: Check

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:50:11 p.m., on 7/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: (no name) - {153E1C77-992C-47A7-884D-04C89AF8E73F} - (no file)
O2 - BHO: (no name) - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - (no file)
O2 - BHO: (no name) - {2B380D9A-61A6-4D9F-97C0-4916CC7003EA} - (no file)
O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - (no file)
O2 - BHO: (no name) - {2F7A9AF9-2277-4C31-B19E-7B09931AC99F} - (no file)
O2 - BHO: (no name) - {31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4} - (no file)
O2 - BHO: (no name) - {3496AEAA-BD5E-4FC9-8E9E-66725F6A545B} - (no file)
O2 - BHO: (no name) - {36330830-6053-4E17-9B59-B55CF7101A19} - (no file)
O2 - BHO: (no name) - {37024FFE-F851-45A4-81DE-372AE57056C3} - (no file)
O2 - BHO: (no name) - {46782F63-2C18-4B43-90EC-C63E8AF6166B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59DFAEF9-71AB-44D0-ACE5-065317A0B614} - (no file)
O2 - BHO: (no name) - {6AE40AC7-A7FB-4077-B271-5A156B9D980D} - (no file)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A} - (no file)
O2 - BHO: (no name) - {81FC19CA-4C54-4AB6-8952-341345BB8E7C} - (no file)
O2 - BHO: (no name) - {A204BC7D-6B84-4915-A629-76F790E96751} - (no file)
O2 - BHO: (no name) - {ACD52C84-DCCD-4A64-ACF3-478DA69B95CF} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O2 - BHO: (no name) - {C4D3D881-5B72-4966-8418-4B1C3C6D8D5B} - (no file)
O2 - BHO: (no name) - {C744ED46-F576-4C63-B383-8A80CFCBC5F5} - (no file)
O2 - BHO: (no name) - {CA3EA2D9-48F5-4012-8C1A-10274F99A3FD} - (no file)
O2 - BHO: (no name) - {E5C5FC47-A373-4535-94A4-D37D93300479} - (no file)
O2 - BHO: (no name) - {E735962A-4C19-4447-BE6F-0BA3CE6EAE44} - (no file)
O2 - BHO: (no name) - {E96D4F03-E048-46DD-98D7-B15530AF90EC} - (no file)
O2 - BHO: (no name) - {EE403AD3-4C0A-48D4-9618-BC8D5838CD9E} - (no file)
O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - (no file)
O2 - BHO: (no name) - {F5CB5F68-091E-4F25-8998-40B75CF3D268} - (no file)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxyvut - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7519 bytes

I'm a tad suspicious of the many O2 Browser Helper Objects with no name or file, because that's what most of the Vundo ones were, albeit neither Spybot nor Comodo Firewall came up with anything, so I'm going to assume that's alright. Can I now remove SAS, vundofix.exe etc. (I will keep Spybot, Comodo and find myself an anti-virus programme)?

Otherwise, thanks for all the help!

ken545
2008-01-07, 04:39
Not sure why all that came back; do this, as they're all related to Vundo. Although there are no files, those entries should be gone.

You need to disable the TeaTimer in Spybot Search and Destroy or it may prevent the fixes from taking. Keep it disabled until I give you the all clear. It's possible that it prevented SAS from removing those entries.

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
3. On the left hand side, click on Tools.
4. Then click on the Resident icon in the list.
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer for it to take effect.




Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: (no name) - {153E1C77-992C-47A7-884D-04C89AF8E73F} - (no file)
O2 - BHO: (no name) - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - (no file)
O2 - BHO: (no name) - {2B380D9A-61A6-4D9F-97C0-4916CC7003EA} - (no file)
O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - (no file)
O2 - BHO: (no name) - {2F7A9AF9-2277-4C31-B19E-7B09931AC99F} - (no file)
O2 - BHO: (no name) - {31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4} - (no file)
O2 - BHO: (no name) - {3496AEAA-BD5E-4FC9-8E9E-66725F6A545B} - (no file)
O2 - BHO: (no name) - {36330830-6053-4E17-9B59-B55CF7101A19} - (no file)
O2 - BHO: (no name) - {37024FFE-F851-45A4-81DE-372AE57056C3} - (no file)
O2 - BHO: (no name) - {46782F63-2C18-4B43-90EC-C63E8AF6166B} - (no file)
O2 - BHO: (no name) - {59DFAEF9-71AB-44D0-ACE5-065317A0B614} - (no file)
O2 - BHO: (no name) - {6AE40AC7-A7FB-4077-B271-5A156B9D980D} - (no file)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - (no file)
O2 - BHO: (no name) - {C4D3D881-5B72-4966-8418-4B1C3C6D8D5B} - (no file)
O2 - BHO: (no name) - {C744ED46-F576-4C63-B383-8A80CFCBC5F5} - (no file)
O2 - BHO: (no name) - {CA3EA2D9-48F5-4012-8C1A-10274F99A3FD} - (no file)
O2 - BHO: (no name) - {E5C5FC47-A373-4535-94A4-D37D93300479} - (no file)
O2 - BHO: (no name) - {E735962A-4C19-4447-BE6F-0BA3CE6EAE44} - (no file)
O2 - BHO: (no name) - {E96D4F03-E048-46DD-98D7-B15530AF90EC} - (no file)
O2 - BHO: (no name) - {EE403AD3-4C0A-48D4-9618-BC8D5838CD9E} - (no file)
O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - (no file)
O2 - BHO: (no name) - {F5CB5F68-091E-4F25-8998-40B75CF3D268} - (no file)

O20 - Winlogon Notify: byxyvut - C:\WINDOWS\



Drag ComboFix to the trash, then download and run the newest version, which was just posted yesterday.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click ComboFix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the new ComboFix log and a new HJT log.

Llama
2008-01-07, 13:02
ComboFix 08-01-04.1 - Joel Gibson 2008-01-07 23:40:12.3 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.668 [GMT 13:00]
Running from: C:\Documents and Settings\Joel Gibson\Desktop\ComboFix.exe
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((( Files Created from 2007-12-07 to 2008-01-07 )))))))))))))))))))))))))))))))
.

2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\SUPERAntiSpyware.com
2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-07 00:48 . 2008-01-07 00:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-07 00:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-06 12:57 . 2008-01-06 12:57 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-05 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
2007-12-29 20:39 . 2007-12-29 20:39 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Command and Conquer 3 Tiberium Wars
2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Games
2007-12-28 11:29 . 2007-12-28 11:29 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Winamp
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\The Chosen demo
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Frater
2007-12-26 23:00 . 2007-12-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-26 23:00 . 2007-12-26 23:00 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2007-12-26 23:00 . 2007-12-26 23:00 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-26 23:00 . 2007-12-26 23:00 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Program Files\COMODO
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Comodo
2007-12-26 18:26 . 2007-12-26 18:26 <DIR> dr-h----- C:\Documents and Settings\Joel Gibson\Application Data\SecuROM
2007-12-26 17:25 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-26 17:25 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-26 17:25 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-26 17:25 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-19 19:57 . 2007-12-26 21:15 1,365 --a------ C:\WINDOWS\wininit.ini
2007-12-11 21:53 . 2007-12-11 21:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\ATI
2007-12-11 12:54 . 2007-12-11 12:54 294 ---hs---- C:\WINDOWS\system32\bhuymcss.ini
2007-12-10 14:26 . 2007-12-10 14:27 <DIR> d-------- C:\Program Files\Aquaria

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 06:30 --------- d-----w C:\Program Files\Fredryk Phantasy
2007-11-24 02:23 1,128 ----a-w C:\Program Files\log.dat
2007-11-23 08:30 --------- d-----w C:\Documents and Settings\Joel Gibson\Application Data\mIRC
2007-11-22 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-08 21:14 --------- d-----w C:\Program Files\Synaesthete
2007-10-30 16:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 14:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-19 22:34 53,880,837 ----a-w C:\Program Files\LastStandInstall.exe
2007-10-19 10:14 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-24 08:18 57,992 ----a-w C:\Documents and Settings\Joel Gibson\Application Data\GDIPFONTCACHEV1.DAT
2006-12-20 01:05 35,511 ----a-w C:\Program Files\ReadMe.txt
2004-11-08 20:22 929,792 ----a-w C:\Program Files\SCZ.exe
2001-11-22 23:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-08-18 11:41 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-05_16.50.18.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-30 19:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2008-01-06 11:54:08 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-06 11:54:08 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-01-06 11:54:08 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-07-11 12:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 09:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-11 12:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 09:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-11 13:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 10:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-07-27 02:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 02:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-05 07:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 00:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-02 05:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 05:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 03:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-12 22:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
+ 2004-12-06 22:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81FC19CA-4C54-4AB6-8952-341345BB8E7C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A204BC7D-6B84-4915-A629-76F790E96751}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACD52C84-DCCD-4A64-ACF3-478DA69B95CF}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 16:40 28672]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-21 04:16 37376]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-26 23:00 1481472]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
2007-03-09 11:09 63712 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 19:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe --force_start_minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
Mixer.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig]
C:\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe -startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2001-07-09 11:50 155648 --a------ C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe /run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"rpcapd"=3 (0x3)
"Pctspk"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Fax"=2 (0x2)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-26 23:00]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-26 23:00]
R2 CbmDev1;CbmDev1;C:\WINDOWS\system32\drivers\CbmDev1.sys [1998-01-16 08:43]
R2 CbmDev2;CbmDev2;C:\WINDOWS\system32\drivers\CbmDev2.sys [1998-01-16 08:43]
R2 CbmDev3;CbmDev3;C:\WINDOWS\system32\drivers\CbmDev3.sys [1998-01-16 08:43]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys []
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-07 23:59:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-08 0:00:45
ComboFix-quarantined-files.txt 2008-01-07 11:00:42
ComboFix3.txt 2008-01-05 03:50:52
ComboFix2.txt 2008-01-05 23:11:02
.
2008-01-04 23:28:54 --- E O F ---

Llama
2008-01-07, 13:04
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:03:19 a.m., on 8/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A} - (no file)
O2 - BHO: (no name) - {81FC19CA-4C54-4AB6-8952-341345BB8E7C} - (no file)
O2 - BHO: (no name) - {A204BC7D-6B84-4915-A629-76F790E96751} - (no file)
O2 - BHO: (no name) - {ACD52C84-DCCD-4A64-ACF3-478DA69B95CF} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5544 bytes

BTW, your 1st ComboFix link is broken (for me anyway).

ken545
2008-01-07, 13:45
Good Morning,

For me it is anyway :laugh: Must be lunch time where you're at??

Both ComboFix links worked for me; it must be on your end.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad.



File::
C:\WINDOWS\system32\guard32.dll.vir
C:\WINDOWS\system32\bhuymcss.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81FC19CA-4C54-4AB6-8952-341345BB8E7C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A204BC7D-6B84-4915-A629-76F790E96751}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACD52C84-DCCD-4A64-ACF3-478DA69B95CF}]


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif


This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply, together with a new HijackThis log.



C:\Program Files\STI <-- This program may still be infected. You need to uninstall it via Add/Remove Programs in the Control Panel and then reboot; if the STI folder is still present, delete it. Then you can reinstall that program if you need it.
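
As an added example (not code from the thread, nor from the HijackThis or ComboFix authors), the triage ken545 does by hand above and the CFScript format he posts, put into a script: O2 entries with neither a name nor a file are orphaned Vundo registrations, a Winlogon Notify entry whose value is a directory rather than a DLL is a dead registration, and the Registry:: block deletes those keys. The sample log lines are constructed from entries of the kind in the thread, and the `HKEY_LOCAL_MACHINE\~\Browser Helper Objects` shorthand is copied from ComboFix's own log as it appears here.

```python
"""Triage HijackThis O2/O20 lines and draft a ComboFix CFScript from them."""
import re
from typing import Dict, List, Tuple

# Constructed sample in HijackThis 2.0.2 log format; the CLSIDs and paths
# mirror entries of the kind posted in the thread (not a real captured log).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byxyvut - C:\WINDOWS\
"""

# One HijackThis O2 line: "O2 - BHO: <name> - {CLSID} - <path>"
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.+)$")
# One O20 Winlogon Notify line: "O20 - Winlogon Notify: <subkey> - <DllName>"
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")

# Registry key paths written the way ComboFix prints them in its own log and
# expects them in a CFScript ("~" is ComboFix's shorthand, copied from the thread).
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"


def parse_bhos(log: str) -> List[Dict[str, str]]:
    """Return every O2 (Browser Helper Object) line as name/clsid/path."""
    entries = []
    for line in log.splitlines():
        m = BHO_RE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def classify_bho(entry: Dict[str, str]) -> str:
    """orphaned:     CLSID still registered but no name and no file on disk; the
                  residue left when a Vundo DLL is deleted but its key is not.
    file_missing: a named BHO whose DLL is gone, typically a sloppy uninstall.
    present:      DLL still on disk; needs a look, not an automatic removal."""
    if entry["name"] == "(no name)" and entry["path"] == "(no file)":
        return "orphaned"
    if entry["path"].endswith("(file missing)"):
        return "file_missing"
    return "present"


def orphaned_bhos(log: str) -> List[str]:
    """CLSIDs of BHO registrations that point at nothing at all."""
    return [e["clsid"] for e in parse_bhos(log) if classify_bho(e) == "orphaned"]


def suspicious_winlogon_notify(log: str) -> List[Tuple[str, str]]:
    """A Winlogon Notify package must name a DLL; an entry whose value is a bare
    directory (like the randomly named 'byxyvut - C:\\WINDOWS\\' in the thread)
    is a dead registration that Windows will still try to load at every logon."""
    hits = []
    for line in log.splitlines():
        m = NOTIFY_RE.match(line.strip())
        if m and not m.group("path").lower().endswith(".dll"):
            hits.append((m.group("name"), m.group("path")))
    return hits


def build_cfscript(files: List[str], clsids: List[str], notify_names: List[str]) -> str:
    """Render a CFScript: a File:: block of paths to delete and a Registry::
    block in which a key written as [-key] is deleted (REGEDIT4 convention)."""
    lines = ["File::", *files, "", "Registry::"]
    lines += [f"[-{BHO_KEY}\\{clsid}]" for clsid in clsids]
    lines += [f"[-{NOTIFY_KEY}\\{name}]" for name in notify_names]
    return "\n".join(lines) + "\n"


def draft_cfscript(log: str, extra_files: List[str]) -> str:
    """Draft a CFScript from a HijackThis log plus any files the helper wants gone."""
    clsids = orphaned_bhos(log)
    names = [name for name, _ in suspicious_winlogon_notify(log)]
    return build_cfscript(extra_files, clsids, names)


if __name__ == "__main__":
    for e in parse_bhos(SAMPLE_LOG):
        print(f"{classify_bho(e):12} {e['clsid']}  {e['name']}")
    print()
    print(draft_cfscript(SAMPLE_LOG, [r"C:\WINDOWS\system32\bhuymcss.ini"]))
```

Only the orphaned and directory-valued entries are scripted; a named BHO with a missing file is reported but left for a human decision, as the helper did with the MSN Toolbar entry.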

Llama
2008-01-08, 14:39
"For me it is anyway. Must be lunch time where you're at??" Heh, according to me, you posted at 00:45am New Zealand time, so not quite :D


CF log

ComboFix 08-01-07.5 - Joel Gibson 2008-01-09 1:02:03.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.726 [GMT 13:00]
Running from: C:\Documents and Settings\Joel Gibson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joel Gibson\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\bhuymcss.ini
C:\WINDOWS\system32\guard32.dll.vir
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bhuymcss.ini
C:\WINDOWS\system32\guard32.dll.vir

.
((((((((((((((((((((((((( Files Created from 2007-12-08 to 2008-01-08 )))))))))))))))))))))))))))))))
.

2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\SUPERAntiSpyware.com
2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-07 00:48 . 2008-01-07 00:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-07 00:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-06 12:57 . 2008-01-06 12:57 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-05 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
2007-12-29 20:39 . 2007-12-29 20:39 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Command and Conquer 3 Tiberium Wars
2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Games
2007-12-28 11:29 . 2007-12-28 11:29 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Winamp
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\The Chosen demo
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Frater
2007-12-26 23:00 . 2007-12-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-26 23:00 . 2007-12-26 23:00 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-26 23:00 . 2007-12-26 23:00 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Program Files\COMODO
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Comodo
2007-12-26 18:26 . 2007-12-26 18:26 <DIR> dr-h----- C:\Documents and Settings\Joel Gibson\Application Data\SecuROM
2007-12-26 17:25 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-26 17:25 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-26 17:25 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-26 17:25 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-19 19:57 . 2007-12-26 21:15 1,365 --a------ C:\WINDOWS\wininit.ini
2007-12-11 21:53 . 2007-12-11 21:53 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\ATI
2007-12-10 14:26 . 2007-12-10 14:27 <DIR> d-------- C:\Program Files\Aquaria

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-26 06:30 --------- d-----w C:\Program Files\Fredryk Phantasy
2007-11-24 02:23 1,128 ----a-w C:\Program Files\log.dat
2007-11-23 08:30 --------- d-----w C:\Documents and Settings\Joel Gibson\Application Data\mIRC
2007-11-22 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 03:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\ATI
2007-11-08 21:14 --------- d-----w C:\Program Files\Synaesthete
2007-10-30 16:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 14:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-19 22:34 53,880,837 ----a-w C:\Program Files\LastStandInstall.exe
2007-10-19 10:14 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2007-10-10 23:56 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-10 23:56 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-10 23:56 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-10 23:56 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-10-10 23:56 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-10-10 23:56 1,159,680 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-10 23:55 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-10 23:55 6,065,664 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-10 23:55 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-10 23:55 478,208 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-10 23:55 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-10 23:55 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-10 23:55 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-10 23:55 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-10 23:55 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-10 23:55 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-10 23:55 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-10 23:55 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-10 23:55 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-10 23:55 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-10 23:55 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-10 23:55 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 10:59 70,656 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 10:59 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 10:59 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 05:46 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-06-24 08:18 57,992 ----a-w C:\Documents and Settings\Joel Gibson\Application Data\GDIPFONTCACHEV1.DAT
2006-12-20 01:05 35,511 ----a-w C:\Program Files\ReadMe.txt
2004-11-08 20:22 929,792 ----a-w C:\Program Files\SCZ.exe
2001-11-22 23:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-08-18 11:41 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-05_16.50.18.00 )))))))))))))))))))))))))))))))))))))))))
.
+ 2000-08-30 19:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
+ 2008-01-06 11:54:08 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2008-01-06 11:54:08 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2008-01-06 11:54:08 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-07-11 12:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 09:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-11 12:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 09:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-11 13:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 10:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-07-27 02:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 02:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-05 07:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 00:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-02 05:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 05:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 03:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-12 22:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
+ 2004-12-06 22:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06 1318912]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 16:40 28672]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-21 04:16 37376]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-26 23:00 1481472]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig]
--a------ 2003-02-10 14:48 192542 C:\IME\IMJP\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-05 00:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 14:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 14:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-05 00:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
--a------ 2001-08-17 22:36 86016 C:\WINDOWS\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-05 00:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-05 00:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"rpcapd"=3 (0x3)
"Pctspk"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Fax"=2 (0x2)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-26 23:00]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-26 23:00]
R2 CbmDev1;CbmDev1;C:\WINDOWS\system32\drivers\CbmDev1.sys [1998-01-16 08:43]
R2 CbmDev2;CbmDev2;C:\WINDOWS\system32\drivers\CbmDev2.sys [1998-01-16 08:43]
R2 CbmDev3;CbmDev3;C:\WINDOWS\system32\drivers\CbmDev3.sys [1998-01-16 08:43]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys []
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-09 01:29:04
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-09 1:29:48
ComboFix-quarantined-files.txt 2008-01-08 12:29:46
ComboFix4.txt 2008-01-05 03:50:52
ComboFix3.txt 2008-01-05 23:11:02
ComboFix2.txt 2008-01-07 11:00:48
.
2008-01-04 23:28:54 --- E O F ---

Llama
2008-01-08, 14:40
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:53 a.m., on 9/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5247 bytes

ken545
2008-01-08, 19:42
Your log looks fine, but do me a favor: use your computer and post a new HJT log in a few days and let's make sure nothing has returned. You can go ahead and re-enable the Tea Timer if you wish.


How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



If you install Spyware Blaster and Spyware Guard, do not enable the Tea Timer in Spybot Search and Destroy or they will conflict.
Here are some free programs to install; don't leave home without them.

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs. I wouldn't access the internet without it.


Glad we could help.

Safe Surfn
Ken

Llama
2008-01-09, 00:10
Thanks a bunch for your help. I also got rid of Spirit (the STI programme files folder) since there was a newer version out anyway.

ken545
2008-01-09, 21:00
That's fine, post a log in a few days if you can.

Ken

Llama
2008-01-10, 01:20
Well, the no-names/no-files are back

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:18:50 p.m., on 10/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Xfire\xfire.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: (no name) - {153E1C77-992C-47A7-884D-04C89AF8E73F} - (no file)
O2 - BHO: (no name) - {203f3bcc-2e8e-4b41-ba05-16210261dcfd} - (no file)
O2 - BHO: (no name) - {2B380D9A-61A6-4D9F-97C0-4916CC7003EA} - (no file)
O2 - BHO: (no name) - {2F626105-5DC9-4623-A85B-67E64503249B} - (no file)
O2 - BHO: (no name) - {2F7A9AF9-2277-4C31-B19E-7B09931AC99F} - (no file)
O2 - BHO: (no name) - {31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4} - (no file)
O2 - BHO: (no name) - {3496AEAA-BD5E-4FC9-8E9E-66725F6A545B} - (no file)
O2 - BHO: (no name) - {36330830-6053-4E17-9B59-B55CF7101A19} - (no file)
O2 - BHO: (no name) - {37024FFE-F851-45A4-81DE-372AE57056C3} - (no file)
O2 - BHO: (no name) - {46782F63-2C18-4B43-90EC-C63E8AF6166B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59DFAEF9-71AB-44D0-ACE5-065317A0B614} - (no file)
O2 - BHO: (no name) - {6AE40AC7-A7FB-4077-B271-5A156B9D980D} - (no file)
O2 - BHO: (no name) - {733E9132-53CA-4C97-9AC9-145C4502FA20} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A} - (no file)
O2 - BHO: (no name) - {81FC19CA-4C54-4AB6-8952-341345BB8E7C} - (no file)
O2 - BHO: (no name) - {A204BC7D-6B84-4915-A629-76F790E96751} - (no file)
O2 - BHO: (no name) - {ACD52C84-DCCD-4A64-ACF3-478DA69B95CF} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O2 - BHO: (no name) - {C4D3D881-5B72-4966-8418-4B1C3C6D8D5B} - (no file)
O2 - BHO: (no name) - {C744ED46-F576-4C63-B383-8A80CFCBC5F5} - (no file)
O2 - BHO: (no name) - {CA3EA2D9-48F5-4012-8C1A-10274F99A3FD} - (no file)
O2 - BHO: (no name) - {E5C5FC47-A373-4535-94A4-D37D93300479} - (no file)
O2 - BHO: (no name) - {E735962A-4C19-4447-BE6F-0BA3CE6EAE44} - (no file)
O2 - BHO: (no name) - {E96D4F03-E048-46DD-98D7-B15530AF90EC} - (no file)
O2 - BHO: (no name) - {EE403AD3-4C0A-48D4-9618-BC8D5838CD9E} - (no file)
O2 - BHO: (no name) - {EFD2D48C-972D-48F3-BD00-089DFB39DAEC} - (no file)
O2 - BHO: (no name) - {F5CB5F68-091E-4F25-8998-40B75CF3D268} - (no file)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O20 - Winlogon Notify: byxyvut - C:\WINDOWS\
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7389 bytes


sigh
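An added triage script for the log above (it is not part of the thread, and not HijackThis or ComboFix code): it parses the O2 and O20 lines, treats the `(no name) - (no file)` BHO entries as orphaned CLSIDs under the Browser Helper Objects key, flags a Winlogon Notify package that names no DLL file (the `byxyvut - C:\WINDOWS\` line, the classic Virtumonde loading point, since winlogon.exe loads Notify packages at logon before any user session), lists AppInit_DLLs as something to verify rather than delete (guard32.dll here is the COMODO firewall hook, which is why the ComboFix output shows it inside winlogon.exe and lsass.exe), and diffs two logs so the "did anything come back" check is one function call. The sample lines are constructed from the entries in this thread; the five-orphan threshold and the random-name heuristic are assumptions, not HijackThis rules.

```python
"""Triage HijackThis 2.x log lines for the loading points that matter in a
Vundo/Virtumonde-style reinfection, and diff two logs to see what came back.
Added example; not code from the thread or from HijackThis/ComboFix."""
import re
from collections import Counter
from typing import Dict, List, NamedTuple

# Constructed sample lines, modelled on the HijackThis 2.0.2 format used in
# the thread: a "clean" log and the later one where entries returned.
CLEAN_LOG = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [HTpatch] C:\\WINDOWS\\htpatch.exe
O20 - AppInit_DLLs: C:\\WINDOWS\\system32\\guard32.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
"""
LATER_LOG = CLEAN_LOG + """\
O2 - BHO: (no name) - {089BB353-5ED8-4C9B-866C-31605CFD2EFF} - (no file)
O2 - BHO: (no name) - {0F13071E-0B38-4324-839C-CA20E1C8C27C} - (no file)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\\Program Files\\MSN Apps\\msntb.dll (file missing)
O20 - Winlogon Notify: byxyvut - C:\\WINDOWS\\
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
APPINIT_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.*)$")
RANDOM_NAME_RE = re.compile(r"^[a-z]{6,10}$")  # heuristic for Vundo-style random DLL names (assumption)
ORPHAN_THRESHOLD = 5  # assumption: this many orphaned BHO CLSIDs reads as re-registration, not leftovers


class Finding(NamedTuple):
    severity: str   # "high" | "medium" | "low" | "info"
    kind: str       # "orphan_bho" | "missing_bho" | "notify" | "appinit"
    key: str        # CLSID, Notify subkey name, or DLL path
    reason: str


def triage_hjt(log_text: str) -> List[Finding]:
    """Return findings for the O2 (BHO) and O20 (Notify / AppInit) lines of a HijackThis log."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        line = line.strip()
        m = BHO_RE.match(line)
        if m:
            path = m.group("path")
            if path == "(no file)":
                # CLSID still listed under ...\Explorer\Browser Helper Objects but its
                # InprocServer32 resolves to no file: a leftover on its own, a symptom
                # of something re-creating registrations when dozens reappear.
                findings.append(Finding("medium", "orphan_bho", m.group("clsid"),
                                        "BHO registration with no backing DLL"))
            elif path.endswith("(file missing)"):
                findings.append(Finding("low", "missing_bho", m.group("clsid"),
                                        "named BHO whose DLL is gone: " + m.group("name")))
            continue
        m = NOTIFY_RE.match(line)
        if m:
            key, path = m.group("key"), m.group("path")
            base = path.rsplit("\\", 1)[-1]
            if not base.lower().endswith(".dll"):
                # winlogon.exe loads Notify packages at logon, before any user session;
                # an entry that names no DLL file has no legitimate reason to exist.
                findings.append(Finding("high", "notify", key,
                                        "Winlogon Notify package without a DLL path: " + path))
            elif RANDOM_NAME_RE.match(base[:-4]) and path.lower().startswith("c:\\windows\\"):
                findings.append(Finding("medium", "notify", key,
                                        "random-looking Notify DLL under %WINDIR%: " + path))
            continue
        m = APPINIT_RE.match(line)
        if m:
            # AppInit_DLLs is mapped into every process that loads user32.dll, which is
            # why the thread's ComboFix output lists guard32.dll inside winlogon.exe and
            # lsass.exe. Verify the publisher before removing it (here: COMODO).
            for dll in re.split(r"[,\s]+", m.group("dlls").strip()):
                if dll:
                    findings.append(Finding("info", "appinit", dll,
                                            "AppInit_DLLs injection point; verify publisher"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, object]:
    """Counts per finding kind plus a heuristic verdict (see ORPHAN_THRESHOLD)."""
    counts = Counter(f.kind for f in findings)
    has_high = any(f.severity == "high" for f in findings)
    verdict = "reinfection_likely" if has_high or counts["orphan_bho"] >= ORPHAN_THRESHOLD else "review"
    summary: Dict[str, object] = {k: counts[k] for k in ("orphan_bho", "missing_bho", "notify", "appinit")}
    summary["verdict"] = verdict
    return summary


def returned_entries(earlier_log: str, later_log: str) -> List[str]:
    """Loading-point lines (O-lines) present in the later log but absent from the earlier one."""
    seen = {l.strip() for l in earlier_log.splitlines() if l.strip().startswith("O")}
    return [l.strip() for l in later_log.splitlines()
            if l.strip().startswith("O") and l.strip() not in seen]


if __name__ == "__main__":
    for f in triage_hjt(LATER_LOG):
        print(f"[{f.severity:6}] {f.kind:12} {f.key}  {f.reason}")
    print(summarize(triage_hjt(LATER_LOG)))
    print("\n".join(returned_entries(CLEAN_LOG, LATER_LOG)))
```

Run it against a real HJT log by reading the file into `triage_hjt`; the `returned_entries` diff is the check ken545 asks for when he says to post another log in a few days, and a single `high` Notify finding outweighs any number of orphaned CLSIDs, which are only a symptom.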

ken545
2008-01-10, 01:24
You may still have remnants of the file infector.

Download http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe
to your Desktop.

Double-click RenV.exe to run it.
It will produce a log for you; please post it.

Llama
2008-01-11, 04:59
Ran on Fri 11/01/2008 - 13:59:56.82

Entries: 0 (0)
Directories: 0 Files: 0
Bytes: 0 Blocks: 0



uhhh yeah....

ken545
2008-01-11, 13:40
We are going to have to start over; drag ComboFix to the trash and download the latest version.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double-click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Llama
2008-01-14, 04:05
ComboFix 08-01-10.2 - Joel Gibson 2008-01-14 14:37:21.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.666 [GMT 13:00]
Running from: C:\Documents and Settings\Joel Gibson\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-14 14:37 . 2008-01-14 14:37 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-11 13:37 . 2008-01-11 13:37 <DIR> d--hs---- C:\FOUND.004
2008-01-10 16:51 . 2008-01-10 16:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-09 11:14 . 2008-01-12 11:25 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-07 00:48 . 2008-01-07 00:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-07 00:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-06 12:57 . 2008-01-06 12:57 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-05 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
2007-12-29 20:39 . 2007-12-29 20:39 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Command and Conquer 3 Tiberium Wars
2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Games
2007-12-28 11:29 . 2007-12-28 11:29 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Winamp
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\The Chosen demo
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Frater
2007-12-26 23:00 . 2007-12-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-26 23:00 . 2007-12-26 23:00 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-26 23:00 . 2007-12-26 23:00 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Program Files\COMODO
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Comodo
2007-12-26 18:26 . 2007-12-26 18:26 <DIR> dr-h----- C:\Documents and Settings\Joel Gibson\Application Data\SecuROM
2007-12-26 17:25 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-26 17:25 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-26 17:25 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-26 17:25 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-19 19:57 . 2007-12-26 21:15 1,365 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 08:53 --------- d-----w C:\Documents and Settings\Guest\Application Data\ATI
2007-12-10 01:27 --------- d-----w C:\Program Files\Aquaria
2007-11-26 06:30 --------- d-----w C:\Program Files\Fredryk Phantasy
2007-11-24 02:23 1,128 ----a-w C:\Program Files\log.dat
2007-11-23 08:30 --------- d-----w C:\Documents and Settings\Joel Gibson\Application Data\mIRC
2007-11-22 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 16:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 14:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-19 22:34 53,880,837 ----a-w C:\Program Files\LastStandInstall.exe
2007-10-19 10:14 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2007-06-24 08:18 57,992 ----a-w C:\Documents and Settings\Joel Gibson\Application Data\GDIPFONTCACHEV1.DAT
2006-12-20 01:05 35,511 ----a-w C:\Program Files\ReadMe.txt
2004-11-08 20:22 929,792 ----a-w C:\Program Files\SCZ.exe
2001-11-22 23:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-08-18 11:41 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-05_16.50.18.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-11 03:09:22 68,608 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-01-10 08:02:00 68,608 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2007-07-11 03:09:28 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-01-10 08:02:06 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2007-07-11 03:09:28 4,308,992 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-01-10 08:02:06 4,308,992 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2007-07-11 03:09:30 482,304 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-01-10 08:02:06 482,304 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2007-07-11 03:09:26 2,902,016 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2008-01-10 08:02:04 2,902,016 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2007-07-11 03:09:18 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-01-10 08:01:58 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2007-07-11 03:09:18 114,176 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2008-01-10 08:01:58 114,176 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2007-07-11 03:09:34 260,096 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2008-01-10 08:02:10 260,096 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2007-07-11 03:09:24 5,156,864 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-01-10 08:02:02 5,156,864 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2007-07-11 03:09:22 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-01-10 08:02:00 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2007-07-11 03:09:18 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2008-01-10 08:01:58 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2007-07-11 03:09:20 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-01-10 08:01:58 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2007-07-11 03:09:28 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-01-10 08:02:06 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2007-07-11 03:09:28 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-01-10 08:02:06 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2007-07-11 03:09:28 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-01-10 08:02:06 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2007-07-11 03:09:20 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2008-01-10 08:01:58 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2007-07-11 03:09:20 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2008-01-10 08:01:58 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2007-07-11 03:09:20 647,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2008-01-10 08:02:00 647,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2007-07-11 03:09:20 73,728 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2008-01-10 08:02:00 73,728 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2007-07-11 03:09:20 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-01-10 08:01:58 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2007-07-11 03:09:34 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-01-10 08:02:12 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2007-07-11 03:09:34 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2008-01-10 08:02:12 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2007-07-11 03:09:16 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-01-10 08:01:56 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2007-07-11 03:09:34 667,648 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-01-10 08:02:10 667,648 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2007-07-11 03:09:36 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2008-01-10 08:02:12 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2007-07-11 03:09:18 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-01-10 08:01:56 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2007-07-11 03:09:16 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-01-10 08:01:56 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2007-07-11 03:09:18 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-01-10 08:01:56 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2007-07-11 03:09:32 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2008-01-10 08:02:08 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2007-07-11 03:09:22 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-01-10 08:02:00 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2007-07-11 03:09:32 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2008-01-10 08:02:08 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2007-07-11 03:09:30 716,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2008-01-10 08:02:08 716,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2007-07-11 03:09:18 888,832 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2008-01-10 08:01:58 888,832 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2007-07-11 03:09:28 5,001,216 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-01-10 08:02:04 5,001,216 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2007-07-11 03:09:22 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2008-01-10 08:02:02 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2007-07-11 03:09:22 397,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-01-10 08:02:00 397,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2007-07-11 03:09:22 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-01-10 08:02:02 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
- 2007-07-11 03:09:32 577,536 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-01-10 08:02:10 577,536 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2007-07-11 03:09:30 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-01-10 08:02:08 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2007-07-11 03:09:34 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-01-10 08:02:10 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2007-07-11 03:09:30 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-01-10 08:02:08 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2007-07-11 03:09:30 131,072 ----a-w

Llama
2008-01-14, 04:06
C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-01-10 08:02:08 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2007-07-11 03:09:22 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-01-10 08:02:00 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2007-07-11 03:09:24 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-01-10 08:02:02 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2007-07-11 03:09:34 835,584 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-01-10 08:02:10 835,584 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2007-07-11 03:09:24 86,016 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-01-10 08:02:02 86,016 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2007-07-11 03:09:24 823,296 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-01-10 08:02:02 823,296 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2007-07-11 03:09:26 5,152,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-01-10 08:02:04 5,152,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2007-07-11 03:09:26 2,027,520 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2008-01-10 08:02:04 2,027,520 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2007-07-11 03:09:32 2,940,928 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-01-10 08:02:10 2,940,928 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-01-11 00:39:20 26,624 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\d6652cfc7f6018eed9f5af0ab54a5fbd\Accessibility.ni.dll
+ 2008-01-11 00:39:22 888,832 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\092bf3cc8044d2d907d217ddadaee5bf\AspNetMMCExt.ni.dll
+ 2008-01-11 00:39:28 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\e916794475f60f6fdeda5abc582ab0e0\CustomMarshalers.ni.dll
+ 2008-01-11 00:39:26 15,360 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\b287592c089a5c567ff52af8c9bbfd3f\dfsvc.ni.exe
+ 2008-01-11 00:39:30 880,640 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\a332a2f7f965beb9f3b2661c5b7b7920\Microsoft.Build.Engine.ni.dll
+ 2008-01-11 00:39:30 81,920 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\4f35fff09ced0739ec67374b29ca257c\Microsoft.Build.Framework.ni.dll
+ 2008-01-11 00:39:36 1,687,552 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\40c449b85be08f74666e578de70723b7\Microsoft.Build.Tasks.ni.dll
+ 2008-01-11 00:39:36 163,840 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\2892e08fb3b2dd93f88db30da4437a9f\Microsoft.Build.Utilities.ni.dll
+ 2008-01-11 00:39:40 1,720,320 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\25e198cac97b29d08c492bc5388a9fec\Microsoft.VisualBasic.ni.dll
+ 2008-01-10 08:03:12 11,304,960 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\097857e58668b817a121ec3ce567630d\mscorlib.ni.dll
+ 2008-01-11 00:39:42 1,003,520 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\54f291b3d674c2ea212a9244f3ba9fbd\System.Configuration.ni.dll
+ 2008-01-10 08:03:40 6,676,480 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\de60f8011b746695097401a2e8864f85\System.Data.ni.dll
+ 2008-01-11 00:39:44 1,724,416 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\8b1086c976b2577a95e0e7f113caf7bf\System.Deployment.ni.dll
+ 2008-01-10 08:03:56 10,702,848 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Design\1c7afdf0a3daa75245e3223c7e749eac\System.Design.ni.dll
+ 2008-01-11 00:39:48 1,216,512 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\046eec3d74cec4cd460ff7c1842d257e\System.DirectoryServices.ni.dll
+ 2008-01-11 00:39:48 512,000 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\5449046c90901704a120252427a00033\System.DirectoryServices.Protocols.ni.dll
+ 2008-01-10 08:04:02 229,376 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\d32c8d31662ebdc35e3fe1f900e52c33\System.Drawing.Design.ni.dll
+ 2008-01-10 08:04:00 1,601,536 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\1a1c1e312f3aff1208af9c5fd10bd184\System.Drawing.ni.dll
+ 2008-01-11 00:39:50 659,456 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\a50404715d38a9b2035dcac4d5fbf9c8\System.EnterpriseServices.ni.dll
+ 2008-01-11 00:39:50 294,912 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\a50404715d38a9b2035dcac4d5fbf9c8\System.EnterpriseServices.Wrapper.dll
+ 2008-01-11 00:39:52 729,088 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\8962db3b03601d2c02f3836f1e523170\System.Security.ni.dll
+ 2008-01-11 00:39:54 684,032 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\610351fe2a8d287c009a958ac852e2d0\System.Transactions.ni.dll
+ 2008-01-11 00:40:20 2,306,048 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\ab2958c06dce21c6cc3515068671c3a9\System.Web.Mobile.ni.dll
+ 2008-01-11 00:40:20 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\bede7399f09b947c9c27f702bfff7c7a\System.Web.RegularExpressions.ni.dll
+ 2008-01-11 00:40:24 1,941,504 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\0c492219b15640ed399b978141942e54\System.Web.Services.ni.dll
+ 2008-01-11 00:40:16 12,185,600 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\7a66b932276b50c95261a636d7a51f34\System.Web.ni.dll
+ 2008-01-10 08:04:22 13,107,200 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6e623dcb4d8d8e98b71a161981632c5d\System.Windows.Forms.ni.dll
+ 2008-01-10 08:04:32 5,623,808 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\c6eff7a5475731ee02f0faf4d10a515b\System.Xml.ni.dll
+ 2008-01-10 08:03:28 8,130,560 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\4ab4b57f400696ed7e2da1c9b4e8a210\System.ni.dll
+ 2000-08-30 19:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-01-14 01:33:48 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-14 01:33:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-14 01:33:50 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-14 01:33:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat

Sorry I took so long, but I went away for a bit.

ken545
2008-01-14, 04:17
Not a problem on the replies. I do need to see the complete ComboFix log and a new HJT log, please.

Llama
2008-01-14, 06:47
Ehh? I'm sure I posted a second reply with the rest... blasted computer. Ah well, here it is again (the whole thing).

ComboFix 08-01-10.2 - Joel Gibson 2008-01-14 14:37:21.5 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.666 [GMT 13:00]
Running from: C:\Documents and Settings\Joel Gibson\Desktop\ComboFix.exe
* Created a new restore point
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-14 14:37 . 2008-01-14 14:37 6,736 --a------ C:\WINDOWS\system32\drivers\PROCEXP90.SYS
2008-01-11 13:37 . 2008-01-11 13:37 <DIR> d--hs---- C:\FOUND.004
2008-01-10 16:51 . 2008-01-10 16:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-09 11:14 . 2008-01-12 11:25 139,008 --a------ C:\WINDOWS\system32\guard32.dll.vir
2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-07 00:48 . 2008-01-07 00:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-07 00:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-06 12:57 . 2008-01-06 12:57 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-01-05 15:09 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
2007-12-29 20:39 . 2007-12-29 20:39 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Command and Conquer 3 Tiberium Wars
2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Games
2007-12-28 11:29 . 2007-12-28 11:29 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Winamp
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\The Chosen demo
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Frater
2007-12-26 23:00 . 2007-12-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-26 23:00 . 2007-12-26 23:00 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-26 23:00 . 2007-12-26 23:00 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Program Files\COMODO
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Comodo
2007-12-26 18:26 . 2007-12-26 18:26 <DIR> dr-h----- C:\Documents and Settings\Joel Gibson\Application Data\SecuROM
2007-12-26 17:25 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-26 17:25 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-26 17:25 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-26 17:25 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-19 19:57 . 2007-12-26 21:15 1,365 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 08:53 --------- d-----w C:\Documents and Settings\Guest\Application Data\ATI
2007-12-10 01:27 --------- d-----w C:\Program Files\Aquaria
2007-11-26 06:30 --------- d-----w C:\Program Files\Fredryk Phantasy
2007-11-24 02:23 1,128 ----a-w C:\Program Files\log.dat
2007-11-23 08:30 --------- d-----w C:\Documents and Settings\Joel Gibson\Application Data\mIRC
2007-11-22 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 16:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 14:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-19 22:34 53,880,837 ----a-w C:\Program Files\LastStandInstall.exe
2007-10-19 10:14 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2007-06-24 08:18 57,992 ----a-w C:\Documents and Settings\Joel Gibson\Application Data\GDIPFONTCACHEV1.DAT
2006-12-20 01:05 35,511 ----a-w C:\Program Files\ReadMe.txt
2004-11-08 20:22 929,792 ----a-w C:\Program Files\SCZ.exe
2001-11-22 23:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-08-18 11:41 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot@2008-01-05_16.50.18.00 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-07-11 03:09:22 68,608 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
+ 2008-01-10 08:02:00 68,608 ----a-w C:\WINDOWS\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll
- 2007-07-11 03:09:28 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
+ 2008-01-10 08:02:06 72,192 ----a-w C:\WINDOWS\assembly\GAC_32\ISymWrapper\2.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll
- 2007-07-11 03:09:28 4,308,992 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
+ 2008-01-10 08:02:06 4,308,992 ----a-w C:\WINDOWS\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
- 2007-07-11 03:09:30 482,304 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
+ 2008-01-10 08:02:06 482,304 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data.OracleClient\2.0.0.0__b77a5c561934e089\System.Data.OracleClient.dll
- 2007-07-11 03:09:26 2,902,016 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
+ 2008-01-10 08:02:04 2,902,016 ----a-w C:\WINDOWS\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll
- 2007-07-11 03:09:18 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
+ 2008-01-10 08:01:58 258,048 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.dll
- 2007-07-11 03:09:18 114,176 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
+ 2008-01-10 08:01:58 114,176 ----a-w C:\WINDOWS\assembly\GAC_32\System.EnterpriseServices\2.0.0.0__b03f5f7f11d50a3a\System.EnterpriseServices.Wrapper.dll
- 2007-07-11 03:09:34 260,096 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
+ 2008-01-10 08:02:10 260,096 ----a-w C:\WINDOWS\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll
- 2007-07-11 03:09:24 5,156,864 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
+ 2008-01-10 08:02:02 5,156,864 ----a-w C:\WINDOWS\assembly\GAC_32\System.Web\2.0.0.0__b03f5f7f11d50a3a\System.Web.dll
- 2007-07-11 03:09:22 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
+ 2008-01-10 08:02:00 10,752 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll
- 2007-07-11 03:09:18 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
+ 2008-01-10 08:01:58 507,904 ----a-w C:\WINDOWS\assembly\GAC_MSIL\AspNetMMCExt\2.0.0.0__b03f5f7f11d50a3a\AspNetMMCExt.dll
- 2007-07-11 03:09:20 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
+ 2008-01-10 08:01:58 13,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\cscompmgd\8.0.0.0__b03f5f7f11d50a3a\cscompmgd.dll
- 2007-07-11 03:09:28 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
+ 2008-01-10 08:02:06 8,192 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEExecRemote\2.0.0.0__b03f5f7f11d50a3a\IEExecRemote.dll
- 2007-07-11 03:09:28 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
+ 2008-01-10 08:02:06 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IEHost\2.0.0.0__b03f5f7f11d50a3a\IEHost.dll
- 2007-07-11 03:09:28 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
+ 2008-01-10 08:02:06 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\IIEHost\2.0.0.0__b03f5f7f11d50a3a\IIEHost.dll
- 2007-07-11 03:09:20 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
+ 2008-01-10 08:01:58 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Engine\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Engine.dll
- 2007-07-11 03:09:20 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
+ 2008-01-10 08:01:58 36,864 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Framework\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Framework.dll
- 2007-07-11 03:09:20 647,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
+ 2008-01-10 08:02:00 647,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Tasks\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Tasks.dll
- 2007-07-11 03:09:20 73,728 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
+ 2008-01-10 08:02:00 73,728 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Build.Utilities\2.0.0.0__b03f5f7f11d50a3a\Microsoft.Build.Utilities.dll
- 2007-07-11 03:09:20 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
+ 2008-01-10 08:01:58 749,568 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.JScript\8.0.0.0__b03f5f7f11d50a3a\Microsoft.JScript.dll
- 2007-07-11 03:09:34 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
+ 2008-01-10 08:02:12 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility.Data\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.Data.dll
- 2007-07-11 03:09:34 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
+ 2008-01-10 08:02:12 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Compatibility\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Compatibility.dll
- 2007-07-11 03:09:16 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
+ 2008-01-10 08:01:56 28,672 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.Vsa.dll
- 2007-07-11 03:09:34 667,648 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
+ 2008-01-10 08:02:10 667,648 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll
- 2007-07-11 03:09:36 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
+ 2008-01-10 08:02:12 5,632 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.VisualC\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualC.Dll
- 2007-07-11 03:09:18 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
+ 2008-01-10 08:01:56 12,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa.Vb.CodeDOMProcessor\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.Vb.CodeDOMProcessor.dll
- 2007-07-11 03:09:16 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
+ 2008-01-10 08:01:56 32,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft.Vsa\8.0.0.0__b03f5f7f11d50a3a\Microsoft.Vsa.dll
- 2007-07-11 03:09:18 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
+ 2008-01-10 08:01:56 7,168 ----a-w C:\WINDOWS\assembly\GAC_MSIL\Microsoft_VsaVb\8.0.0.0__b03f5f7f11d50a3a\Microsoft_VsaVb.dll
- 2007-07-11 03:09:32 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
+ 2008-01-10 08:02:08 110,592 ----a-w C:\WINDOWS\assembly\GAC_MSIL\sysglobl\2.0.0.0__b03f5f7f11d50a3a\sysglobl.dll
- 2007-07-11 03:09:22 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
+ 2008-01-10 08:02:00 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll
- 2007-07-11 03:09:32 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
+ 2008-01-10 08:02:08 413,696 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll
- 2007-07-11 03:09:30 716,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
+ 2008-01-10 08:02:08 716,800 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Data.SqlXml\2.0.0.0__b77a5c561934e089\System.Data.SqlXml.dll
- 2007-07-11 03:09:18 888,832 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
+ 2008-01-10 08:01:58 888,832 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Deployment\2.0.0.0__b03f5f7f11d50a3a\System.Deployment.dll
- 2007-07-11 03:09:28 5,001,216 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
+ 2008-01-10 08:02:04 5,001,216 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Design\2.0.0.0__b03f5f7f11d50a3a\System.Design.dll
- 2007-07-11 03:09:22 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
+ 2008-01-10 08:02:02 188,416 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices.Protocols\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.Protocols.dll
- 2007-07-11 03:09:22 397,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
+ 2008-01-10 08:02:00 397,312 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll
- 2007-07-11 03:09:22 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll
+ 2008-01-10 08:02:02 81,920 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing.Design\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.Design.dll

Llama
2008-01-14, 06:48
- 2007-07-11 03:09:32 577,536 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
+ 2008-01-10 08:02:10 577,536 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll
- 2007-07-11 03:09:30 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
+ 2008-01-10 08:02:08 372,736 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll
- 2007-07-11 03:09:34 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
+ 2008-01-10 08:02:10 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Messaging\2.0.0.0__b03f5f7f11d50a3a\System.Messaging.dll
- 2007-07-11 03:09:30 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
+ 2008-01-10 08:02:08 299,008 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Remoting\2.0.0.0__b77a5c561934e089\System.Runtime.Remoting.dll
- 2007-07-11 03:09:30 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
+ 2008-01-10 08:02:08 131,072 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Runtime.Serialization.Formatters.Soap\2.0.0.0__b03f5f7f11d50a3a\System.Runtime.Serialization.Formatters.Soap.dll
- 2007-07-11 03:09:22 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
+ 2008-01-10 08:02:00 258,048 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll
- 2007-07-11 03:09:24 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
+ 2008-01-10 08:02:02 114,688 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll
- 2007-07-11 03:09:34 835,584 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
+ 2008-01-10 08:02:10 835,584 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Mobile\2.0.0.0__b03f5f7f11d50a3a\System.Web.Mobile.dll
- 2007-07-11 03:09:24 86,016 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
+ 2008-01-10 08:02:02 86,016 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.RegularExpressions\2.0.0.0__b03f5f7f11d50a3a\System.Web.RegularExpressions.dll
- 2007-07-11 03:09:24 823,296 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
+ 2008-01-10 08:02:02 823,296 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Web.Services\2.0.0.0__b03f5f7f11d50a3a\System.Web.Services.dll
- 2007-07-11 03:09:26 5,152,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
+ 2008-01-10 08:02:04 5,152,768 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll
- 2007-07-11 03:09:26 2,027,520 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
+ 2008-01-10 08:02:04 2,027,520 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll
- 2007-07-11 03:09:32 2,940,928 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-01-10 08:02:10 2,940,928 ----a-w C:\WINDOWS\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll
+ 2008-01-11 00:39:20 26,624 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Accessibility\d6652cfc7f6018eed9f5af0ab54a5fbd\Accessibility.ni.dll
+ 2008-01-11 00:39:22 888,832 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\AspNetMMCExt\092bf3cc8044d2d907d217ddadaee5bf\AspNetMMCExt.ni.dll
+ 2008-01-11 00:39:28 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\CustomMarshalers\e916794475f60f6fdeda5abc582ab0e0\CustomMarshalers.ni.dll
+ 2008-01-11 00:39:26 15,360 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\b287592c089a5c567ff52af8c9bbfd3f\dfsvc.ni.exe
+ 2008-01-11 00:39:30 880,640 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Eng#\a332a2f7f965beb9f3b2661c5b7b7920\Microsoft.Build.Engine.ni.dll
+ 2008-01-11 00:39:30 81,920 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Fra#\4f35fff09ced0739ec67374b29ca257c\Microsoft.Build.Framework.ni.dll
+ 2008-01-11 00:39:36 1,687,552 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Tas#\40c449b85be08f74666e578de70723b7\Microsoft.Build.Tasks.ni.dll
+ 2008-01-11 00:39:36 163,840 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.Build.Uti#\2892e08fb3b2dd93f88db30da4437a9f\Microsoft.Build.Utilities.ni.dll
+ 2008-01-11 00:39:40 1,720,320 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\25e198cac97b29d08c492bc5388a9fec\Microsoft.VisualBasic.ni.dll
+ 2008-01-10 08:03:12 11,304,960 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\mscorlib\097857e58668b817a121ec3ce567630d\mscorlib.ni.dll
+ 2008-01-11 00:39:42 1,003,520 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Configuration\54f291b3d674c2ea212a9244f3ba9fbd\System.Configuration.ni.dll
+ 2008-01-10 08:03:40 6,676,480 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Data\de60f8011b746695097401a2e8864f85\System.Data.ni.dll
+ 2008-01-11 00:39:44 1,724,416 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Deployment\8b1086c976b2577a95e0e7f113caf7bf\System.Deployment.ni.dll
+ 2008-01-10 08:03:56 10,702,848 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Design\1c7afdf0a3daa75245e3223c7e749eac\System.Design.ni.dll
+ 2008-01-11 00:39:48 1,216,512 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\046eec3d74cec4cd460ff7c1842d257e\System.DirectoryServices.ni.dll
+ 2008-01-11 00:39:48 512,000 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\5449046c90901704a120252427a00033\System.DirectoryServices.Protocols.ni.dll
+ 2008-01-10 08:04:02 229,376 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\d32c8d31662ebdc35e3fe1f900e52c33\System.Drawing.Design.ni.dll
+ 2008-01-10 08:04:00 1,601,536 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Drawing\1a1c1e312f3aff1208af9c5fd10bd184\System.Drawing.ni.dll
+ 2008-01-11 00:39:50 659,456 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\a50404715d38a9b2035dcac4d5fbf9c8\System.EnterpriseServices.ni.dll
+ 2008-01-11 00:39:50 294,912 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\a50404715d38a9b2035dcac4d5fbf9c8\System.EnterpriseServices.Wrapper.dll
+ 2008-01-11 00:39:52 729,088 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Security\8962db3b03601d2c02f3836f1e523170\System.Security.ni.dll
+ 2008-01-11 00:39:54 684,032 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Transactions\610351fe2a8d287c009a958ac852e2d0\System.Transactions.ni.dll
+ 2008-01-11 00:40:20 2,306,048 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Mobile\ab2958c06dce21c6cc3515068671c3a9\System.Web.Mobile.ni.dll
+ 2008-01-11 00:40:20 237,568 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\bede7399f09b947c9c27f702bfff7c7a\System.Web.RegularExpressions.ni.dll
+ 2008-01-11 00:40:24 1,941,504 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web.Services\0c492219b15640ed399b978141942e54\System.Web.Services.ni.dll
+ 2008-01-11 00:40:16 12,185,600 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Web\7a66b932276b50c95261a636d7a51f34\System.Web.ni.dll
+ 2008-01-10 08:04:22 13,107,200 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Windows.Forms\6e623dcb4d8d8e98b71a161981632c5d\System.Windows.Forms.ni.dll
+ 2008-01-10 08:04:32 5,623,808 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System.Xml\c6eff7a5475731ee02f0faf4d10a515b\System.Xml.ni.dll
+ 2008-01-10 08:03:28 8,130,560 ----a-w C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\System\4ab4b57f400696ed7e2da1c9b4e8a210\System.ni.dll
+ 2000-08-30 19:00:00 163,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-01-14 01:33:48 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-14 01:33:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-14 01:33:50 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-14 01:33:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-14 01:33:50 7,139,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-14 01:33:50 364,544 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2000-08-30 19:00:00 163,328 ----a-w C:\WINDOWS\erdnt\subs\F3M\ERDNT.EXE
- 2006-04-20 10:51:50 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
+ 2007-10-30 17:20:56 360,064 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
- 2007-07-11 12:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
+ 2007-09-24 09:30:28 135,168 ----a-w C:\WINDOWS\system32\java.exe
- 2007-07-11 12:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
+ 2007-09-24 09:30:30 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
- 2007-07-11 13:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-09-24 10:31:42 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
+ 2007-07-27 02:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 02:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-05 07:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 00:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
- 2007-12-02 23:00:06 18,684,536 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2008-01-02 18:21:36 17,642,616 ----a-w C:\WINDOWS\system32\MRT.exe
+ 2007-08-02 05:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 05:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-08 03:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-12 22:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
- 2007-07-11 03:09:44 71,346 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-10 08:02:18 71,346 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-07-11 03:09:44 421,560 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-10 08:02:18 421,560 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2004-12-06 22:11:34 258,352 ----a-w C:\WINDOWS\system32\unicows.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{089BB353-5ED8-4C9B-866C-31605CFD2EFF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F13071E-0B38-4324-839C-CA20E1C8C27C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{153E1C77-992C-47A7-884D-04C89AF8E73F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{203f3bcc-2e8e-4b41-ba05-16210261dcfd}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B380D9A-61A6-4D9F-97C0-4916CC7003EA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F626105-5DC9-4623-A85B-67E64503249B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F7A9AF9-2277-4C31-B19E-7B09931AC99F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3496AEAA-BD5E-4FC9-8E9E-66725F6A545B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36330830-6053-4E17-9B59-B55CF7101A19}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37024FFE-F851-45A4-81DE-372AE57056C3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46782F63-2C18-4B43-90EC-C63E8AF6166B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59DFAEF9-71AB-44D0-ACE5-065317A0B614}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AE40AC7-A7FB-4077-B271-5A156B9D980D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81FC19CA-4C54-4AB6-8952-341345BB8E7C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A204BC7D-6B84-4915-A629-76F790E96751}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACD52C84-DCCD-4A64-ACF3-478DA69B95CF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4D3D881-5B72-4966-8418-4B1C3C6D8D5B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C744ED46-F576-4C63-B383-8A80CFCBC5F5}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA3EA2D9-48F5-4012-8C1A-10274F99A3FD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5C5FC47-A373-4535-94A4-D37D93300479}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E735962A-4C19-4447-BE6F-0BA3CE6EAE44}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E96D4F03-E048-46DD-98D7-B15530AF90EC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE403AD3-4C0A-48D4-9618-BC8D5838CD9E}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFD2D48C-972D-48F3-BD00-089DFB39DAEC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5CB5F68-091E-4F25-8998-40B75CF3D268}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 16:40 28672]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-21 04:16 37376]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-26 23:00 1481472]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvut]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig]
--a------ 2003-02-10 14:48 192542 C:\IME\IMJP\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-05 00:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 14:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 14:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-05 00:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
--a------ 2001-08-17 22:36 86016 C:\WINDOWS\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-05 00:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-05 00:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"rpcapd"=3 (0x3)
"Pctspk"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Fax"=2 (0x2)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-26 23:00]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-26 23:00]
R2 CbmDev1;CbmDev1;C:\WINDOWS\system32\drivers\CbmDev1.sys [1998-01-16 08:43]
R2 CbmDev2;CbmDev2;C:\WINDOWS\system32\drivers\CbmDev2.sys [1998-01-16 08:43]
R2 CbmDev3;CbmDev3;C:\WINDOWS\system32\drivers\CbmDev3.sys [1998-01-16 08:43]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys []
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 14:58:49
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-14 14:59:42
ComboFix-quarantined-files.txt 2008-01-14 01:59:40
ComboFix5.txt 2008-01-05 03:50:52
ComboFix4.txt 2008-01-05 23:11:02
ComboFix3.txt 2008-01-07 11:00:48
ComboFix2.txt 2008-01-08 12:29:50
.
2008-01-09 03:47:56 --- E O F ---

ken545
2008-01-14, 12:18
Hello,

Listen, you need to read the instructions I post and follow them or you're just going to slow down the removal process. I asked twice for a new HJT log and do not see it; I also asked that you keep the TeaTimer disabled and it's still running. The TeaTimer will most times prevent these removals. There are no files associated with these bad entries so they should go with no problem, but they're not.

Disable the TeaTimer and shut down your Anti Virus software.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space above and to the left of File::



File::
C:\WINDOWS\system32\guard32.dll.vir

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{089BB353-5ED8-4C9B-866C-31605CFD2EFF}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F13071E-0B38-4324-839C-CA20E1C8C27C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{153E1C77-992C-47A7-884D-04C89AF8E73F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{203f3bcc-2e8e-4b41-ba05-16210261dcfd}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B380D9A-61A6-4D9F-97C0-4916CC7003EA}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F626105-5DC9-4623-A85B-67E64503249B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2F7A9AF9-2277-4C31-B19E-7B09931AC99F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{31B2E6EC-2CAF-42F2-8A69-D5208B13D3A4}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3496AEAA-BD5E-4FC9-8E9E-66725F6A545B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{36330830-6053-4E17-9B59-B55CF7101A19}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37024FFE-F851-45A4-81DE-372AE57056C3}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46782F63-2C18-4B43-90EC-C63E8AF6166B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{59DFAEF9-71AB-44D0-ACE5-065317A0B614}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AE40AC7-A7FB-4077-B271-5A156B9D980D}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{77C5A4AE-A217-4EF2-A70A-2A41D7D75B0A}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{81FC19CA-4C54-4AB6-8952-341345BB8E7C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A204BC7D-6B84-4915-A629-76F790E96751}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ACD52C84-DCCD-4A64-ACF3-478DA69B95CF}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C4D3D881-5B72-4966-8418-4B1C3C6D8D5B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C744ED46-F576-4C63-B383-8A80CFCBC5F5}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA3EA2D9-48F5-4012-8C1A-10274F99A3FD}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E5C5FC47-A373-4535-94A4-D37D93300479}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E735962A-4C19-4447-BE6F-0BA3CE6EAE44}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E96D4F03-E048-46DD-98D7-B15530AF90EC}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EE403AD3-4C0A-48D4-9618-BC8D5838CD9E}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{EFD2D48C-972D-48F3-BD00-089DFB39DAEC}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5CB5F68-091E-4F25-8998-40B75CF3D268}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvut]



Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif



This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
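One way to automate the step ken545 carries out by hand above, as an added example that is neither ComboFix's code nor the helper's own script: read the "Reg Loading Points" block of a ComboFix log, pick out the Browser Helper Object and winlogon\notify keys that list no value line beneath them, and render them as a CFScript. The log excerpt embedded below is constructed from the entries earlier in the thread and trimmed.

```python
"""Build a ComboFix CFScript from the 'Reg Loading Points' block of a log.

Example code (not ComboFix's or the forum helper's). Only keys under
autostart hook locations are selected; an empty msconfig\\startupreg key
(such as Steam in the log above) is a startup item the user switched off,
not a leftover hook, so it is left alone.
"""
import re
from typing import Dict, Iterable, List

# Constructed excerpt in the same shape as the ComboFix log posted above.
SAMPLE_LOG = r"""
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{089BB353-5ED8-4C9B-866C-31605CFD2EFF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0F13071E-0B38-4324-839C-CA20E1C8C27C}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 16:40 28672]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxyvut]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-26 23:00]
.
**************************************************************************
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")

# Hook locations where a key with nothing under it is a dangling loader entry.
HOOK_PREFIXES = (
    "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{",
    "HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\",
)


def parse_reg_loading_points(log_text: str) -> Dict[str, List[str]]:
    """Map every [KEY] in the REGEDIT4 block to the value lines listed under it."""
    keys: Dict[str, List[str]] = {}
    current = None
    in_block = False
    for line in log_text.splitlines():
        stripped = line.strip()
        if stripped == "REGEDIT4":
            in_block = True
            continue
        if not in_block:
            continue
        if stripped.startswith("*****"):  # banner that closes the section
            break
        match = KEY_RE.match(stripped)
        if match:
            current = match.group("key")
            keys[current] = []
        elif stripped == "":
            current = None  # a blank line ends the current key's value list
        elif current is not None:
            keys[current].append(stripped)
    return keys


def orphan_hook_keys(keys: Dict[str, List[str]],
                     prefixes: Iterable[str] = HOOK_PREFIXES) -> List[str]:
    """Keys under a hook location that carry no value line (no file behind them)."""
    lowered = tuple(p.lower() for p in prefixes)
    return [k for k, values in keys.items()
            if not values and k.lower().startswith(lowered)]


def render_cfscript(registry_keys: Iterable[str], files: Iterable[str] = ()) -> str:
    """Emit CFScript text: an optional File:: list, then [-KEY] deletion lines."""
    parts: List[str] = []
    files = list(files)
    if files:
        parts.append("File::")
        parts.extend(files)
        parts.append("")
    registry_keys = list(registry_keys)
    if registry_keys:
        parts.append("Registry::")
        for key in registry_keys:
            parts.append(f"[-{key}]")
            parts.append("")
    return "\n".join(parts).rstrip("\n") + "\n"


if __name__ == "__main__":
    found = orphan_hook_keys(parse_reg_loading_points(SAMPLE_LOG))
    print(render_cfscript(found, files=["C:\\WINDOWS\\system32\\guard32.dll.vir"]))
```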

Llama
2008-01-18, 00:19
I figured that there is a certain time that you have to wait before posting another reply, which was why the HJT logs weren't coming through. Anyway


ComboFix 08-01-18.1 - Joel Gibson 2008-01-18 10:52:57.6 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.686 [GMT 13:00]
Running from: C:\Documents and Settings\Joel Gibson\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Joel Gibson\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\system32\guard32.dll.vir
.
The following files were disabled during the run:
C:\WINDOWS\system32\guard32.dll


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\guard32.dll.vir

.
((((((((((((((((((((((((( Files Created from 2007-12-18 to 2008-01-18 )))))))))))))))))))))))))))))))
.

2008-01-18 10:49 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-17 14:20 . 2008-01-17 14:20 <DIR> d-------- C:\DRW-1608P3S
2008-01-14 17:39 . 2008-01-14 17:39 <DIR> d--hs---- C:\FOUND.005
2008-01-11 13:37 . 2008-01-11 13:37 <DIR> d--hs---- C:\FOUND.004
2008-01-11 13:29 . 2008-01-11 13:29 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-10 16:51 . 2008-01-10 16:51 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-07 00:54 . 2008-01-07 00:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-01-07 00:48 . 2008-01-07 00:48 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-07 00:48 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-06 12:57 . 2008-01-06 12:57 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-12-30 21:57 . 2007-12-30 21:57 <DIR> d--hs---- C:\FOUND.003
2007-12-29 20:39 . 2007-12-29 20:39 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Command and Conquer 3 Tiberium Wars
2007-12-29 00:06 . 2007-12-29 00:06 <DIR> d-------- C:\Games
2007-12-28 11:29 . 2007-12-28 11:29 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Winamp
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\The Chosen demo
2007-12-27 18:08 . 2007-12-27 18:08 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Frater
2007-12-26 23:00 . 2007-12-26 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2007-12-26 23:00 . 2007-12-26 23:00 81,272 --a------ C:\WINDOWS\system32\drivers\cmdGuard.sys
2007-12-26 23:00 . 2007-12-26 23:00 23,672 --a------ C:\WINDOWS\system32\drivers\cmdhlp.sys
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Program Files\COMODO
2007-12-26 21:21 . 2007-12-26 21:21 <DIR> d-------- C:\Documents and Settings\Joel Gibson\Application Data\Comodo
2007-12-26 18:26 . 2007-12-26 18:26 <DIR> dr-h----- C:\Documents and Settings\Joel Gibson\Application Data\SecuROM
2007-12-26 17:25 . 2007-10-12 15:14 3,734,536 --a------ C:\WINDOWS\system32\d3dx9_36.dll
2007-12-26 17:25 . 2007-10-12 15:14 1,374,232 --a------ C:\WINDOWS\system32\D3DCompiler_36.dll
2007-12-26 17:25 . 2007-10-02 09:56 444,776 --a------ C:\WINDOWS\system32\d3dx10_36.dll
2007-12-26 17:25 . 2007-10-22 03:39 267,272 --a------ C:\WINDOWS\system32\xactengine2_10.dll
2007-12-19 19:57 . 2007-12-26 21:15 1,365 --a------ C:\WINDOWS\wininit.ini

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-11 08:53 --------- d-----w C:\Documents and Settings\Guest\Application Data\ATI
2007-12-10 01:27 --------- d-----w C:\Program Files\Aquaria
2007-11-26 06:30 --------- d-----w C:\Program Files\Fredryk Phantasy
2007-11-24 02:23 1,128 ----a-w C:\Program Files\log.dat
2007-11-23 08:30 --------- d-----w C:\Documents and Settings\Joel Gibson\Application Data\mIRC
2007-11-22 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\dllcache\lsasrv.dll
2007-10-30 17:20 360,064 ----a-w C:\WINDOWS\system32\dllcache\tcpip.sys
2007-10-30 16:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 04:40 222,720 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-21 14:37 17,928 ----a-w C:\WINDOWS\system32\X3DAudio1_2.dll
2007-10-19 22:34 53,880,837 ----a-w C:\Program Files\LastStandInstall.exe
2007-10-19 10:14 10,752 ----a-w C:\WINDOWS\DCEBoot.exe
2007-06-24 08:18 57,992 ----a-w C:\Documents and Settings\Joel Gibson\Application Data\GDIPFONTCACHEV1.DAT
2006-12-20 01:05 35,511 ----a-w C:\Program Files\ReadMe.txt
2004-11-08 20:22 929,792 ----a-w C:\Program Files\SCZ.exe
2001-11-22 23:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
2007-08-18 11:41 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((( snapshot_2008-01-14_14.59.10.85 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-14 01:33:48 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-17 21:50:02 1,421,312 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-14 01:33:48 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-17 21:50:02 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-14 01:33:50 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-17 21:50:02 1,417,216 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-14 01:33:50 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-17 21:50:02 8,192 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-14 01:33:50 7,139,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
+ 2008-01-17 21:50:04 7,139,328 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\ntuser.dat
- 2008-01-14 01:33:50 364,544 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-17 21:50:04 364,544 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 12:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HTpatch"="C:\WINDOWS\htpatch.exe" [2002-12-19 16:40 28672]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-21 04:16 37376]
"StartCCC"="C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 12:35 90112]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2007-12-26 23:00 1481472]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2007-03-09 11:09 63712 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BitTorrent]
C:\Program Files\BitTorrent\bittorrent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
--a------ 2002-10-15 18:00 1818624 C:\WINDOWS\mixer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\imjpmig]
--a------ 2003-02-10 14:48 192542 C:\IME\IMJP\imjpmig.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
--a------ 2004-08-05 00:00 208952 C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
--a------ 2005-08-11 14:30 249856 C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
--a------ 2005-08-11 14:30 81920 C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
--a------ 2004-08-05 00:00 59392 C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2001-07-09 11:50 155648 C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTVOICE]
--a------ 2001-08-17 22:36 86016 C:\WINDOWS\system32\pctspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
--a------ 2004-08-05 00:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
--a------ 2004-08-05 00:00 455168 C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-06-29 06:24 286720 C:\Program Files\QuickTime\QTTask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TalkAndWrite]
C:\Documents and Settings\All Users\Application Data\Skype\Plugins\Plugins\1163D2B46CC742E5A3CC9E4157887751\TalkAndWrite.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"ProtexisLicensing"=2 (0x2)
"rpcapd"=3 (0x3)
"Pctspk"=2 (0x2)
"WMPNetworkSvc"=3 (0x3)
"Fax"=2 (0x2)

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2007-12-26 23:00]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2007-12-26 23:00]
R2 CbmDev1;CbmDev1;C:\WINDOWS\system32\drivers\CbmDev1.sys [1998-01-16 08:43]
R2 CbmDev2;CbmDev2;C:\WINDOWS\system32\drivers\CbmDev2.sys [1998-01-16 08:43]
R2 CbmDev3;CbmDev3;C:\WINDOWS\system32\drivers\CbmDev3.sys [1998-01-16 08:43]
S3 ipw_mdfl;Wireless Broadband Modem Filter;C:\WINDOWS\system32\DRIVERS\ipw_mdfl.sys []
S3 ipw_mdm;Wireless Broadband Modem (WDM);C:\WINDOWS\system32\DRIVERS\ipw_mdm.sys []
S3 Ptserlp;PCTEL Serial Device Driver for PCI;C:\WINDOWS\system32\DRIVERS\ptserlp.sys [2001-08-17 13:28]
S4 Pctspk;PCTEL Speaker Phone;C:\WINDOWS\system32\pctspk.exe [2001-08-17 22:36]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-18 11:16:23
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\guard32.dll

PROCESS: C:\WINDOWS\system32\lsass.exe [5.01.2600.2180]
-> C:\WINDOWS\system32\guard32.dll
.
Completion time: 2008-01-18 11:17:07
ComboFix-quarantined-files.txt 2008-01-17 22:17:04
ComboFix5.txt 2008-01-05 23:11:02
ComboFix4.txt 2008-01-07 11:00:48
ComboFix3.txt 2008-01-08 12:29:50
ComboFix2.txt 2008-01-14 01:59:44
.
2008-01-09 03:47:56 --- E O F ---

Llama
2008-01-18, 00:35
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:34:29 a.m., on 18/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\en-nz\msntb.dll (file missing)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 5037 bytes

ken545
2008-01-18, 01:37
Log looks good :bigthumb:

You can delete these files if you find them.

C:\FOUND.005
C:\FOUND.004
C:\FOUND.003


Run HJT in a few days and let me know how you're doing. If those entries return we will have to dig deeper.

Ken:cowboy:

Llama
2008-01-24, 02:49
Well, my computer died (most probably the processor) and is getting fixed, so I'm posting from my dad's computer. When I get it back up and running I shall post logs. I didn't find the 3 files in C:\ from recollection. Thanks!

ken545
2008-01-24, 05:16
Sorry to hear that, I will be here when you're ready.

Ken

Llama
2008-02-13, 11:04
So anyway, after replacing the processor that had glued itself to the heatsink with its own thermal paste :red: I shall post HJT logs...

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:55:04 p.m., on 13/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\htpatch.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Xfire\xfire.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Opera 9\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Safer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\DOCUME~1\JOELGI~1\LOCALS~1\Temp\SpybotSD\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O4 - HKLM\..\Run: [HTpatch] C:\WINDOWS\htpatch.exe
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -s
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\JOELGI~1\LOCALS~1\Temp\SpybotSD\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\DOCUME~1\JOELGI~1\LOCALS~1\Temp\SpybotSD\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {CAFEEFAC-0016-0000-0002-ABCDEFFEDCBA} (Java Plug-in 1.6.0_02) -
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 4904 bytes

That took significantly longer than I remember it taking, probably because I had to get a cheap processor because of my budget :sad: sigh...

ken545
2008-02-13, 11:47
Hello,

You're back, glad you're up and running. Most times adding more memory to your system will speed it up. Do you know how much you have? You can right-click on My Computer and go to Properties, and down on the bottom of the tab it will tell you. With XP, to run nice you should have at least 512 MB of RAM. If you need to add memory, I can link you to a site that you can get it from.

Outside of that, your log looks fine :bigthumb: Are you having any more issues that you feel are malware related?

tashi
2008-02-25, 00:27
Thank you ken545.