PDA

View Full Version : Need help bad. I think It's Virtumundo



gomer pyle
2008-01-27, 06:05
From what I've read in the forum on Virtumundo my computer is badly infected.
I tried the Kapersky online scanner but it would'nt work with Firefox and I was not able to successfully find an internet connection with Internet Explorer to run the scan.
I hope you can help. Please.
Here is the hijack this file.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:57:29 PM, on 1/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.comcast.net/toolbar2.0/search/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.comcast.net/toolbar2.0/search/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Comcast
O2 - BHO: {27aaf506-2a50-3f58-4cd4-e5c11b961e23} - {32e169b1-1c5e-4dc4-85f3-05a2605faa72} - C:\WINDOWS\system32\wgwldktx.dll
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59DCAE5F-479C-443B-B2AF-E31407BCC8EA} - C:\WINDOWS\system32\ddccd.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O2 - BHO: BndVeano4 BHO Class - {8E4881AC-49E2-4761-9542-7E40C73CFB96} - C:\Program Files\QdrDrive\QdrDrive9.dll
O2 - BHO: MSEvents Object - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\ymhjdxgx.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [winshow] "C:\WINDOWS\winshow .exe"
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [b8cf5291] rundll32.exe "C:\WINDOWS\system32\apbqctha.dll",b
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [QdrPack11] "C:\Program Files\QdrPack\QdrPack11.exe" (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - S-1-5-21-4219811858-3455423638-1855872279-1008 Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe (User '?')
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robin Cady\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200448995890
O20 - Winlogon Notify: khfddef - khfddef.dll (file missing)
O20 - Winlogon Notify: ymhjdxgx - C:\WINDOWS\SYSTEM32\ymhjdxgx.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\yohjvtxd.exe (file missing)
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

--
End of file - 11117 bytes

Shaba
2008-01-28, 12:43
Hi gomer pyle and welcome to Safer Networking Forums :)

Are both AntiVir and McAfee up-to-date?

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

If you have problems with Combofix usage, see here (http://www.bleepingcomputer.com/combofix/how-to-use-combofix)

Post:

- a fresh HijackThis log
- combofix report

gomer pyle
2008-01-28, 21:20
First off thanks for responding to my call for help.
Ihave run both the scans and am posting them in a series of replies because they are too long.
As far as Security programs being up to date - I believe they are but I have issues with both programs. They both are very buggy and do not respond well and ussually must be forced to quit because they become idle or juist freeze up.
Anyway, here are the logs.
Thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:10:36 AM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - S-1-5-21-4219811858-3455423638-1855872279-1008 Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe (User '?')
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robin Cady\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200448995890
O20 - Winlogon Notify: khfddef - khfddef.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

--
End of file - 9565 bytes

gomer pyle
2008-01-28, 21:22
ComboFix 08-01-28.2 - Robin Cady 2008-01-28 10:39:29.1 - NTFSx86

Running from: C:\Documents and Settings\Robin Cady\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\bkcrtwnz.dll
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\Documents and Settings\Robin Cady\My Documents\pos292A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos292B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos292C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos292D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos292E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos292F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2930.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2931.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2932.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2933.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2934.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2935.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2936.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2937.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2938.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2939.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos293A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos293B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos293C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos293D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos293E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos293F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2940.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2941.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2942.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2943.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2944.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2945.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2946.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2947.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2948.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2949.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos294A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos294B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos294C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos294D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos294E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos294F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2950.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2951.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2952.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2953.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2954.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2955.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2956.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2957.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2958.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2959.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos295A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos295B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos295C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos295D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos295E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos295F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2960.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2961.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2962.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2963.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2964.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2965.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2966.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2967.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2968.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2969.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos296A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos296B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos296C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos296D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos296E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos296F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2970.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2971.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2972.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2973.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2974.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2975.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2976.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2977.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2978.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2979.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos297A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos297B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos297C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos297D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos297E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos297F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2980.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2981.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2982.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2983.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2984.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2985.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2986.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2987.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2988.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2989.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos298A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos298B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos298C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos298D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos298E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos298F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2990.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2991.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2992.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2993.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2994.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2995.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2996.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2997.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2998.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2999.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos299A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos299B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos299C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos299D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos299E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos299F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29A0.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29A1.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29A2.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29A3.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29A4.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29A5.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29A6.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29A7.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29A8.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29A9.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29AA.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29AB.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29AC.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29AD.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29AE.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29AF.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29B0.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29B1.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29B2.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29B3.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29B4.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29B5.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29B6.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29B7.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29B8.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29B9.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29BA.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29BB.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29BC.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29BD.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29BE.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29BF.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29C0.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29C1.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29C2.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29C3.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29C4.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29C5.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29C6.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29C7.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29C8.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29C9.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29CA.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29CB.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29CC.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29CD.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29CE.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29CF.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29D0.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29D1.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29D2.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29D3.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29D4.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29D5.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29D6.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29D7.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29D8.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29D9.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29DA.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29DB.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29DC.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29DD.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29DE.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29DF.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29E0.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29E1.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29E2.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29E3.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29E4.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29E5.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29E6.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29E7.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29E8.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29E9.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29EA.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29EB.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29EC.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29ED.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29EE.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29EF.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29F0.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29F1.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29F2.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29F3.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29F4.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29F5.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29F6.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29F7.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29F8.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29F9.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29FA.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29FB.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29FC.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29FD.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29FE.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos29FF.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A00.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A01.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A02.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A03.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A04.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A05.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A06.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A07.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A08.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A09.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A0A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A0B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A0C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A0D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A0E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A0F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A10.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A11.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A12.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A13.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A14.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A15.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A16.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A17.tmp

gomer pyle
2008-01-28, 21:23
C:\Documents and Settings\Robin Cady\My Documents\pos2A18.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A19.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A1A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A1B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A1C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A1D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A1E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A1F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A20.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A21.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A22.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A23.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A24.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A25.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A26.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A27.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A28.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A29.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A2A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A2B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A2C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A2D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A2E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A2F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A30.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A31.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A32.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A33.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A34.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A35.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A36.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A37.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A38.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A39.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A3A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A3B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A3C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A3D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A3E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A3F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A40.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A41.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A42.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A43.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A44.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A45.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A46.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A47.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A48.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A49.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A4A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A4B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A4C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A4D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A4E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A4F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A50.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A51.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A52.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A53.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A54.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A55.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A56.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A57.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A58.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A59.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A5A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A5B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A5C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A5D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A5E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A5F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A60.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A61.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A62.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A63.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A64.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A65.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A66.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A67.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A68.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A69.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A6A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A6B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A6C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A6D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A6E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A6F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A70.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A71.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A72.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A73.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A74.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A75.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A76.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A77.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A78.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A79.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A7A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A7B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A7C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A7D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A7E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A7F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A80.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A81.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A82.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A83.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A84.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A85.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A86.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A87.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A88.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A89.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A8A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A8B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A8C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A8D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A8E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A8F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A90.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A91.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A92.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A93.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A94.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A95.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A96.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A97.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A98.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A99.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A9A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A9B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A9C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A9D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A9E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2A9F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AA0.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AA1.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AA2.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AA3.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AA4.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AA5.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AA6.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AA7.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AA8.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AA9.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AAA.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AAB.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AAC.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AAD.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AAE.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AAF.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AB0.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AB1.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AB2.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AB3.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AB4.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AB5.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AB6.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AB7.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AB8.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AB9.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ABA.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ABB.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ABC.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ABD.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ABE.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ABF.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AC0.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AC1.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AC2.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AC3.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AC4.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AC5.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AC6.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AC7.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AC8.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AC9.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ACA.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ACB.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ACC.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ACD.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ACE.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ACF.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AD0.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AD1.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AD2.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AD3.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AD4.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AD5.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AD6.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AD7.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AD8.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AD9.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ADA.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ADB.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ADC.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ADD.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ADE.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2ADF.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AE0.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AE1.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AE2.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AE3.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AE4.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AE5.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AE6.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AE7.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AE8.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AE9.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AEA.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AEB.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AEC.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AED.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AEE.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AEF.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AF0.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AF1.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AF2.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AF3.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AF4.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AF5.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AF6.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AF7.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AF8.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AF9.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AFA.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AFB.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AFC.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AFD.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AFE.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2AFF.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B00.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B01.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B02.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B03.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B04.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B05.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B06.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B07.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B08.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B09.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B0A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B0B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B0C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B0D.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B0E.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B0F.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B10.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B11.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B12.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B13.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B14.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B15.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B16.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B17.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B18.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B19.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B1A.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B1B.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B1C.tmp
C:\Documents and Settings\Robin Cady\My Documents\pos2B1D.tmp
C:\Documents and Settings\Robin Cady\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Robin Cady\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\pos2731.tmp
C:\pos2732.tmp
C:\pos2733.tmp
C:\pos2734.tmp
C:\pos2735.tmp
C:\pos2736.tmp
C:\pos2737.tmp
C:\pos2738.tmp
C:\pos2739.tmp
C:\pos273A.tmp
C:\pos273B.tmp
C:\pos273C.tmp
C:\pos273E.tmp
C:\pos273F.tmp
C:\pos2740.tmp
C:\pos2742.tmp
C:\pos2744.tmp
C:\pos2745.tmp
C:\pos2746.tmp
C:\pos2747.tmp
C:\pos2748.tmp

gomer pyle
2008-01-28, 21:24
C:\pos2749.tmp
C:\pos274A.tmp
C:\pos274B.tmp
C:\pos274C.tmp
C:\pos274D.tmp
C:\pos274E.tmp
C:\pos274F.tmp
C:\pos2750.tmp
C:\pos2751.tmp
C:\pos2753.tmp
C:\pos2754.tmp
C:\pos2755.tmp
C:\pos2756.tmp
C:\pos2757.tmp
C:\pos2758.tmp
C:\pos2759.tmp
C:\pos275A.tmp
C:\pos275B.tmp
C:\pos275C.tmp
C:\pos275E.tmp
C:\pos275F.tmp
C:\pos2760.tmp
C:\pos2761.tmp
C:\pos2762.tmp
C:\pos2763.tmp
C:\pos2764.tmp
C:\pos2765.tmp
C:\pos2766.tmp
C:\pos2767.tmp
C:\pos2768.tmp
C:\pos2769.tmp
C:\pos276A.tmp
C:\pos276B.tmp
C:\pos276C.tmp
C:\pos276D.tmp
C:\pos276E.tmp
C:\pos276F.tmp
C:\pos2770.tmp
C:\pos2771.tmp
C:\pos2772.tmp
C:\pos2773.tmp
C:\pos2774.tmp
C:\pos2775.tmp
C:\pos2776.tmp
C:\pos2777.tmp
C:\pos2778.tmp
C:\pos2779.tmp
C:\pos277A.tmp
C:\pos277B.tmp
C:\pos277C.tmp
C:\pos277D.tmp
C:\pos277E.tmp
C:\pos277F.tmp
C:\pos2780.tmp
C:\pos2781.tmp
C:\pos2782.tmp
C:\pos2783.tmp
C:\pos2784.tmp
C:\pos2785.tmp
C:\pos2786.tmp
C:\pos2787.tmp
C:\pos2788.tmp
C:\pos2789.tmp
C:\pos278A.tmp
C:\pos278B.tmp
C:\pos278C.tmp
C:\pos278D.tmp
C:\pos278E.tmp
C:\pos278F.tmp
C:\pos2790.tmp
C:\pos2791.tmp
C:\pos2792.tmp
C:\pos2793.tmp
C:\pos2794.tmp
C:\pos2795.tmp
C:\pos2796.tmp
C:\pos2797.tmp
C:\pos2798.tmp
C:\pos2799.tmp
C:\pos279A.tmp
C:\pos279B.tmp
C:\pos279C.tmp
C:\pos279D.tmp
C:\pos279E.tmp
C:\pos279F.tmp
C:\pos27A0.tmp
C:\pos27A1.tmp
C:\pos27A2.tmp
C:\pos27A3.tmp
C:\pos27A4.tmp
C:\pos27A5.tmp
C:\pos27A6.tmp
C:\pos27A7.tmp
C:\pos27A8.tmp
C:\pos27A9.tmp
C:\pos27AA.tmp
C:\pos27AB.tmp
C:\pos27AC.tmp
C:\pos27AD.tmp
C:\pos27AE.tmp
C:\pos27AF.tmp
C:\pos27B0.tmp
C:\pos27B1.tmp
C:\pos27B2.tmp
C:\pos27B3.tmp
C:\pos27B4.tmp
C:\pos27B5.tmp
C:\pos27B6.tmp
C:\pos27B7.tmp
C:\pos27B8.tmp
C:\pos27B9.tmp
C:\pos27BA.tmp
C:\pos27BB.tmp
C:\pos27BC.tmp
C:\pos27BD.tmp
C:\pos27BE.tmp
C:\pos27BF.tmp
C:\pos27C0.tmp
C:\pos27C1.tmp
C:\pos27C2.tmp
C:\pos27C3.tmp
C:\pos27C4.tmp
C:\pos27C5.tmp
C:\pos27C6.tmp
C:\pos27C7.tmp
C:\pos27C8.tmp
C:\pos27C9.tmp
C:\pos27CA.tmp
C:\pos27CB.tmp
C:\pos27CC.tmp
C:\pos27CD.tmp
C:\pos27CE.tmp
C:\pos27CF.tmp
C:\pos27D0.tmp
C:\pos27D1.tmp
C:\pos27D2.tmp
C:\pos27D3.tmp
C:\pos27D4.tmp
C:\pos27D5.tmp
C:\pos27D6.tmp
C:\pos27D7.tmp
C:\pos27D8.tmp
C:\pos27D9.tmp
C:\pos27DA.tmp
C:\pos27DB.tmp
C:\pos27DC.tmp
C:\pos27DD.tmp
C:\pos27DE.tmp
C:\pos27DF.tmp
C:\pos27E0.tmp
C:\pos27E1.tmp
C:\pos27E2.tmp
C:\pos27E3.tmp
C:\pos27E4.tmp
C:\pos27E5.tmp
C:\pos27E6.tmp
C:\pos27E7.tmp
C:\pos27E8.tmp
C:\pos27E9.tmp
C:\pos27EA.tmp
C:\pos27EB.tmp
C:\pos27EC.tmp
C:\pos27ED.tmp
C:\pos27EE.tmp
C:\pos27EF.tmp
C:\pos27F0.tmp
C:\pos27F1.tmp
C:\pos27F2.tmp
C:\pos27F3.tmp
C:\pos27F4.tmp
C:\pos27F5.tmp
C:\pos27F6.tmp
C:\pos27F7.tmp
C:\pos27F8.tmp
C:\pos27F9.tmp
C:\pos27FA.tmp
C:\pos27FB.tmp
C:\pos27FC.tmp
C:\pos27FD.tmp
C:\pos27FE.tmp
C:\pos27FF.tmp
C:\pos2800.tmp
C:\pos2801.tmp
C:\pos2802.tmp
C:\pos2803.tmp
C:\pos2804.tmp
C:\pos2805.tmp
C:\pos2806.tmp
C:\pos2807.tmp
C:\pos2808.tmp
C:\pos2809.tmp
C:\pos280A.tmp
C:\pos280B.tmp
C:\pos280C.tmp
C:\pos280D.tmp
C:\pos280E.tmp
C:\pos280F.tmp
C:\pos2810.tmp
C:\pos2811.tmp
C:\pos2812.tmp
C:\pos2813.tmp
C:\pos2814.tmp
C:\pos2815.tmp
C:\pos2816.tmp
C:\pos2817.tmp
C:\pos2818.tmp
C:\pos2819.tmp
C:\pos281A.tmp
C:\pos281B.tmp
C:\pos281C.tmp
C:\pos281D.tmp
C:\pos281E.tmp
C:\pos281F.tmp
C:\pos2820.tmp
C:\pos2821.tmp
C:\pos2822.tmp
C:\pos2823.tmp
C:\pos2824.tmp
C:\pos2825.tmp
C:\pos2826.tmp
C:\pos2827.tmp
C:\pos2828.tmp
C:\pos2829.tmp
C:\pos282A.tmp
C:\pos282B.tmp
C:\pos282C.tmp
C:\pos282D.tmp
C:\pos282E.tmp
C:\pos282F.tmp
C:\pos2830.tmp
C:\pos2831.tmp
C:\pos2832.tmp
C:\pos2833.tmp
C:\pos2834.tmp
C:\pos2835.tmp
C:\pos2836.tmp
C:\pos2837.tmp
C:\pos2838.tmp
C:\pos2839.tmp
C:\pos283A.tmp
C:\pos283B.tmp
C:\pos283C.tmp
C:\pos283D.tmp
C:\pos283E.tmp
C:\pos283F.tmp
C:\pos2840.tmp
C:\pos2841.tmp
C:\pos2842.tmp
C:\pos2843.tmp
C:\pos2844.tmp
C:\pos2845.tmp
C:\pos2846.tmp
C:\pos2847.tmp
C:\pos2848.tmp
C:\pos2849.tmp
C:\pos284A.tmp
C:\pos284B.tmp
C:\pos284C.tmp
C:\pos284D.tmp
C:\pos284E.tmp
C:\pos284F.tmp
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\QdrDrive9.dll
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\QdrPack11 .exe
C:\Program Files\QdrPack\trgts.gz
C:\temp\tn3
C:\WINDOWS\mantec~1
C:\WINDOWS\SYSTEM32\ahtcqbpa.ini
C:\WINDOWS\system32\apbqctha.dll
C:\WINDOWS\system32\b1
C:\WINDOWS\system32\bkcrtwnz.dll
C:\WINDOWS\system32\bkcrtwnz.dllbox
C:\WINDOWS\system32\bxyprgvp.dll
C:\WINDOWS\system32\ckuswcwf.dll
C:\WINDOWS\SYSTEM32\dccdd.ini
C:\WINDOWS\SYSTEM32\dccdd.ini2
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\ddccd.exe
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\dsfianvp.exe
C:\WINDOWS\SYSTEM32\eqqemsrf.ini
C:\WINDOWS\SYSTEM32\eumjrocx.ini
C:\WINDOWS\SYSTEM32\fwcwsukc.ini
C:\WINDOWS\system32\hbkltyfy.dll
C:\WINDOWS\SYSTEM32\hlvhmbji.ini
C:\WINDOWS\SYSTEM32\kgpgiixx.ini
C:\WINDOWS\SYSTEM32\mancmrwp.ini
C:\WINDOWS\SYSTEM32\mauglbbj.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\vvnotmnt.exe
C:\WINDOWS\system32\wgwldktx.dll
C:\WINDOWS\system32\windows
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\SYSTEM32\ychvwtsi.ini
C:\WINDOWS\system32\ymhjdxgx.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\core
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-28 )))))))))))))))))))))))))))))))
.

2008-01-28 10:40 . 2008-01-28 10:40 14,033 --a------ C:\pos28CB.tmp
2008-01-27 15:25 . 2008-01-27 15:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-01-26 19:12 . 2008-01-26 19:12 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-26 19:09 . 2008-01-26 19:09 <DIR> d-------- C:\KAV
2008-01-26 18:57 . 2008-01-26 18:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 09:19 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-22 09:15 . 2008-01-22 10:56 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\HouseCall 6.6
2008-01-22 09:08 . 2008-01-22 09:13 <DIR> d-------- C:\Documents and Settings\Robin Cady\.housecall6.6
2008-01-19 22:20 . 2008-01-19 22:20 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-19 22:19 . 2008-01-19 22:19 <DIR> d-------- C:\Program Files\Real
2008-01-19 22:19 . 2008-01-19 22:20 <DIR> d-------- C:\Program Files\Common Files\Real
2008-01-19 12:54 . 2008-01-19 12:54 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2008-01-19 12:08 . 2008-01-19 12:08 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\Uniblue
2008-01-18 21:44 . 2008-01-20 17:52 <DIR> d-------- C:\Program Files\Remove-it
2008-01-18 19:08 . 2008-01-18 19:12 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\PrevxCSI
2008-01-18 19:08 . 2008-01-18 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-17 09:12 . 2008-01-17 09:12 <DIR> d-------- C:\Program Files\CCleaner
2008-01-17 03:06 . 2008-01-17 03:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-16 21:46 . 2008-01-16 21:46 163,904 --a------ C:\WINDOWS\SYSTEM32\ymhjdxgx.dll.vir
2008-01-16 05:05 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-16 05:05 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-15 18:24 . 2008-01-15 18:24 <DIR> d-------- C:\Program Files\Avira
2008-01-15 18:24 . 2008-01-15 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-15 17:06 . 2004-08-03 23:56 185,856 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\framedyn.dll
2008-01-15 09:57 . 2008-01-19 12:13 <DIR> d-------- C:\VundoFix Backups
2008-01-14 14:37 . 2008-01-14 19:40 2,112,131 --ahs---- C:\WINDOWS\SYSTEM32\lheyudco.ini
2008-01-10 20:15 . 2008-01-10 20:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-01-08 14:22 . 2000-01-03 11:05 131,072 --a------ C:\WINDOWS\SYSTEM32\DZIP32.dll
2008-01-08 13:58 . 2008-01-19 16:09 8,678 --a------ C:\WINDOWS\hh.dat
2008-01-08 13:54 . 2008-01-08 13:54 <DIR> d-------- C:\Program Files\Virtual Studio Systems
2007-12-30 11:16 . 2008-01-11 09:05 <DIR> d-------- C:\Program Files\RcvSystem
2007-12-29 11:18 . 2008-01-19 16:20 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\McAfee
2007-12-28 11:31 . 2007-12-28 11:31 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\Ace
2007-12-28 11:29 . 2006-11-29 13:06 3,426,072 --a------ C:\WINDOWS\SYSTEM32\d3dx9_32.dll
2007-12-28 11:29 . 2007-04-04 18:53 81,768 --a------ C:\WINDOWS\SYSTEM32\xinput1_3.dll
2007-12-28 11:28 . 2006-09-28 16:05 2,414,360 --a------ C:\WINDOWS\SYSTEM32\d3dx9_31.dll
2007-12-28 11:20 . 2007-12-28 11:20 <DIR> d-------- C:\Program Files\THQ

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-28 18:52 --------- d-----w C:\Program Files\iTunes
2008-01-26 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-20 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-18 17:11 --------- d-----w C:\Program Files\McAfee
2008-01-18 01:12 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\Audacity
2008-01-11 04:37 --------- d-----w C:\Program Files\Easy Songwriter
2008-01-11 04:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 22:16 --------- d-----w C:\Program Files\QuickTime
2008-01-02 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-29 03:12 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\Image Zone Express
2007-12-28 19:13 90,112 ----a-w C:\WINDOWS\UpdReg .EXE
2007-12-28 05:20 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-28 05:12 --------- d-----w C:\Program Files\McAfee.com
2007-12-27 23:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-27 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-29 02:21 724,984 ----a-w C:\Documents and Settings\Isabella Cady\gotomypc_437.exe
2007-09-25 00:53 724,984 ----a-w C:\Documents and Settings\Robin Cady\gotomypc_437.exe
.

<pre>
----a-w 63,712 2007-12-28 19:13:20 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w 39,792 2007-12-28 19:13:23 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 249,896 2008-01-27 03:31:47 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w 153,136 2007-12-28 19:13:35 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 152,872 2007-12-28 19:13:51 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w 185,632 2007-12-28 19:13:40 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 70,816 2007-12-27 23:07:38 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 135,264 2007-12-28 19:14:31 C:\Program Files\Creative\SBLive\Diagnostics\diagent .exe
----a-w 53,248 2007-12-28 19:13:06 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 49,152 2007-12-28 19:13:13 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 271,672 2008-01-27 03:31:42 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 1,694,208 2007-12-28 19:13:51 C:\Program Files\Messenger\msmsgs .exe
----a-w 282,624 2008-01-11 12:47:04 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:05 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 1,773,568 2007-12-29 08:20:13 C:\Program Files\support.com\bin\tgcmd .exe
----a-w 90,112 2007-12-28 19:13:12 C:\WINDOWS\UpdReg .EXE
----a-w 158,208 2008-01-22 04:22:06 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 114,688 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w 155,648 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w 151,552 2007-12-28 19:13:17 C:\WINDOWS\SYSTEM32\NeroCheck .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E9C47B8-A8C4-478A-9EA2-73203B9BC50B}]
C:\WINDOWS\system32\ddccd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e44ddc3-4262-4097-b2c1-9915038a0ea2}]
C:\WINDOWS\system32\bxyprgvp.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshow"="C:\WINDOWS\winshow .exe" [ ]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [ ]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [ ]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [ ]
"b8cf5291"="C:\WINDOWS\system32\ckuswcwf.dll" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [ ]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [ ]
"combofix"="C:\ComboFix\kmd.exe" [2004-08-03 23:56 388608]

C:\Documents and Settings\Robin Cady\Start Menu\Programs\Startup\
TrueAssistant.lnk - C:\Program Files\TrueAssistant\TrueAssistant.exe [2005-04-02 06:08:48 372224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-30 19:22:22 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24 258048]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"= 0 (0x0)
"DisableTaskMgr"= 0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"SFCDisable"=dword:00000004
"System"=" "

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bkcrtwnz]
bkcrtwnz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfddef]
khfddef.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddccd


.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 15:17:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 10:10:08 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-01 09:00:56 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-28 11:02:44
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
.
**************************************************************************
.
Completion time: 2008-01-28 11:07:41 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-28 19:07:32
.
2008-01-17 11:10:05 --- E O F ---

Shaba
2008-01-29, 11:13
Hi

Open notepad and copy/paste the text in the quotebox below into it:


RenV::
----a-w 63,712 2007-12-28 19:13:20 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w 39,792 2007-12-28 19:13:23 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 249,896 2008-01-27 03:31:47 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w 153,136 2007-12-28 19:13:35 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 152,872 2007-12-28 19:13:51 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w 185,632 2007-12-28 19:13:40 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 70,816 2007-12-27 23:07:38 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 135,264 2007-12-28 19:14:31 C:\Program Files\Creative\SBLive\Diagnostics\diagent .exe
----a-w 53,248 2007-12-28 19:13:06 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 49,152 2007-12-28 19:13:13 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 271,672 2008-01-27 03:31:42 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 1,694,208 2007-12-28 19:13:51 C:\Program Files\Messenger\msmsgs .exe
----a-w 282,624 2008-01-11 12:47:04 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:05 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 1,773,568 2007-12-29 08:20:13 C:\Program Files\support.com\bin\tgcmd .exe
----a-w 90,112 2007-12-28 19:13:12 C:\WINDOWS\UpdReg .EXE
----a-w 158,208 2008-01-22 04:22:06 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 114,688 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w 155,648 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w 151,552 2007-12-28 19:13:17 C:\WINDOWS\SYSTEM32\NeroCheck .exe

File::
C:\pos28CB.tmp
C:\WINDOWS\SYSTEM32\ymhjdxgx.dll.vir
C:\WINDOWS\SYSTEM32\lheyudco.ini

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bkcrtwnz]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfddef]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E9C47B8-A8C4-478A-9EA2-73203B9BC50B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e44ddc3-4262-4097-b2c1-9915038a0ea2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshow"=-
"b8cf5291"=-
"combofix"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more that 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

gomer pyle
2008-01-29, 22:09
Thanks for the last message.
I did as you said and then ran the new scans.

Here is the hijackthis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:05:04 PM, on 1/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - S-1-5-21-4219811858-3455423638-1855872279-1008 Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe (User '?')
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robin Cady\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200448995890
O20 - Winlogon Notify: khfddef - khfddef.dll (file missing)
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

--
End of file - 9670 bytes

gomer pyle
2008-01-29, 22:12
Here is the Combofix Log:



ComboFix 08-01-28.2 - Robin Cady 2008-01-29 10:55:38.2 - NTFSx86

Running from: C:\Documents and Settings\Robin Cady\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2007-12-28 to 2008-01-29 )))))))))))))))))))))))))))))))
.

2008-01-27 15:25 . 2008-01-27 15:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-01-26 19:12 . 2008-01-26 19:12 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-26 19:09 . 2008-01-26 19:09 <DIR> d-------- C:\KAV
2008-01-26 18:57 . 2008-01-26 18:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 09:19 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-22 09:15 . 2008-01-22 10:56 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\HouseCall 6.6
2008-01-22 09:08 . 2008-01-22 09:13 <DIR> d-------- C:\Documents and Settings\Robin Cady\.housecall6.6
2008-01-19 22:20 . 2008-01-19 22:20 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-19 22:19 . 2008-01-19 22:19 <DIR> d-------- C:\Program Files\Real
2008-01-19 22:19 . 2008-01-19 22:20 <DIR> d-------- C:\Program Files\Common Files\Real
2008-01-19 12:54 . 2008-01-19 12:54 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2008-01-19 12:08 . 2008-01-19 12:08 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\Uniblue
2008-01-18 21:44 . 2008-01-20 17:52 <DIR> d-------- C:\Program Files\Remove-it
2008-01-18 19:08 . 2008-01-18 19:12 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\PrevxCSI
2008-01-18 19:08 . 2008-01-18 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-17 09:12 . 2008-01-17 09:12 <DIR> d-------- C:\Program Files\CCleaner
2008-01-17 03:06 . 2008-01-17 03:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-16 21:46 . 2008-01-16 21:46 163,904 --a------ C:\WINDOWS\SYSTEM32\ymhjdxgx.dll.vir
2008-01-16 05:05 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-16 05:05 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-15 18:24 . 2008-01-15 18:24 <DIR> d-------- C:\Program Files\Avira
2008-01-15 18:24 . 2008-01-15 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-15 17:06 . 2004-08-03 23:56 185,856 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\framedyn.dll
2008-01-15 09:57 . 2008-01-19 12:13 <DIR> d-------- C:\VundoFix Backups
2008-01-14 14:37 . 2008-01-14 19:40 2,112,131 --ahs---- C:\WINDOWS\SYSTEM32\lheyudco.ini
2008-01-10 20:15 . 2008-01-10 20:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-01-08 14:22 . 2000-01-03 11:05 131,072 --a------ C:\WINDOWS\SYSTEM32\DZIP32.dll
2008-01-08 13:58 . 2008-01-19 16:09 8,678 --a------ C:\WINDOWS\hh.dat
2008-01-08 13:54 . 2008-01-08 13:54 <DIR> d-------- C:\Program Files\Virtual Studio Systems
2007-12-30 11:16 . 2008-01-11 09:05 <DIR> d-------- C:\Program Files\RcvSystem
2007-12-29 11:18 . 2008-01-19 16:20 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\McAfee

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 01:56 --------- d-----w C:\Program Files\iTunes
2008-01-26 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-22 04:22 158,208 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
2008-01-22 04:08 508,928 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
2008-01-20 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-18 17:11 --------- d-----w C:\Program Files\McAfee
2008-01-18 01:12 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\Audacity
2008-01-11 04:37 --------- d-----w C:\Program Files\Easy Songwriter
2008-01-11 04:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 22:16 --------- d-----w C:\Program Files\QuickTime
2008-01-02 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-29 03:12 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\Image Zone Express
2007-12-28 19:31 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\Ace
2007-12-28 19:20 --------- d-----w C:\Program Files\THQ
2007-12-28 19:13 90,112 ----a-w C:\WINDOWS\UpdReg .EXE
2007-12-28 05:20 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-28 05:12 --------- d-----w C:\Program Files\McAfee.com
2007-12-27 23:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-27 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-29 02:21 724,984 ----a-w C:\Documents and Settings\Isabella Cady\gotomypc_437.exe
2007-09-25 00:53 724,984 ----a-w C:\Documents and Settings\Robin Cady\gotomypc_437.exe
.

<pre>
----a-w 63,712 2007-12-28 19:13:20 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w 39,792 2007-12-28 19:13:23 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 249,896 2008-01-27 03:31:47 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w 153,136 2007-12-28 19:13:35 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 152,872 2007-12-28 19:13:51 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w 185,632 2007-12-28 19:13:40 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 70,816 2007-12-27 23:07:38 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 135,264 2007-12-28 19:14:31 C:\Program Files\Creative\SBLive\Diagnostics\diagent .exe
----a-w 53,248 2007-12-28 19:13:06 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 49,152 2007-12-28 19:13:13 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 271,672 2008-01-27 03:31:42 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 1,694,208 2007-12-28 19:13:51 C:\Program Files\Messenger\msmsgs .exe
----a-w 282,624 2008-01-11 12:47:04 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:05 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 1,773,568 2007-12-29 08:20:13 C:\Program Files\support.com\bin\tgcmd .exe
----a-w 90,112 2007-12-28 19:13:12 C:\WINDOWS\UpdReg .EXE
----a-w 158,208 2008-01-22 04:22:06 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 114,688 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w 155,648 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w 151,552 2007-12-28 19:13:17 C:\WINDOWS\SYSTEM32\NeroCheck .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [ ]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-27 20:14 271672]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-28 19:27 249896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [ ]

C:\Documents and Settings\Robin Cady\Start Menu\Programs\Startup\
TrueAssistant.lnk - C:\Program Files\TrueAssistant\TrueAssistant.exe [2005-04-02 06:08:48 372224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-30 19:22:22 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24 258048]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=" "

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfddef]
khfddef.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddccd


.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 15:17:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 10:10:08 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-01 09:00:56 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-29 11:08:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-01-29 11:14:45 - machine was rebooted [Robin Cady]
ComboFix-quarantined-files.txt 2008-01-29 19:14:34
ComboFix2.txt 2008-01-28 19:07:42
.
2008-01-17 11:10:05 --- E O F ---

Shaba
2008-01-30, 12:18
Hi

You didn't seem to follow my instructions.

You are supposed to create a file named CFScript and drag and drop it into ComboFix.exe and not just doubleclick ComboFix.exe in order to run it.

Please try again and ask if something isn't clear before that :)

gomer pyle
2008-01-30, 20:45
Hi Shaba,
I dragged the file to combofix and it started like it was working and then just quit itself.
So the last post was posted differently than your instructions because I did'nt recieve a log by doing it by just dragging the txt file into the exe file.
Did I do something wrong?
I tried it again and still the same results.
The program acts like it is working and a few command prompt screens pop up but then dissapear with no results.

Thanks and I look forward to more instruction.

Shaba
2008-01-30, 20:50
Hi

Ensure that CFScript is in Desktop.

Go to start and run

Type this and click ok:

"%Userprofile%\Desktop\Combofix /CFScript.txt"

And let me know how it went :)

gomer pyle
2008-01-31, 07:47
Ok. CFScript is in desktop.
I opened start - run and typed in what you said to do.

It gives me this message:


Windows cannot fin 'C:\documents and settings\robin cady\desktop\Combofix/CFScript.txt'. Make sure you typed the name correctly, and then try again. To search for a file, click the Start button and then click Search

I did a search and did confirm that the both of the files do exist at C:\documents and settings\robin cady\desktop

So I don't know what else to do.


Standing by ------ Thanks

Shaba
2008-01-31, 12:29
Hi

Then we remove things using different tools:

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bkcrtwnz]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khfddef]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0E9C47B8-A8C4-478A-9EA2-73203B9BC50B}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e44ddc3-4262-4097-b2c1-9915038a0ea2}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"winshow"=-
"b8cf5291"=-
"combofix"=-

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

Reboot.

Please download the OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe).

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\pos28CB.tmp
C:\WINDOWS\SYSTEM32\ymhjdxgx.dll.vir
C:\WINDOWS\SYSTEM32\lheyudco.ini


Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Download and save to RenV.exe from following link to Desktop:

http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

Open NOTEPAD and copy/paste the text in the quotebox below into it:


----a-w 63,712 2007-12-28 19:13:20 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w 39,792 2007-12-28 19:13:23 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 249,896 2008-01-27 03:31:47 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w 153,136 2007-12-28 19:13:35 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 152,872 2007-12-28 19:13:51 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w 185,632 2007-12-28 19:13:40 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 70,816 2007-12-27 23:07:38 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 135,264 2007-12-28 19:14:31 C:\Program Files\Creative\SBLive\Diagnostics\diagent .exe
----a-w 53,248 2007-12-28 19:13:06 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 49,152 2007-12-28 19:13:13 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 271,672 2008-01-27 03:31:42 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 1,694,208 2007-12-28 19:13:51 C:\Program Files\Messenger\msmsgs .exe
----a-w 282,624 2008-01-11 12:47:04 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:05 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 1,773,568 2007-12-29 08:20:13 C:\Program Files\support.com\bin\tgcmd .exe
----a-w 90,112 2007-12-28 19:13:12 C:\WINDOWS\UpdReg .EXE
----a-w 158,208 2008-01-22 04:22:06 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 114,688 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w 155,648 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w 151,552 2007-12-28 19:13:17 C:\WINDOWS\SYSTEM32\NeroCheck .exe


Save this as Log.txt to Desktop.

http://img.photobucket.com/albums/v666/sUBs/RenV.gif

Refering to the picture above, drag Log.txt into RenV.exe

When finished, it shall produce a new log for you. Post that log in your next reply.

Re-run combofix.

Post:

- a fresh HijackThis log
- RenV log
- combofix report
- otmoveit2 log

gomer pyle
2008-02-01, 03:35
Ok thanks here are the results.
My computer is starting to behave itself.
Seems like whatever is happening is working.
I am very happy with the results so far.
Thanks Shaba!

Otmoveit log file.

File/Folder C:\pos28CB.tmp not found.
File move failed. C:\WINDOWS\SYSTEM32\ymhjdxgx.dll.vir scheduled to be moved on reboot.

08-01-27 03:31:47 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w 153,136 2007-12-28 19:13:35 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 152,872 2007-12-28 19:13:51 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w 185,632 2007-12-28 19:13:40 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 70,816 2007-12-27 23:07:38 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 135,264 2007-12-28 19:14:31 C:\Program Files\Creative\SBLive\Diagnostics\diagent .exe
----a-w 53,248 2007-12-28 19:13:06 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 49,152 2007-12-28 19:13:13 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 271,672 2008-01-27 03:31:42 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 1,694,208 2007-12-28 19:13:51 C:\Program Files\Messenger\msmsgs .exe
----a-w 282,624 2008-01-11 12:47:04 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:05 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 1,773,568 2007-12-29 08:20:13 C:\Program Files\support.com\bin\tgcmd .exe
----a-w 90,112 2007-12-28 19:13:12 C:\WINDOWS\UpdReg .EXE
----a-w 158,208 2008-01-22 04:22:06 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 114,688 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w 155,648 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w 151,552 2007-12-28 19:13:17 C:\WINDOWS\SYSTEM32\NeroCheck .exe

Entries: 22 (22)
Directories: 0 Files: 22
Bytes: 6,693,672 Blocks: 13,079
[/code]


HiJackThis log



Ran on Thu 01/31/2008 - 16:22:37.79

----a-w 63,712 2007-12-28 19:13:20 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w 39,792 2007-12-28 19:13:23 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 249,896 2008-01-27 03:31:47 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w 153,136 2007-12-28 19:13:35 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 152,872 2007-12-28 19:13:51 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w 185,632 2007-12-28 19:13:40 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 70,816 2007-12-27 23:07:38 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 135,264 2007-12-28 19:14:31 C:\Program Files\Creative\SBLive\Diagnostics\diagent .exe
----a-w 53,248 2007-12-28 19:13:06 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 49,152 2007-12-28 19:13:13 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 271,672 2008-01-27 03:31:42 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 1,694,208 2007-12-28 19:13:51 C:\Program Files\Messenger\msmsgs .exe
----a-w 282,624 2008-01-11 12:47:04 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:05 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 1,773,568 2007-12-29 08:20:13 C:\Program Files\support.com\bin\tgcmd .exe
----a-w 90,112 2007-12-28 19:13:12 C:\WINDOWS\UpdReg .EXE
----a-w 158,208 2008-01-22 04:22:06 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 114,688 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w 155,648 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w 151,552 2007-12-28 19:13:17 C:\WINDOWS\SYSTEM32\NeroCheck .exe

Entries: 22 (22)
Directories: 0 Files: 22
Bytes: 6,693,672 Blocks: 13,079



COMBOFIX LOG


ComboFix 08-01-28.2 - Robin Cady 2008-01-31 16:29:07.3 - NTFSx86

Running from: C:\Documents and Settings\Robin Cady\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-27 15:25 . 2008-01-27 15:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-01-26 19:12 . 2008-01-26 19:12 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-26 19:09 . 2008-01-26 19:09 <DIR> d-------- C:\KAV
2008-01-26 18:57 . 2008-01-26 18:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 09:19 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-22 09:15 . 2008-01-22 10:56 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\HouseCall 6.6
2008-01-22 09:08 . 2008-01-22 09:13 <DIR> d-------- C:\Documents and Settings\Robin Cady\.housecall6.6
2008-01-19 22:20 . 2008-01-19 22:20 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-19 22:19 . 2008-01-19 22:19 <DIR> d-------- C:\Program Files\Real
2008-01-19 22:19 . 2008-01-19 22:20 <DIR> d-------- C:\Program Files\Common Files\Real
2008-01-19 12:54 . 2008-01-19 12:54 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2008-01-19 12:08 . 2008-01-19 12:08 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\Uniblue
2008-01-18 21:44 . 2008-01-20 17:52 <DIR> d-------- C:\Program Files\Remove-it
2008-01-18 19:08 . 2008-01-18 19:12 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\PrevxCSI
2008-01-18 19:08 . 2008-01-18 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-17 09:12 . 2008-01-17 09:12 <DIR> d-------- C:\Program Files\CCleaner
2008-01-17 03:06 . 2008-01-17 03:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-16 05:05 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-16 05:05 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-15 18:24 . 2008-01-15 18:24 <DIR> d-------- C:\Program Files\Avira
2008-01-15 18:24 . 2008-01-15 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-15 17:06 . 2004-08-03 23:56 185,856 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\framedyn.dll
2008-01-15 09:57 . 2008-01-19 12:13 <DIR> d-------- C:\VundoFix Backups
2008-01-10 20:15 . 2008-01-10 20:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-01-08 14:22 . 2000-01-03 11:05 131,072 --a------ C:\WINDOWS\SYSTEM32\DZIP32.dll
2008-01-08 13:58 . 2008-01-19 16:09 8,678 --a------ C:\WINDOWS\hh.dat
2008-01-08 13:54 . 2008-01-08 13:54 <DIR> d-------- C:\Program Files\Virtual Studio Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 01:56 --------- d-----w C:\Program Files\iTunes
2008-01-26 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-20 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-20 00:20 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\McAfee
2008-01-18 17:11 --------- d-----w C:\Program Files\McAfee
2008-01-18 01:12 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\Audacity
2008-01-11 17:05 --------- d-----w C:\Program Files\RcvSystem
2008-01-11 04:37 --------- d-----w C:\Program Files\Easy Songwriter
2008-01-11 04:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-08 22:16 --------- d-----w C:\Program Files\QuickTime
2008-01-02 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-29 03:12 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\Image Zone Express
2007-12-28 19:31 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\Ace
2007-12-28 19:20 --------- d-----w C:\Program Files\THQ
2007-12-28 19:13 90,112 ----a-w C:\WINDOWS\UpdReg .EXE
2007-12-28 05:20 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-28 05:12 --------- d-----w C:\Program Files\McAfee.com
2007-12-27 23:56 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-27 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-29 02:21 724,984 ----a-w C:\Documents and Settings\Isabella Cady\gotomypc_437.exe
2007-09-25 00:53 724,984 ----a-w C:\Documents and Settings\Robin Cady\gotomypc_437.exe
.

<pre>
----a-w 63,712 2007-12-28 19:13:20 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w 39,792 2007-12-28 19:13:23 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 249,896 2008-01-27 03:31:47 C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w 153,136 2007-12-28 19:13:35 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 152,872 2007-12-28 19:13:51 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w 185,632 2007-12-28 19:13:40 C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 70,816 2007-12-27 23:07:38 C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 135,264 2007-12-28 19:14:31 C:\Program Files\Creative\SBLive\Diagnostics\diagent .exe
----a-w 53,248 2007-12-28 19:13:06 C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 49,152 2007-12-28 19:13:13 C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 271,672 2008-01-27 03:31:42 C:\Program Files\iTunes\iTunesHelper .exe
----a-w 1,694,208 2007-12-28 19:13:51 C:\Program Files\Messenger\msmsgs .exe
----a-w 282,624 2008-01-11 12:47:04 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:05 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\Program Files\QuickTime\qttask .exe
----a-w 1,773,568 2007-12-29 08:20:13 C:\Program Files\support.com\bin\tgcmd .exe
----a-w 90,112 2007-12-28 19:13:12 C:\WINDOWS\UpdReg .EXE
----a-w 158,208 2008-01-22 04:22:06 C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 114,688 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\hkcmd .exe
----a-w 155,648 2007-12-28 19:13:07 C:\WINDOWS\SYSTEM32\igfxtray .exe
----a-w 151,552 2007-12-28 19:13:17 C:\WINDOWS\SYSTEM32\NeroCheck .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [ ]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-27 20:14 271672]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-28 19:27 249896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [ ]

C:\Documents and Settings\Robin Cady\Start Menu\Programs\Startup\
TrueAssistant.lnk - C:\Program Files\TrueAssistant\TrueAssistant.exe [2005-04-02 06:08:48 372224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-30 19:22:22 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24 258048]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=" "


.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 15:17:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 10:10:08 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-01-01 09:00:56 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-31 16:34:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-31 16:37:58
ComboFix-quarantined-files.txt 2008-02-01 00:37:48
ComboFix2.txt 2008-01-29 19:14:45
ComboFix3.txt 2008-01-28 19:07:42
.
2008-01-17 11:10:05 --- E O F ---

gomer pyle
2008-02-01, 03:39
I don't think the entirety posted in my last post.
Here it is.

File/Folder C:\pos28CB.tmp not found.
File move failed. C:\WINDOWS\SYSTEM32\ymhjdxgx.dll.vir scheduled to be moved on reboot.
C:\WINDOWS\SYSTEM32\lheyudco.ini moved successfully.

OTMoveIt2 v1.0.17 log created on 01312008_160202

Shaba
2008-02-01, 12:13
Hi

Please post also a fresh HijackThis log :)

gomer pyle
2008-02-01, 18:57
Here is a fresh log.
Thanks



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:56:10 AM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
c:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - S-1-5-21-4219811858-3455423638-1855872279-1008 Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe (User '?')
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robin Cady\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200448995890
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

--
End of file - 9662 bytes

Shaba
2008-02-01, 19:12
Hi

As RenV didn't work, we need to delete certain startup programs and you will need to re-install; unfortunately we can do nothing about that.


Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent .exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\support.com\bin\tgcmd .exe
C:\WINDOWS\UpdReg .EXE
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINDOWS\SYSTEM32\hkcmd .exe
C:\WINDOWS\SYSTEM32\igfxtray .exe
C:\WINDOWS\SYSTEM32\NeroCheck .exe


Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Re-run combofix.

Post:

- a fresh HijackThis log
- combofix report
- otmoveit2 log

gomer pyle
2008-02-01, 22:38
Here's the latest.

Thanks a million


OTMoveIt Log


C:\Program Files\Common Files\Symantec Shared\ccApp .exe moved successfully.
C:\Program Files\Creative\SBLive\Diagnostics\diagent .exe moved successfully.
C:\Program Files\CyberLink\PowerDVD\DVDLauncher .exe moved successfully.
C:\Program Files\HP\HP Software Update\HPWuSchd2 .exe moved successfully.
C:\Program Files\iTunes\iTunesHelper .exe moved successfully.
C:\Program Files\Messenger\msmsgs .exe moved successfully.
C:\Program Files\QuickTime\qttask .exe moved successfully.
C:\Program Files\QuickTime\qttask .exe moved successfully.
C:\Program Files\QuickTime\qttask .exe moved successfully.
C:\Program Files\QuickTime\qttask .exe moved successfully.
C:\Program Files\support.com\bin\tgcmd .exe moved successfully.
C:\WINDOWS\UpdReg .EXE moved successfully.
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe moved successfully.
C:\WINDOWS\SYSTEM32\hkcmd .exe moved successfully.
C:\WINDOWS\SYSTEM32\igfxtray .exe moved successfully.
C:\WINDOWS\SYSTEM32\NeroCheck .exe moved successfully.

OTMoveIt2 v1.0.17 log created on 02012008_120817


COMBOFIX LOG

ComboFix 08-01-28.2 - Robin Cady 2008-02-01 12:22:01.4 - NTFSx86

Running from: C:\Documents and Settings\Robin Cady\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-01-27 15:25 . 2008-01-27 15:25 <DIR> d-------- C:\WINDOWS\SYSTEM32\LogFiles
2008-01-26 19:12 . 2008-01-26 19:12 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-01-26 19:09 . 2008-01-26 19:09 <DIR> d-------- C:\KAV
2008-01-26 18:57 . 2008-01-26 18:57 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-22 09:19 . 2007-08-01 16:47 102,664 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
2008-01-22 09:15 . 2008-01-22 10:56 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\HouseCall 6.6
2008-01-22 09:08 . 2008-01-22 09:13 <DIR> d-------- C:\Documents and Settings\Robin Cady\.housecall6.6
2008-01-19 22:20 . 2008-01-19 22:20 <DIR> d-------- C:\Program Files\Common Files\xing shared
2008-01-19 22:19 . 2008-01-19 22:19 <DIR> d-------- C:\Program Files\Real
2008-01-19 22:19 . 2008-01-19 22:20 <DIR> d-------- C:\Program Files\Common Files\Real
2008-01-19 12:54 . 2008-01-19 12:54 24,576 --a------ C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
2008-01-19 12:08 . 2008-01-19 12:08 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\Uniblue
2008-01-18 21:44 . 2008-01-20 17:52 <DIR> d-------- C:\Program Files\Remove-it
2008-01-18 19:08 . 2008-01-18 19:12 <DIR> d-------- C:\Documents and Settings\Robin Cady\Application Data\PrevxCSI
2008-01-18 19:08 . 2008-01-18 19:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Prevx
2008-01-17 09:12 . 2008-01-17 09:12 <DIR> d-------- C:\Program Files\CCleaner
2008-01-17 03:06 . 2008-01-17 03:06 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-16 05:05 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-01-16 05:05 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-01-15 18:24 . 2008-01-15 18:24 <DIR> d-------- C:\Program Files\Avira
2008-01-15 18:24 . 2008-01-15 18:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-01-15 17:06 . 2004-08-03 23:56 185,856 --a------ C:\WINDOWS\SYSTEM32\DLLCACHE\framedyn.dll
2008-01-15 09:57 . 2008-01-19 12:13 <DIR> d-------- C:\VundoFix Backups
2008-01-10 20:15 . 2008-01-10 20:15 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\McAfee
2008-01-08 14:22 . 2000-01-03 11:05 131,072 --a------ C:\WINDOWS\SYSTEM32\DZIP32.dll
2008-01-08 13:58 . 2008-01-19 16:09 8,678 --a------ C:\WINDOWS\hh.dat
2008-01-08 13:54 . 2008-01-08 13:54 <DIR> d-------- C:\Program Files\Virtual Studio Systems

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-01 20:08 --------- d-----w C:\Program Files\QuickTime
2008-02-01 20:08 --------- d-----w C:\Program Files\iTunes
2008-02-01 20:08 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-01-26 02:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-22 04:08 508,928 ----a-w C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe
2008-01-20 00:21 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-20 00:20 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\McAfee
2008-01-18 17:11 --------- d-----w C:\Program Files\McAfee
2008-01-18 01:12 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\Audacity
2008-01-11 17:05 --------- d-----w C:\Program Files\RcvSystem
2008-01-11 04:37 --------- d-----w C:\Program Files\Easy Songwriter
2008-01-11 04:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-02 02:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-12-29 03:12 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\Image Zone Express
2007-12-28 19:31 --------- d-----w C:\Documents and Settings\Robin Cady\Application Data\Ace
2007-12-28 19:20 --------- d-----w C:\Program Files\THQ
2007-12-28 05:20 --------- d-----w C:\Program Files\Common Files\McAfee
2007-12-28 05:12 --------- d-----w C:\Program Files\McAfee.com
2007-12-27 23:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-11-14 07:26 450,560 ----a-w C:\WINDOWS\SYSTEM32\DLLCACHE\jscript.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\SYSTEM32\lsasrv.dll
2007-11-07 09:26 721,920 ------w C:\WINDOWS\SYSTEM32\DLLCACHE\lsasrv.dll
2007-09-29 02:21 724,984 ----a-w C:\Documents and Settings\Isabella Cady\gotomypc_437.exe
2007-09-25 00:53 724,984 ----a-w C:\Documents and Settings\Robin Cady\gotomypc_437.exe
.

<pre>
----a-w 39,792 2007-12-28 19:13:23 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe
----a-w 63,712 2007-12-28 19:13:20 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy .exe
----a-w 249,896 2008-01-27 03:31:47 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt .exe
----a-w 153,136 2007-12-28 19:13:35 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 152,872 2007-12-28 19:13:51 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w 185,632 2007-12-28 19:13:40 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w 70,816 2007-12-27 23:07:38 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w 135,264 2007-12-28 19:14:31 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\Creative\SBLive\Diagnostics\diagent .exe
----a-w 53,248 2007-12-28 19:13:06 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\CyberLink\PowerDVD\DVDLauncher .exe
----a-w 49,152 2007-12-28 19:13:13 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\HP\HP Software Update\HPWuSchd2 .exe
----a-w 271,672 2008-01-27 03:31:42 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\iTunes\iTunesHelper .exe
----a-w 1,694,208 2007-12-28 19:13:51 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\Messenger\msmsgs .exe
----a-w 282,624 2008-01-11 12:47:04 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:05 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\QuickTime\qttask .exe
----a-w 282,624 2008-01-11 12:47:06 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\QuickTime\qttask .exe
----a-w 1,773,568 2007-12-29 08:20:13 C:\_OTMoveIt\MovedFiles\02012008_120817\Program Files\support.com\bin\tgcmd .exe
----a-w 90,112 2007-12-28 19:13:12 C:\_OTMoveIt\MovedFiles\02012008_120817\WINDOWS\UpdReg .EXE
----a-w 158,208 2008-01-22 04:22:06 C:\_OTMoveIt\MovedFiles\02012008_120817\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w 114,688 2007-12-28 19:13:07 C:\_OTMoveIt\MovedFiles\02012008_120817\WINDOWS\SYSTEM32\hkcmd .exe
----a-w 155,648 2007-12-28 19:13:07 C:\_OTMoveIt\MovedFiles\02012008_120817\WINDOWS\SYSTEM32\igfxtray .exe
----a-w 151,552 2007-12-28 19:13:17 C:\_OTMoveIt\MovedFiles\02012008_120817\WINDOWS\SYSTEM32\NeroCheck .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
"Uniblue RegistryBooster 2"="C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe" [ ]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [ ]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [ ]
"tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe" [ ]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [ ]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [ ]
"MBkLogOnHook"="C:\Program Files\McAfee\MBK\LogOnHook.exe" [ ]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-27 20:14 271672]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [ ]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [ ]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [ ]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [ ]
"diagent"="C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-01-28 19:27 249896]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [ ]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [ ]

C:\Documents and Settings\Robin Cady\Start Menu\Programs\Startup\
TrueAssistant.lnk - C:\Program Files\TrueAssistant\TrueAssistant.exe [2005-04-02 06:08:48 372224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-30 19:22:22 113664]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2004-11-04 18:28:24 258048]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoBandCustomize"= 0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
"System"=" "


.
Contents of the 'Scheduled Tasks' folder
"2008-01-26 15:17:09 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-01-15 10:10:08 C:\WINDOWS\Tasks\McDefragTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe'
"2008-02-01 09:00:27 C:\WINDOWS\Tasks\McQcTask.job"
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 12:28:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-02-01 12:32:33
ComboFix-quarantined-files.txt 2008-02-01 20:32:24
ComboFix2.txt 2008-02-01 00:37:59
ComboFix3.txt 2008-01-29 19:14:45
ComboFix4.txt 2008-01-28 19:07:42
.
2008-01-17 11:10:05 --- E O F ---

gomer pyle
2008-02-01, 22:39
Here's the HIJACK LOG

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:34 PM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\SYSTEM32\FREECELL.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - S-1-5-21-4219811858-3455423638-1855872279-1008 Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe (User '?')
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robin Cady\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200448995890
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

--
End of file - 9688 bytes

Shaba
2008-02-02, 11:57
Hi

One typo, my bad.


Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):



C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe


Return to OTMoveIt2, right click in the "Paste Standard List of Files/Folders to Move" window (under the light blue bar) and choose Paste.

Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.

gomer pyle
2008-02-02, 20:33
Hey Shaba,
Here is the OTMOVEIT as per your instructions

What's next?



C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl .exe moved successfully.

OTMoveIt2 v1.0.17 log created on 02022008_103055

Shaba
2008-02-02, 20:36
Hi

If you want to keep McAfee and it's up-to-date, please uninstall AntiVir.

Open HijackThis, click do a system scan only and checkmark this:

O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe

Close all windows including browser and press fix checked.

Reboot.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

Note: This scanner will work with Internet Explorer Only!

Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the license, click on the Zoom tool located at the right bottom of the IE window and set the zoom to 75 %. Once the license accepted, reset to 100%.

Post:

- a fresh HijackThis log
- kaspersky report

gomer pyle
2008-02-02, 21:55
Hi Shaba
I do want to get rid of Avira and keep Mcafee.

I removed the line as you directed.

As far as kapersky.
I can't seem to get IE to connect to the internet.
Therefore I can't use Kapersky.
What should I do now?
Thanks.

Shaba
2008-02-03, 12:15
Hi

Have you allowed IE from McAfee's firewall?

gomer pyle
2008-02-05, 00:49
You were right about Mcafee having locked IE.
I was able to run the Kapersky scan.
Here is the log.
Thanks a million

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, February 04, 2008 2:42:15 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 4/02/2008
Kaspersky Anti-Virus database records: 546598
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 146188
Number of viruses found: 24
Number of infected objects: 157
Number of suspicious objects: 2
Duration of the scan process: 05:15:09

Infected Object Name / Virus Name / Last Action
C:\!KillBox\ddccd.dll Object is locked skipped
C:\!KillBox\ddccd.dll( 1) Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\!KillBox\ddccd.dll( 2) Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{D9B2A331-E0CB-4691-BE3B-03B9FF8D264B}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Isabella Cady\Desktop\PopularScreensaversSetup2.1.60.1.ZRfox000.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Documents and Settings\Isabella Cady\Desktop\PopularScreensaversSetup2.1.60.1.ZRfox000.exe CAB: infected - 1 skipped
C:\Documents and Settings\Isabella Cady\Local Settings\Temp\hsperfdata_Isabella Cady\3024 Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robin Cady\Application Data\Mozilla\Firefox\Profiles\tos3cori.default\cert8.db Object is locked skipped
C:\Documents and Settings\Robin Cady\Application Data\Mozilla\Firefox\Profiles\tos3cori.default\history.dat Object is locked skipped
C:\Documents and Settings\Robin Cady\Application Data\Mozilla\Firefox\Profiles\tos3cori.default\key3.db Object is locked skipped
C:\Documents and Settings\Robin Cady\Application Data\Mozilla\Firefox\Profiles\tos3cori.default\parent.lock Object is locked skipped
C:\Documents and Settings\Robin Cady\Application Data\Mozilla\Firefox\Profiles\tos3cori.default\search.sqlite Object is locked skipped
C:\Documents and Settings\Robin Cady\Application Data\Mozilla\Firefox\Profiles\tos3cori.default\urlclassifier2.sqlite Object is locked skipped
C:\Documents and Settings\Robin Cady\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\Application Data\Mozilla\Firefox\Profiles\tos3cori.default\Cache\_CACHE_001_ Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\Application Data\Mozilla\Firefox\Profiles\tos3cori.default\Cache\_CACHE_002_ Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\Application Data\Mozilla\Firefox\Profiles\tos3cori.default\Cache\_CACHE_003_ Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\Application Data\Mozilla\Firefox\Profiles\tos3cori.default\Cache\_CACHE_MAP_ Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Robin Cady\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Robin Cady\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MSN Gaming Zone\profsy.html Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\Program Files\iTunes\iTunesHelper.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\apbqctha.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bkcrtwnz.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\bxyprgvp.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ckuswcwf.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ddccd.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\ddccd.exe.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\hbkltyfy.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\wgwldktx.dll.vir Object is locked skipped
C:\QooBox\Quarantine\C\WINDOWS\SYSTEM32\windows.vir Object is locked skipped
C:\QooBox\Quarantine\catchme2008-01-28_110149.18.zip/core.sys Infected: Rootkit.Win32.Agent.sg skipped
C:\QooBox\Quarantine\catchme2008-01-28_110149.18.zip/bkcrtwnz.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\QooBox\Quarantine\catchme2008-01-28_110149.18.zip/ddccd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dih skipped
C:\QooBox\Quarantine\catchme2008-01-28_110149.18.zip ZIP: infected - 3 skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP10\change.log Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0001007.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0001022.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001244.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001270.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\Temp\mcafee_LzxJ0EGlHIEaLt9 Object is locked skipped
C:\WINDOWS\Temp\mcafee_xc03L6pZflHaQO9 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_9jOQhSjsnk48OR6 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_hf6iVXKCDh1KPkX Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Prz8fXXCnqeMxab Object is locked skipped
C:\WINDOWS\Temp\mcmsc_tKddY6aAYigT4xU Object is locked skipped
C:\WINDOWS\Temp\mcmsc_xceEPLp7lys5wcc Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

gomer pyle
2008-02-05, 00:53
C:\_OTMoveIt\MovedFiles\01312008_160202\WINDOWS\SYSTEM32\ymhjdxgx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.dnn skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Mon, 7 Aug 2000 10:51:25 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Mon, 7 Aug 2000 10:51:25 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Sun, 7 May 2000 01:59:32 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Sun, 7 May 2000 01:59:32 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Mon, 15 May 2000 23:29:10 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Mon, 15 May 2000 23:29:10 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Tue, 20 Jun 2000 17:29:02 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Tue, 20 Jun 2000 17:29:02 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Tue, 20 Jun 2000 17:31:02 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Tue, 20 Jun 2000 17:31:02 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Sat, 8 Jul 2000 11:17:29 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Sat, 8 Jul 2000 11:17:29 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Mon, 10 Jul 2000 10:52:45 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Mon, 10 Jul 2000 10:52:45 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Thu, 27 Jul 2000 21:27:37 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Thu, 27 Jul 2000 21:27:37 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Sun, 30 Jul 2000 09:04:54 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Sun, 30 Jul 2000 09:04:54 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Sun, 30 Jul 2000 13:46:52 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Sun, 30 Jul 2000 13:46:52 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Mon, 7 Aug 2000 10:45:26 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Mon, 7 Aug 2000 10:45:26 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Tue, 8 Aug 2000 11:06:18 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Tue, 8 Aug 2000 11:06:18 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Mon, 21 Aug 2000 16:27:06 -0700]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx/[From "robcady" <robcady@email.msn.com>][Date Mon, 21 Aug 2000 16:27:06 -0700]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\Sent Items.dbx Mail MS Outlook 5: infected - 26 skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\t-bird digest.dbx/[From tom fiorelli <tomfiorelli@usa.net>][Date 2 Jun 00 18:53:05 MDT]/text/[From "Eric Ragland" <ebrfmn@prodigy.net>][Date Fri, 2 Jun 2000 21:30:49 -0400]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\t-bird digest.dbx/[From tom fiorelli <tomfiorelli@usa.net>][Date 2 Jun 00 18:53:05 MDT]/text/[From "Eric Ragland" <ebrfmn@prodigy.net>][Date Fri, 2 Jun 2000 21:30:49 -0400]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\t-bird digest.dbx/[From tom fiorelli <tomfiorelli@usa.net>][Date 2 Jun 00 18:53:05 MDT]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\t-bird digest.dbx/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text/[From sbamford@pactiv.com][Date Fri, 2 Jun 2000 09:17:54 -0500]/text/[From "Lawrence R Zink" <zink@pdq.net>][Date Sat, 3 Jun 2000 09:29:58 -0500]/text/[From John Knight <jknight@malasada.lava.net>][Date Fri, 02 Jun 2000 07:48: ... /[From "O'Neil" <dbotbird@worldpath.net>][Date Fri, 2 Jun 2000 18:28:10 -040 ... /html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\t-bird digest.dbx/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text/[From sbamford@pactiv.com][Date Fri, 2 Jun 2000 09:17:54 -0500]/text/[From "Lawrence R Zink" <zink@pdq.net>][Date Sat, 3 Jun 2000 09:29:58 -0500]/text/[From John Knight <jknight@malasada.lava.net>][Date Fri, 02 Jun 2000 07:48: ... /[From "O'Neil" <dbotbird@worldpath.net>][Date Fri, 2 Jun 2000 18:28:10 -0400]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\t-bird digest.dbx/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text/[From sbamford@pactiv.com][Date Fri, 2 Jun 2000 09:17:54 -0500]/text/[From "Lawrence R Zink" <zink@pdq.net>][Date Sat, 3 Jun 2000 09:29:58 -0500]/text/[From John Knight <jknight@malasada.lava.net>][Date Fri, 02 Jun 2000 07:48:02 -1000]/text/[From JBrown433@aol.com][Date Fri, 2 Jun 2000 15:29:25 EDT]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\t-bird digest.dbx/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text/[From sbamford@pactiv.com][Date Fri, 2 Jun 2000 09:17:54 -0500]/text/[From "Lawrence R Zink" <zink@pdq.net>][Date Sat, 3 Jun 2000 09:29:58 -0500]/text/[From John Knight <jknight@malasada.lava.net>][Date Fri, 02 Jun 2000 07:48:02 -1000]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\t-bird digest.dbx/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text/[From sbamford@pactiv.com][Date Fri, 2 Jun 2000 09:17:54 -0500]/text/[From "Lawrence R Zink" <zink@pdq.net>][Date Sat, 3 Jun 2000 09:29:58 -0500]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\t-bird digest.dbx/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text/[From sbamford@pactiv.com][Date Fri, 2 Jun 2000 09:17:54 -0500]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\t-bird digest.dbx/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\t-bird digest.dbx/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\t-bird digest.dbx Mail MS Outlook 5: infected - 11 skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\E-bay.dbx/[From aw-confirm@ebay.com][Date Sun, 30 Jan 2000 10:14:25 PST]/text Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\E-bay.dbx/[From "Cathy Maynard" <maynard@initco.net>][Date Tue, 2 May 2000 21:51:23 -0600]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\E-bay.dbx/[From "Cathy Maynard" <maynard@initco.net>][Date Tue, 2 May 2000 21:51:23 -0600]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Application Data\Identities\{3AC26FE0-5542-11D3-B4DA-C95C1877B120}\Microsoft\Outlook Express\E-bay.dbx Mail MS Outlook 5: infected - 3 skipped

gomer pyle
2008-02-05, 00:55
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/Inbox/03 Feb 2000 23:54 from aw-confirm@ebay.com:eBay Outbid Notice - .eml Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/Inbox/04 Feb 2000 20:38 from aw-confirm@ebay.com:eBay Outbid Notice - .eml Infected: Trojan-Spy.HTML.Bayfraud.ib skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/Inbox/19 Jul 2000 04:40 from flairbirds-errors@lists.best.com:Digest f.eml/[From PERCYBABY@aol.com][Date Tue, 18 Jul 2000 19:42:55 EDT]/text/[From Rich Bailey <parussky@yahoo.com>][Date Tue, 18 Jul 2000 17:18:30 -0700 (PDT)]/text/[From Rich Bailey <parussky@yahoo.com>][Date Tue, 18 Jul 2000 17:22:42 -0700 (PDT)]/text/[From TOPKEY@aol.com][Date Tue, 18 Jul 2000 20:54:17 EDT ... /[From "Bob & Elaine Bagshaw" <bagshaw@erols.com>][Date Tue, 18 Jul 2000 22:45:01 -040 ... /html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/Inbox/19 Jul 2000 04:40 from flairbirds-errors@lists.best.com:Digest f.eml/[From PERCYBABY@aol.com][Date Tue, 18 Jul 2000 19:42:55 EDT]/text/[From Rich Bailey <parussky@yahoo.com>][Date Tue, 18 Jul 2000 17:18:30 -0700 (PDT)]/text/[From Rich Bailey <parussky@yahoo.com>][Date Tue, 18 Jul 2000 17:22:42 -0700 (PDT)]/text/[From TOPKEY@aol.com][Date Tue, 18 Jul 2000 20:54:17 EDT ... /[From "Bob & Elaine Bagshaw" <bagshaw@erols.com>][Date Tue, 18 Jul 2000 22:45:01 -0400]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/Inbox/19 Jul 2000 04:40 from flairbirds-errors@lists.best.com:Digest f.eml/[From PERCYBABY@aol.com][Date Tue, 18 Jul 2000 19:42:55 EDT]/text/[From Rich Bailey <parussky@yahoo.com>][Date Tue, 18 Jul 2000 17:18:30 -0700 (PDT)]/text/[From Rich Bailey <parussky@yahoo.com>][Date Tue, 18 Jul 2000 17:22:42 -0700 (PDT)]/text/[From TOPKEY@aol.com][Date Tue, 18 Jul 2000 20:54:17 EDT]/text/[From "Gary E. Tayman" <gtayman@gate.net>][Date Tue, 18 Jul 2000 22:50:27 -0400]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/Inbox/19 Jul 2000 04:40 from flairbirds-errors@lists.best.com:Digest f.eml/[From PERCYBABY@aol.com][Date Tue, 18 Jul 2000 19:42:55 EDT]/text/[From Rich Bailey <parussky@yahoo.com>][Date Tue, 18 Jul 2000 17:18:30 -0700 (PDT)]/text/[From Rich Bailey <parussky@yahoo.com>][Date Tue, 18 Jul 2000 17:22:42 -0700 (PDT)]/text/[From TOPKEY@aol.com][Date Tue, 18 Jul 2000 20:54:17 EDT]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/Inbox/19 Jul 2000 04:40 from flairbirds-errors@lists.best.com:Digest f.eml/[From PERCYBABY@aol.com][Date Tue, 18 Jul 2000 19:42:55 EDT]/text/[From Rich Bailey <parussky@yahoo.com>][Date Tue, 18 Jul 2000 17:18:30 -0700 (PDT)]/text/[From Rich Bailey <parussky@yahoo.com>][Date Tue, 18 Jul 2000 17:22:42 -0700 (PDT)]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/Inbox/19 Jul 2000 04:40 from flairbirds-errors@lists.best.com:Digest f.eml/[From PERCYBABY@aol.com][Date Tue, 18 Jul 2000 19:42:55 EDT]/text/[From Rich Bailey <parussky@yahoo.com>][Date Tue, 18 Jul 2000 17:18:30 -0700 (PDT)]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/Inbox/19 Jul 2000 04:40 from flairbirds-errors@lists.best.com:Digest f.eml/[From PERCYBABY@aol.com][Date Tue, 18 Jul 2000 19:42:55 EDT]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/Inbox/19 Jul 2000 04:40 from flairbirds-errors@lists.best.com:Digest f.eml Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 16:36 from flairbirds-errors@lists.best.com:Digest f.eml/[From tom fiorelli <tomfiorelli@usa.net>][Date 2 Jun 00 18:53:05 MDT]/text/[From "Eric Ragland" <ebrfmn@prodigy.net>][Date Fri, 2 Jun 2000 21:30:49 -0400]/UNNAMED/html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 16:36 from flairbirds-errors@lists.best.com:Digest f.eml/[From tom fiorelli <tomfiorelli@usa.net>][Date 2 Jun 00 18:53:05 MDT]/text/[From "Eric Ragland" <ebrfmn@prodigy.net>][Date Fri, 2 Jun 2000 21:30:49 -0400]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 16:36 from flairbirds-errors@lists.best.com:Digest f.eml/[From tom fiorelli <tomfiorelli@usa.net>][Date 2 Jun 00 18:53:05 MDT]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 16:36 from flairbirds-errors@lists.best.com:Digest f.eml Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 01:18 from flairbirds-errors@lists.best.com:Digest f.eml/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text/[From sbamford@pactiv.com][Date Fri, 2 Jun 2000 09:17:54 -0500]/text/[From "Lawrence R Zink" <zink@pdq.net>][Date Sat, 3 J ... ... /[From "O'Neil" <dbotbird@worldpath.net>][Date Fri, 2 Jun 2000 18:28:10 -040 ... /html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 01:18 from flairbirds-errors@lists.best.com:Digest f.eml/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text/[From sbamford@pactiv.com][Date Fri, 2 Jun 2000 09:17:54 -0500]/text/[From "Lawrence R Zink" <zink@pdq.net>][Date Sat, 3 J ... ... /[From "O'Neil" <dbotbird@worldpath.net>][Date Fri, 2 Jun 2000 18:28:10 -0400]/UNNAMED Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 01:18 from flairbirds-errors@lists.best.com:Digest f.eml/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text/[From sbamford@pactiv.com][Date Fri, 2 Jun 2000 09:17:54 -0500]/text/[From "Lawrence R Zink" <zink@pdq.net>][Date Sat, 3 J ... /[From John Knight < ... /[From JBrown433@aol.com][Date Fri, 2 Jun 2000 15:29:25 EDT]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 01:18 from flairbirds-errors@lists.best.com:Digest f.eml/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text/[From sbamford@pactiv.com][Date Fri, 2 Jun 2000 09:17:54 -0500]/text/[From "Lawrence R Zink" <zink@pdq.net>][Date Sat, 3 J ... /[From John Knight <jknight@malasada.lava.net>][Date Fri, 02 Jun 2000 07:48:02 -1000]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 01:18 from flairbirds-errors@lists.best.com:Digest f.eml/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text/[From sbamford@pactiv.com][Date Fri, 2 Jun 2000 09:17:54 -0500]/text/[From "Lawrence R Zink" <zink@pdq.net>][Date Sat, 3 Jun 2000 09:29:58 -0500]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 01:18 from flairbirds-errors@lists.best.com:Digest f.eml/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text/[From sbamford@pactiv.com][Date Fri, 2 Jun 2000 09:17:54 -0500]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 01:18 from flairbirds-errors@lists.best.com:Digest f.eml/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text/[From "Leadholm, Tom" <Tom.Leadholm@med.va.gov>][Date Fri, 2 Jun 2000 07:34:11 -0500]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 01:18 from flairbirds-errors@lists.best.com:Digest f.eml/[From "Lamar Elrod" <lexplore@hotmail.com>][Date Fri, 02 Jun 2000 08:30:59 EDT]/text Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst/Personal Folders/t-bird digest/03 Jun 2000 01:18 from flairbirds-errors@lists.best.com:Digest f.eml Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\Personal Folders(1).pst Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/07 May 2000 08:59 to Cathy Maynard:Re: e-bay item #317431046.html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/16 May 2000 06:29 to Teri Jones:Re: oil tank.html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/21 Jun 2000 00:29 to Karley Sato:Yard work.html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/21 Jun 2000 00:31 to karley7@hotmail.com:Fw: Yard work.html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/08 Jul 2000 18:17 to C Morris:Tiki .html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/10 Jul 2000 17:52 to pinuppoll@aol.com:pic' of the litter July.html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/28 Jul 2000 04:27 to karley7@hotmail.com:Yard Maintanence.html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/30 Jul 2000 16:04 to 199988TWINCAM:Truck pics.html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/30 Jul 2000 20:46 to Bob:truck pics.html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/07 Aug 2000 17:45 to Lizkath@aol.com:reverberator shop tiips.html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/07 Aug 2000 17:51 to flairbirds@lists.best.com:64 t-bird front s.html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst/Archive Folders/Sent Items/08 Aug 2000 18:06 to Francine:upholsterer.html Infected: Email-Worm.VBS.KakWorm skipped
E:\WINDOWS\Local Settings\Application Data\Microsoft\Outlook\archive.pst Mail MS Mail: infected - 35 skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0007 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0008/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.av skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0008/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0008 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0009/data0002 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0009 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0011/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0011 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0014 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0015 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0021/bdeinstall.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0021 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0022/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0022 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0025/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0025 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0026/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0026 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0029/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0029 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0030/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0030 Infected: Trojan.Win32.Krepper.y skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0032/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0032/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe/data0032 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
E:\Program Files\KaZaA\My Shared Folder\kmd15_en.exe Inno: infected - 28 skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0008/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0008 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0011 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0012 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0018/bdeinstall.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0018 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0019/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0019 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0022/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0022 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0023/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0023 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0026/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0026 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0027/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0027 Infected: Trojan.Win32.Krepper.y skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0029/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0029/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe/data0029 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
E:\Program Files\KaZaA\My Shared Folder\KazaaUpdate151.exe Inno: infected - 22 skipped
E:\Program Files\KaZaA\My Shared Folder\kmd171gu_en.exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\Program Files\KaZaA\My Shared Folder\kmd171gu_en.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\Program Files\KaZaA\My Shared Folder\kmd171gu_en.exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\Program Files\KaZaA\My Shared Folder\kmd171gu_en.exe Inno: infected - 3 skipped

gomer pyle
2008-02-05, 00:57
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip/wcmdmgrl.exe Suspicious: Password-protected-EXE skipped
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WildTangent4.zip ZIP: suspicious - 1 skipped
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Temp\BDECache\bdeD.tmp/BDESac24.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Temp\BDECache\bdeD.tmp CAB: infected - 1 skipped
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Temp\BDECache\bde8.tmp/bdeinsta25.dll Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Temp\BDECache\bde8.tmp CAB: infected - 1 skipped
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Application Data\Identities\{A0FBE00C-038E-4B90-9CD0-2BB136388EAC}\Microsoft\Outlook Express\Deleted Items.dbx/[From contactintelligentx <contactintelligentx@flowgo.com>][Date Tue, 2 Apr 2002 12:50:22 -0500 (EST)]/UNNAMED/play.exe Infected: Email-Worm.Win32.Klez.e skipped
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Application Data\Identities\{A0FBE00C-038E-4B90-9CD0-2BB136388EAC}\Microsoft\Outlook Express\Deleted Items.dbx/[From contactintelligentx <contactintelligentx@flowgo.com>][Date Tue, 2 Apr 2002 12:50:22 -0500 (EST)]/UNNAMED Infected: Email-Worm.Win32.Klez.e skipped
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Application Data\Identities\{A0FBE00C-038E-4B90-9CD0-2BB136388EAC}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped

Scan process completed.

gomer pyle
2008-02-05, 00:59
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:45:06 PM, on 2/4/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - S-1-5-21-4219811858-3455423638-1855872279-1008 Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe (User '?')
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robin Cady\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200448995890
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

--
End of file - 9787 bytes

Shaba
2008-02-05, 15:45
Hi

Nice that it worked out :)

Empty these folders:

C:\!KillBox\
C:\QooBox\Quarantine\
E:\Program Files\KaZaA\My Shared Folder\
E:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Temp\
C:\_OTMoveIt\MovedFiles\

Empty Recycle Bin.


Delete all bad mails in kaspersky log and empty Deleted items

Re-scan with kaspersky.

Post:

- a fresh HijackThis log
- kaspersky report

gomer pyle
2008-02-06, 03:37
-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 05, 2008 5:34:57 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 5/02/2008
Kaspersky Anti-Virus database records: 550073
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 144336
Number of viruses found: 20
Number of infected objects: 71
Number of suspicious objects: 0
Duration of the scan process: 04:29:19

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\McAfee\MNA\NAData Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MPF\data\log.edb Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\Events.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\Logs\{D9B2A331-E0CB-4691-BE3B-03B9FF8D264B}.log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\MSC\McUsers.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Data\TFR1.tmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\McAfee\VirusScan\Logs\OAS.Log Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\Isabella Cady\Desktop\PopularScreensaversSetup2.1.60.1.ZRfox000.exe/mwsSetup.CommonCodebase.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.au skipped
C:\Documents and Settings\Isabella Cady\Desktop\PopularScreensaversSetup2.1.60.1.ZRfox000.exe CAB: infected - 1 skipped
C:\Documents and Settings\Isabella Cady\Local Settings\Temp\hsperfdata_Isabella Cady\3024 Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Robin Cady\Cookies\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\History\History.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\Temp\hpodvd09.log Object is locked skipped
C:\Documents and Settings\Robin Cady\Local Settings\Temporary Internet Files\Content.IE5\INDEX.DAT Object is locked skipped
C:\Documents and Settings\Robin Cady\My Documents\ddccd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Robin Cady\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Robin Cady\ntuser.dat.LOG Object is locked skipped
C:\Program Files\MSN Gaming Zone\profsy.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001554.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\change.log Object is locked skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0001007.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP4\A0001022.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001244.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001254.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001255.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP5\A0001270.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe Infected: Trojan-Dropper.Win32.Agent.dgo skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\SYSTEM32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\AppEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SAM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SecEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SysEvent.Evt Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM Object is locked skipped
C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.LOG Object is locked skipped
C:\WINDOWS\SYSTEM32\H323LOG.TXT Object is locked skipped
C:\WINDOWS\Temp\mcafee_LzxJ0EGlHIEaLt9 Object is locked skipped
C:\WINDOWS\Temp\mcafee_xc03L6pZflHaQO9 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_9jOQhSjsnk48OR6 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_Prz8fXXCnqeMxab Object is locked skipped
C:\WINDOWS\Temp\mcmsc_qrnvCUMIashfoA7 Object is locked skipped
C:\WINDOWS\Temp\mcmsc_xceEPLp7lys5wcc Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\change.log Object is locked skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0007 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0008/SaveNow.exe Infected: not-a-virus:AdWare.Win32.SaveNow.av skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0008/Uninst.exe Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0008 Infected: not-a-virus:AdWare.Win32.SaveNow.au skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0009/data0002 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0009 Infected: not-a-virus:AdWare.Win32.CommonName.g skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0011/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0011 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0014 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0015 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0021/bdeinstall.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0021 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0022/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0022 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0025/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0025 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0026/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0026 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0029/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0029 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0030/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0030 Infected: Trojan.Win32.Krepper.y skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0032/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0032/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe/data0032 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001548.exe Inno: infected - 28 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0003/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0003/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0003 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0008/bdedetect1.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0008 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0011 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1007 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0012 Infected: not-a-virus:AdWare.Win32.Altnet.a skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0018/bdeinstall.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0018 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.1044 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0019/bde3d_ref2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0019 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.d skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0022/bdeload.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0022 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.e skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0023/bdeplayer2.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0023 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.f skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0026/BDESac10.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0026 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.3120 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0027/bdeviewer.exe Infected: Trojan.Win32.Krepper.y skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0027 Infected: Trojan.Win32.Krepper.y skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0029/BDEVerify.exe Infected: not-a-virus:AdWare.Win32.BrilliantDigital.a skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0029/BDEVerify.dll Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe/data0029 Infected: not-a-virus:AdWare.Win32.BrilliantDigital.b skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001549.exe Inno: infected - 22 skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001550.exe/data0004/cd_clint.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001550.exe/data0004/cd_htm.dll Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001550.exe/data0004 Infected: not-a-virus:AdWare.Win32.Cydoor skipped
E:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP12\A0001550.exe Inno: infected - 3 skipped
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Application Data\Identities\{A0FBE00C-038E-4B90-9CD0-2BB136388EAC}\Microsoft\Outlook Express\Deleted Items.dbx/[From contactintelligentx <contactintelligentx@flowgo.com>][Date Tue, 2 Apr 2002 12:50:22 -0500 (EST)]/UNNAMED/play.exe Infected: Email-Worm.Win32.Klez.e skipped
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Application Data\Identities\{A0FBE00C-038E-4B90-9CD0-2BB136388EAC}\Microsoft\Outlook Express\Deleted Items.dbx/[From contactintelligentx <contactintelligentx@flowgo.com>][Date Tue, 2 Apr 2002 12:50:22 -0500 (EST)]/UNNAMED Infected: Email-Worm.Win32.Klez.e skipped
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Application Data\Identities\{A0FBE00C-038E-4B90-9CD0-2BB136388EAC}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped

Scan process completed.

gomer pyle
2008-02-06, 03:39
Hope were getting near the end.
So far so good.
Thanks!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:38:06 PM, on 2/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\McAfee\MBK\MBackMonitor.exe
C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
C:\Program Files\McAfee\MPF\MPFSrv.exe
C:\PROGRA~1\McAfee\MPS\mps.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
c:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\McAfee\MPS\mpsevh.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/
O2 - BHO: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - c:\PROGRA~1\mcafee\VIRUSS~1\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Comcast Toolbar - {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - C:\PROGRA~1\COMCAS~1\COMCAS~1.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [MBkLogOnHook] C:\Program Files\McAfee\MBK\LogOnHook.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1
O4 - HKCU\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_9 -reboot 1 (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [Uniblue RegistryBooster 2] C:\Program Files\Uniblue\RegistryBooster 2\RegistryBooster.exe /S (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4219811858-3455423638-1855872279-1008\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" (User '?')
O4 - S-1-5-21-4219811858-3455423638-1855872279-1008 Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe (User '?')
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Robin Cady\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1200448995890
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - C:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBackMonitor - McAfee - C:\Program Files\McAfee\MBK\MBackMonitor.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - C:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - C:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Proxy Service (McProxy) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\mcproxy\mcproxy.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - c:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - C:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: McAfee Privacy Service (MPS9) - McAfee, Inc. - C:\PROGRA~1\McAfee\MPS\mps.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: VundoFix Service (VundoFixSvc) - Atribune.org - C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
O23 - Service: WMI Performance Adapter (WmiApSrv) - Unknown owner - C:\WINDOWS\System32\wbem\wmiapsrv.exe (file missing)

--
End of file - 9787 bytes

Shaba
2008-02-06, 12:08
Hi

Delete these mails:

E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Application Data\Identities\{A0FBE00C-038E-4B90-9CD0-2BB136388EAC}\Microsoft\Outlook Express\Deleted Items.dbx/[From contactintelligentx <contactintelligentx@flowgo.com>][Date Tue, 2 Apr 2002 12:50:22 -0500 (EST)]/UNNAMED/play.exe Infected: Email-Worm.Win32.Klez.e skipped
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Application Data\Identities\{A0FBE00C-038E-4B90-9CD0-2BB136388EAC}\Microsoft\Outlook Express\Deleted Items.dbx/[From contactintelligentx <contactintelligentx@flowgo.com>][Date Tue, 2 Apr 2002 12:50:22 -0500 (EST)]/UNNAMED Infected: Email-Worm.Win32.Klez.e skipped
E:\Documents and Settings\ROBIN O CADY.bak\Local Settings\Application Data\Identities\{A0FBE00C-038E-4B90-9CD0-2BB136388EAC}\Microsoft\Outlook Express\Deleted Items.dbx Mail MS Outlook 5: infected - 2 skipped

Delete these:

C:\Documents and Settings\Isabella Cady\Desktop\PopularScreensaversSetup2.1.60.1.ZRfox000.exe
C:\Documents and Settings\Robin Cady\My Documents\ddccd.dll
C:\Program Files\MSN Gaming Zone\profsy.htm
C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe

Empty Recycle Bin.

Download msconfig from here (http://www.spywareinfo.com/~merijn/winfiles.php#msconfig.exe)
and move it to C:\WINDOWS\PCHealth\HelpCtr\Binaries folder

All other viruses are in system restore and inactive.

I give you later instructions how to empty it.

Other than that, any problems left?

gomer pyle
2008-02-06, 20:53
Hey Shaba,
Thanks for the help so far.

There are a few questions.

Why does my C: drive (main hard drive) still have a red x where the drive icon should be?

Can I delete the multitude of $NtUninstall files located in C:\windows?

I can't believe the level of detail you are going to to help me. I surely appreciate it.

Thanks

Shaba
2008-02-06, 20:57
Hi

"Can I delete the multitude of $NtUninstall files located in C:\windows?"

No, they are hotfix backups. Let them be.

As for red x:

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons]

It should look like this -> http://users.telenet.be/bluepatchy/miekiemoes/images/reg.gif

Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here (http://www.nellie2.co.uk/file.htm#How_to_Make_a_.Reg_File_) with screenshots.)

Reboot.

Is it now back to normal?

gomer pyle
2008-02-07, 20:21
Hey Shaba,
That worked well.

I am getting another virus warning from Avira.
It reads:
C:\System Volume Information\...\A0002834.exe

Should I do anything about this?

Thanks

Shaba
2008-02-07, 20:23
Hi

No, as it is in system restore.

I give you later instructions how to empty it.

Other than that, any problems left?

gomer pyle
2008-02-08, 06:31
No problems.
Everything is running smooth.

Should I remove the Avira program and just use Mcafee?

Can I delete the log files and .reg files that were saved to the desktop?

Thanks for your help and knowledge.
Gomer

Shaba
2008-02-08, 11:56
Hi

"Should I remove the Avira program and just use Mcafee?

Can I delete the log files and .reg files that were saved to the desktop?"

Yes :)

Any other issues?