Bar888, Command and Smitfraud



Giltrap
2006-12-18, 15:47
I downloaded something off the internet and then popups and some other stuff started appearing. I then downloaded spybot to see if that would help and it removes some of the problems, but they re-appear a few minutes later. I think the ones that I can't remove are putting the other problem files back onto the system.

Bar888 and smitfraud are the two which go temporarily but Command does not go. I tried to uninstall it on Add or Remove programs but was sent to a website which wanted me to download something else to remove it (like I'm going to that now...)

How can I get this off and how can I stop it happening again in the future?

I am going to be more careful with my downloads. I have already removed limewire which was randomly starting on its own and being annoying. (If anybody knows about that, extra help is appreciated)

Thanks in advance for any help. :bigthumb:

Giltrap

(I checked a few threads on this forum, but they had things on them that I don't understand so I thought I should ask myself)

Mr_JAk3
2006-12-18, 16:02
Hi Giltrap and welcome to Safer Networking Forums :)

Please follow the following instructions -> "BEFORE you POST" -Preliminary Steps and scanning with SPYBOT-S&D (http://forums.spybot.info/showthread.php?t=288)

Giltrap
2006-12-18, 16:18
I followed your link, did the safe mode bit and I think it is fixed, I cannot find the 888bar thing and I am going to check to see if spybot finds the rest just now.

If I don't post anything else on this thread (or I do and say it's fine) then it is okay.

Thanks, I've always been bad at reading the stickies. :sad:

Giltrap

Giltrap
2006-12-18, 17:17
Things are still showing up... :sad:

I have done an online virus scan and ran spybot in safe mode. The safe mode thing worked for a bit, but all the stuff started reappearing.

I have a HijackThis log like the steps you sent me a link to said to get, but I don't know what to do with it. Should I post it here?

Giltrap

Giltrap
2006-12-18, 17:44
All that is left is the 888Bar thing.

It is showing up in Internet Explorer and Add or remove programs but not in spybot. I try to uninstall it, but it re-appears. How do I remove it?

Thanks, this should be it after this.

Giltrap

Mr_JAk3
2006-12-18, 19:36
Hi :)

Please post a HijackThis log here:
Click here (http://downloads.malwareremoval.com/HijackThis.exe) to download HijackThis.exe
Save HijackThis.exe to your desktop.
Create a new folder named HijackThis on your desktop. Move HijackThis.exe into that folder.
Run HijackThis.exe
Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
Click Save to save the log file and then the log will open in notepad.
Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
Come back here to this thread and Paste the log in your next reply.
DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Giltrap
2006-12-19, 15:40
I did another to make sure it is the most recent one. I also moved it to the desktop as I had it somewhere else.

There is also a load of stuff showing up on AVG free when I do a scan, what should I do about all of that?

Here is the logfile:

Logfile of HijackThis v1.99.1
Scan saved at 14:34:32, on 19/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Common Files\{B4BDA421-08A2-1033-0910-06011006002c}\Update.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\?dobe\l?ass.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\svchosts.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgwb.dat
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ben\Desktop\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
R3 - URLSearchHook: (no name) - {FBF221C6-E077-CDD2-7725-E65B212F32CA} - C:\WINDOWS\system32\ejrthiis.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34BDA~1\Bar888.dll (file missing)
O2 - BHO: (no name) - {FBF221C6-E077-CDD2-7725-E65B212F32CA} - C:\WINDOWS\system32\ejrthiis.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34BDA~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [{B4BDA421-08A2-1033-0910-06011006002c}] "C:\Program Files\Common Files\{B4BDA421-08A2-1033-0910-06011006002c}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Xzqebrpy] C:\WINDOWS\system32\?dobe\l?ass.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: StumbleUpon: &Blog This - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

Giltrap

Mr_JAk3
2006-12-19, 20:26
Hi, you got some infections there...

Go to virustotal.com (http://www.virustotal.com)
Copy the following to the box next to the "Browse" button:
C:\WINDOWS\system32\svchosts.exe
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here. :bigthumb:

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
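The diagnosis above rests on reading the HijackThis log for a few tell-tale patterns: a path that HijackThis prints with `?` in it (a folder or file name using characters it cannot display, here `?dobe\l?ass.exe`), a file name one character away from a real Windows binary (`svchosts.exe` next to the real `svchost.exe`), a registered component whose file is missing, and a service with no publisher. The following Python script is an added example, not part of the thread and not code from HijackThis or Safer Networking; it applies exactly those checks to a handful of entries copied from the log posted earlier. The `KNOWN_SYSTEM_BINARIES` list, the edit-distance threshold and the `Finding` record are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_HJT_LOG = r"""
R3 - URLSearchHook: (no name) - {FBF221C6-E077-CDD2-7725-E65B212F32CA} - C:\WINDOWS\system32\ejrthiis.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34BDA~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [Xzqebrpy] C:\WINDOWS\system32\?dobe\l?ass.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000137 (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

# Assumed list of core Windows XP binaries that malware likes to imitate by name.
KNOWN_SYSTEM_BINARIES = sorted({
    "svchost.exe", "lsass.exe", "smss.exe", "winlogon.exe", "services.exe",
    "spoolsv.exe", "explorer.exe", "csrss.exe", "rundll32.exe",
})

ENTRY_RE = re.compile(r"^[A-Z]\d{1,2} - ")                     # R0, O2, O4, O23 ...
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|com|dat)\b", re.IGNORECASE)


@dataclass
class Finding:
    section: str   # the HijackThis section code, e.g. "O4"
    reason: str    # why the entry was flagged
    entry: str     # the full log line


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; small enough inputs that O(n*m) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(filename: str) -> Optional[str]:
    """Return the system binary this name imitates (one edit away), or None."""
    name = filename.lower()
    if name in KNOWN_SYSTEM_BINARIES:
        return None                      # the genuine article is not a lookalike
    for known in KNOWN_SYSTEM_BINARIES:
        if edit_distance(name, known) == 1:
            return known
    return None


def triage_entry(line: str) -> List[Finding]:
    section = line.split(" - ", 1)[0].strip()
    findings = []
    for path in PATH_RE.findall(line):
        filename = path.rsplit("\\", 1)[-1]
        if "?" in path:
            findings.append(Finding(section, "path contains characters HijackThis cannot print (lookalike folder or file name)", line))
        known = lookalike_of(filename)
        if known:
            findings.append(Finding(section, f"{filename} is one edit away from system binary {known}", line))
    if "(file missing)" in line:
        findings.append(Finding(section, "registered component points at a file that is not on disk", line))
    if section == "O23" and "Unknown owner" in line:
        findings.append(Finding(section, "service carries no publisher information", line))
    return findings


def triage(log_text: str) -> List[Finding]:
    """Run the checks over every HijackThis entry line in the log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if ENTRY_RE.match(line):
            findings.extend(triage_entry(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.entry}")
```

The checks deliberately stop short of judging a name such as `ejrthiis.dll` by its spelling alone; a randomly generated file name is only an indicator, which is why the reply above sends the unknown file to VirusTotal rather than calling it malicious on sight. The edit-distance check is also only as good as the list of genuine binaries it is compared against, so keep that list to names whose real location you know.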

Giltrap
2006-12-19, 22:08
Here is half of the ComboFix results:

Ben - 06-12-19 20:40:37.26 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Ben\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bszip.dll
C:\WINDOWS\system32\cmd.com
C:\WINDOWS\system32\netstat.com
C:\WINDOWS\system32\ping.com
C:\WINDOWS\system32\regedit.com
C:\WINDOWS\system32\taskkill.com
C:\WINDOWS\system32\tasklist.com
C:\WINDOWS\system32\tracert.com
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\outlook
C:\Program Files\Common Files\{34BDA421-08A2-1033-0910-06011006002c}
C:\Program Files\Common Files\{B4BDA421-08A2-1033-0910-06011006002c}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Program Files\Common Files\ECURIT~1
C:\QooBox\Purity\Program Files\Common Files\ECURIT~1\?ecurity
C:\QooBox\Purity\WINDOWS\system32\DOBE~1
C:\QooBox\Purity\WINDOWS\system32\DOBE~1\l?ass.exe


((((((((((((((((((((((((((((((( Files Created from 2006-11-19 to 2006-12-19 ))))))))))))))))))))))))))))))))))


2006-12-19 20:41 <DIR> d-------- C:\Program Files\Common Files\{B4BDA421-08A2-1033-0910-060110060001}
2006-12-18 17:31 <DIR> dr-h----- C:\$VAULT$.AVG
2006-12-18 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
2006-12-18 17:01 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\AVG7
2006-12-18 17:00 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-18 17:00 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2006-12-18 17:00 4,960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-12-18 17:00 4,224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-18 17:00 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2006-12-18 17:00 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-18 17:00 28,416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-18 17:00 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-18 17:00 <DIR> d-------- C:\Program Files\Grisoft
2006-12-18 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2006-12-18 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
2006-12-18 15:44 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-12-18 15:42 <DIR> d-------- C:\Documents and Settings\Ben\.housecall6.6
2006-12-18 15:00 91,973 --a------ C:\Documents and Settings\Ben\install.exe
2006-12-18 14:15 <DIR> d--hs---- C:\WINDOWS\QmVuIEdpbGNocmlzdA
2006-12-18 14:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-18 14:01 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2006-12-18 13:00 56,320 --a------ C:\WINDOWS\system32\ejrthiis.dll
2006-12-18 13:00 2 --a------ C:\WINDOWS\system32\wcptr.exe
2006-12-18 12:42 91,973 --a------ C:\WINDOWS\system32\install.exe
2006-12-18 12:42 36,864 --a------ C:\WINDOWS\system32\svchosts.exe
2006-12-18 12:42 <DIR> d--hs---- C:\Documents and Settings\Ben\Complete
2006-12-17 17:05 <DIR> d-------- C:\Program Files\Jasc Software Inc
2006-12-17 17:05 <DIR> d-------- C:\Program Files\Common Files\SWF Studio
2006-12-17 17:05 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Jasc Software Inc
2006-12-14 17:49 <DIR> d-------- C:\Program Files\WinRAR
2006-12-13 19:47 <DIR> d-------- C:\Program Files\MeeSoft
2006-12-12 23:41 <DIR> d-------- C:\cc2bac848b655f133589d546f6
2006-12-11 13:16 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Matrox Graphics Inc
2006-12-11 13:15 <DIR> d-------- C:\Program Files\MSXML 4.0
2006-12-11 11:33 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2006-12-11 11:26 <DIR> d-------- C:\Program Files\Microsoft IntelliPoint
2006-12-11 11:25 <DIR> d-------- C:\Program Files\Microsoft IntelliType Pro
2006-12-11 11:22 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2006-12-11 11:22 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2006-12-11 11:22 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2006-12-11 11:22 14,848 --a------ C:\WINDOWS\system32\drivers\kbdhid.sys
2006-12-10 16:59 <DIR> d-------- C:\Program Files\Reality Pump
2006-12-10 14:50 <DIR> d-------- C:\Program Files\Adobe
2006-12-10 14:50 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Adobe
2006-12-10 14:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe
2006-12-10 14:47 <DIR> d-------- C:\Program Files\Common Files\Adobe
2006-12-10 14:39 <DIR> d-------- C:\Program Files\Autopano-SIFT-2.3
2006-12-10 14:37 <DIR> d-------- C:\WINDOWS\system32\URTTemp
2006-12-10 11:21 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-12-10 11:12 7,008 --a------ C:\WINDOWS\system\SETUPKIT.DLL
2006-12-10 11:12 45,584 --a------ C:\WINDOWS\system\GSWDLL.DLL
2006-12-10 11:12 398,416 --a------ C:\WINDOWS\system\VBRUN300.DLL
2006-12-10 11:12 398,400 --a------ C:\WINDOWS\system\VTSSDLL.DLL
2006-12-10 11:12 30,505 --a------ C:\WINDOWS\SSSETUP.EXE
2006-12-10 11:12 262,704 --a------ C:\WINDOWS\system\GSW.EXE
2006-12-09 15:46 <DIR> d-------- C:\Program Files\Screen Recorder
2006-12-07 23:06 <DIR> d-------- C:\Documents and Settings\Ben\Shared
2006-12-07 23:06 <DIR> d-------- C:\Documents and Settings\Ben\Incomplete
2006-12-07 21:50 <DIR> d-------- C:\Program Files\LimeWire
2006-12-07 21:49 <DIR> d-------- C:\Documents and Settings\Ben\.limewire
2006-12-05 22:02 <DIR> d-------- C:\WINDOWS\system32\PreInstall
2006-12-05 17:49 <DIR> d-------- C:\Program Files\StumbleUpon
2006-12-05 17:49 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\StumbleUpon
2006-12-05 17:49 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Macromedia
2006-12-05 15:40 <DIR> d---s---- C:\Documents and Settings\Ben\UserData
2006-12-05 15:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google
2006-12-05 15:17 <DIR> d-------- C:\WINDOWS\Sun
2006-12-05 15:17 <DIR> d-------- C:\WINDOWS\.file_store_32
2006-12-05 15:17 <DIR> d-------- C:\Program Files\Google
2006-12-05 15:17 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Sun
2006-12-05 15:17 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Google
2006-12-05 15:16 <DIR> d-------- C:\Program Files\Java
2006-12-05 15:15 <DIR> d-------- C:\Program Files\Common Files\Java
2006-12-05 14:02 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2006-12-05 12:25 <DIR> d-------- C:\Documents and Settings\Ben\Contacts
2006-12-05 12:24 <DIR> d----c--- C:\WINDOWS\system32\DRVSTORE
2006-12-05 12:24 <DIR> d-------- C:\Program Files\MSN Messenger
2006-12-02 22:12 <DIR> d-------- C:\Program Files\GameSpy Arcade
2006-12-02 22:10 <DIR> d-------- C:\Program Files\Firefly Studios
2006-12-02 20:58 43,520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2006-12-02 20:53 <DIR> d-------- C:\Program Files\VUGames
2006-12-02 20:48 32,939,002 --a------ C:\back_up.reg
2006-12-02 20:48 1,056,768 -ra------ C:\WINDOWS\system32\RoboEx32.dll
2006-11-30 21:21 57,856 -ra------ C:\WINDOWS\system32\drivers\NVENETFD.sys
2006-11-30 21:21 442,368 --a------ C:\WINDOWS\system32\CapabilityTable.exe
2006-11-30 21:21 363,008 -ra------ C:\WINDOWS\system32\idecoiins.dll
2006-11-30 21:21 363,008 -ra------ C:\WINDOWS\system32\idecoi.dll
2006-11-30 21:21 35,840 -ra------ C:\WINDOWS\system32\nvconrm.dll
2006-11-30 21:21 35,840 -ra------ C:\WINDOWS\system32\NVCOI.DLL
2006-11-30 21:21 261,632 -ra------ C:\WINDOWS\system32\drivers\nvsnpu.sys
2006-11-30 21:21 208,896 --a------ C:\WINDOWS\system32\nvunrm.exe
2006-11-30 21:21 208,896 --------- C:\WINDOWS\system32\nvuide.exe
2006-11-30 21:21 201,728 -ra------ C:\WINDOWS\system32\fdco1ins.dll
2006-11-30 21:21 201,728 -ra------ C:\WINDOWS\system32\fdco1.dll
2006-11-30 21:21 20,480 -ra------ C:\WINDOWS\system32\drivers\nvnetbus.sys
2006-11-30 21:21 110,592 -ra------ C:\WINDOWS\system32\drivers\nvtcp.sys
2006-11-30 21:21 11,264 -ra------ C:\WINDOWS\system32\bdco1ins.dll
2006-11-30 21:21 11,264 -ra------ C:\WINDOWS\system32\bdco1.dll
2006-11-30 21:21 105,088 -ra------ C:\WINDOWS\system32\drivers\nvata.sys
2006-11-30 21:21 1,160,448 -ra------ C:\WINDOWS\system32\drivers\nvnrm.sys
2006-11-30 21:20 <DIR> d-------- C:\WINDOWS\system32\ReinstallBackups
2006-11-30 21:20 <DIR> d-------- C:\WINDOWS\NV30323588.TMP
2006-11-30 17:59 26,496 --a------ C:\WINDOWS\system32\drivers\USBSTOR.SYS
2006-11-30 17:59 <DIR> d--hs---- C:\RECYCLER
2006-11-30 01:27 315,904 --a------ C:\WINDOWS\IsUninst.exe
2006-11-30 01:25 <DIR> d-------- C:\WINDOWS\system32\Lang
2006-11-30 01:22 208,896 --a------ C:\WINDOWS\system32\nvudisp.exe
2006-11-30 01:22 <DIR> d-------- C:\WINDOWS\nview
2006-11-30 01:20 40,960 -r------- C:\WINDOWS\system32\ChCfg.exe
2006-11-30 01:20 208,896 --a------ C:\WINDOWS\system32\NVUNINST.EXE
2006-11-30 01:20 135,168 -r------- C:\WINDOWS\system32\RtlCPAPI.dll
2006-11-30 01:20 <DIR> d-------- C:\WINDOWS\system32\RTCOM
2006-11-30 01:19 9,709,568 -r------- C:\WINDOWS\RTLCPL.exe
2006-11-30 01:19 86,016 -r------- C:\WINDOWS\SoundMan.exe
2006-11-30 01:19 69,632 -r------- C:\WINDOWS\Alcmtr.exe
2006-11-30 01:19 5,824 --a------ C:\WINDOWS\system32\drivers\ASUSHWIO.SYS
2006-11-30 01:19 487,424 -r------- C:\WINDOWS\RtlExUpd.dll
2006-11-30 01:19 4,284,928 -r------- C:\WINDOWS\system32\drivers\RtkHDAud.Sys
2006-11-30 01:19 364,544 -r------- C:\WINDOWS\RtlUpd.exe
2006-11-30 01:19 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-11-30 01:19 2,879,488 -r------- C:\WINDOWS\SkyTel.exe
2006-11-30 01:19 2,808,832 -r------- C:\WINDOWS\alcwzrd.exe
2006-11-30 01:19 2,158,592 -r------- C:\WINDOWS\MicCal.exe
2006-11-30 01:19 16,208,384 -r------- C:\WINDOWS\RTHDCPL.exe
2006-11-30 01:19 <DIR> d--h----- C:\Program Files\InstallShield Installation Information
2006-11-30 01:19 <DIR> d-------- C:\Program Files\Realtek
2006-11-30 01:19 <DIR> d-------- C:\Program Files\Common Files\InstallShield
2006-11-30 01:18 <DIR> dr-h----- C:\Documents and Settings\Ben\SendTo
2006-11-30 01:18 <DIR> dr-h----- C:\Documents and Settings\Ben\Recent
2006-11-30 01:18 <DIR> dr-h----- C:\Documents and Settings\Ben\Application Data\.
2006-11-30 01:18 <DIR> dr-h----- C:\Documents and Settings\Ben\Application Data
2006-11-30 01:18 <DIR> dr------- C:\Documents and Settings\Ben\Start Menu
2006-11-30 01:18 <DIR> dr------- C:\Documents and Settings\Ben\My Documents
2006-11-30 01:18 <DIR> dr------- C:\Documents and Settings\Ben\Favorites
2006-11-30 01:18 <DIR> d--h----- C:\Program Files\Uninstall Information
2006-11-30 01:18 <DIR> d--h----- C:\Documents and Settings\Ben\Templates
2006-11-30 01:18 <DIR> d--h----- C:\Documents and Settings\Ben\PrintHood
2006-11-30 01:18 <DIR> d--h----- C:\Documents and Settings\Ben\NetHood
2006-11-30 01:18 <DIR> d--h----- C:\Documents and Settings\Ben\Local Settings
2006-11-30 01:18 <DIR> d---s---- C:\Documents and Settings\Ben\Cookies
2006-11-30 01:18 <DIR> d---s---- C:\Documents and Settings\Ben\Application Data\Microsoft
2006-11-30 01:18 <DIR> d-------- C:\Documents and Settings\Ben\Desktop
2006-11-30 01:18 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\Identities
2006-11-30 01:18 <DIR> d-------- C:\Documents and Settings\Ben\Application Data\..
2006-11-30 01:18 <DIR> d-------- C:\Documents and Settings\Ben\..
2006-11-30 01:18 <DIR> d-------- C:\Documents and Settings\Ben\.
2006-11-30 01:17 <DIR> d---s---- C:\WINDOWS\system32\Microsoft
2006-11-30 01:17 <DIR> d-------- C:\WINDOWS\SoftwareDistribution
2006-11-30 01:17 <DIR> d-------- C:\WINDOWS\Prefetch
2006-11-30 01:14 <DIR> d--h----- C:\WINDOWS\$hf_mig$
2006-11-30 01:14 <DIR> d-------- C:\WINDOWS\system32\xircom
2006-11-30 01:14 <DIR> d-------- C:\Program Files\xerox
2006-11-30 01:14 <DIR> d-------- C:\Program Files\microsoft frontpage
2006-11-30 01:13 112,128 --a------ C:\WINDOWS\system32\mapi32.dll
2006-11-30 01:13 0 -rahs---- C:\MSDOS.SYS
2006-11-30 01:13 0 -rahs---- C:\IO.SYS
2006-11-30 01:13 0 --a------ C:\CONFIG.SYS
2006-11-30 01:13 0 --a------ C:\AUTOEXEC.BAT
2006-11-30 01:12 <DIR> dr------- C:\WINDOWS\Offline Web Pages
2006-11-30 01:12 <DIR> d--hs---- C:\Documents and Settings\All Users\DRM
2006-11-30 01:12 <DIR> d--h----- C:\Program Files\WindowsUpdate
2006-11-30 01:12 <DIR> d---s---- C:\WINDOWS\Downloaded Program Files
2006-11-30 01:12 <DIR> d-------- C:\WINDOWS\system32\DirectX
2006-11-30 01:11 81,920 --a------ C:\WINDOWS\system32\isign32.dll
2006-11-30 01:11 81,920 --a------ C:\WINDOWS\system32\ils.dll
2006-11-30 01:11 8,192 --a------ C:\WINDOWS\system32\bitsprx2.dll
2006-11-30 01:11 73,728 --a------ C:\WINDOWS\system32\icwdial.dll
2006-11-30 01:11 73,472 --a------ C:\WINDOWS\system32\drivers\sr.sys
2006-11-30 01:11 7,168 --a------ C:\WINDOWS\system32\bitsprx3.dll
2006-11-30 01:11 69,632 --a------ C:\WINDOWS\system32\msconf.dll
2006-11-30 01:11 679,424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-30 01:11 67,584 --a------ C:\WINDOWS\system32\srclient.dll
2006-11-30 01:11 65,536 --a------ C:\WINDOWS\system32\icwphbk.dll
2006-11-30 01:11 64,512 --a------ C:\WINDOWS\system32\acctres.dll
2006-11-30 01:11 6,656 --a------ C:\WINDOWS\system32\wuauserv.dll
2006-11-30 01:11 48,128 --a------ C:\WINDOWS\system32\inetres.dll
2006-11-30 01:11 465,176 --a------ C:\WINDOWS\system32\wuapi.dll
2006-11-30 01:11 45,568 --a------ C:\WINDOWS\system32\safrslv.dll
2006-11-30 01:11 43,520 --a------ C:\WINDOWS\system32\safrcdlg.dll
2006-11-30 01:11 43,520 --a------ C:\WINDOWS\system32\racpldlg.dll
2006-11-30 01:11 41,240 --a------ C:\WINDOWS\system32\wups.dll
2006-11-30 01:11 382,464 --a------ C:\WINDOWS\system32\qmgr.dll
2006-11-30 01:11 34,560 --a------ C:\WINDOWS\system32\mnmdd.dll
2006-11-30 01:11 32,768 --a------ C:\WINDOWS\system32\mnmsrvc.exe
2006-11-30 01:11 32,768 --a------ C:\WINDOWS\system32\isrdbg32.dll
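The "Files Created" section of the ComboFix log is most useful as a timeline: everything written within a few minutes of a file you already distrust is worth a look, which is how `install.exe`, `ejrthiis.dll`, a 2-byte `wcptr.exe` and a hidden+system folder in the user profile line up next to `svchosts.exe` on 2006-12-18. The script below is an added example, not part of the thread and not code from ComboFix; it parses a subset of the lines posted above, pivots on a seed path with a configurable time window, and marks two traits that are cheap to check from the listing alone. The `Entry` record, the window size and the trait rules are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample: a subset of the "Files Created" lines from the posted ComboFix log.
SAMPLE_COMBOFIX = r"""
2006-12-18 17:00 816,672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-18 14:01 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2006-12-18 13:00 56,320 --a------ C:\WINDOWS\system32\ejrthiis.dll
2006-12-18 13:00 2 --a------ C:\WINDOWS\system32\wcptr.exe
2006-12-18 12:42 91,973 --a------ C:\WINDOWS\system32\install.exe
2006-12-18 12:42 36,864 --a------ C:\WINDOWS\system32\svchosts.exe
2006-12-18 12:42 <DIR> d--hs---- C:\Documents and Settings\Ben\Complete
2006-12-17 17:05 <DIR> d-------- C:\Program Files\Jasc Software Inc
2006-12-11 11:33 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
"""

# timestamp, size or <DIR>, nine-character attribute string, path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+(\S{9})\s+(.+)$")


@dataclass
class Entry:
    created: datetime
    size: Optional[int]   # None for directories
    attrs: str            # e.g. "d--hs----"
    path: str


def parse_combofix(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, size, attrs, path = m.groups()
        entries.append(Entry(
            created=datetime.strptime(ts, "%Y-%m-%d %H:%M"),
            size=None if size == "<DIR>" else int(size.replace(",", "")),
            attrs=attrs,
            path=path,
        ))
    return entries


def pivot(entries: List[Entry], seed_path: str, window_minutes: int = 30) -> List[Entry]:
    """Everything created within +/- window_minutes of the seed file's timestamp."""
    seed = next(e for e in entries if e.path.lower() == seed_path.lower())
    window = timedelta(minutes=window_minutes)
    return [e for e in entries if abs(e.created - seed.created) <= window]


def suspicious_traits(entry: Entry) -> List[str]:
    """Cheap traits visible from the listing alone; assumed thresholds."""
    traits = []
    lower = entry.path.lower()
    if entry.size is not None and entry.size < 1024 and lower.endswith((".exe", ".dll", ".com")):
        traits.append("executable smaller than 1 KiB")
    if entry.size is None and "h" in entry.attrs and "s" in entry.attrs and not lower.startswith("c:\\windows"):
        traits.append("hidden+system directory outside the Windows folder")
    return traits


if __name__ == "__main__":
    found = parse_combofix(SAMPLE_COMBOFIX)
    for e in pivot(found, r"C:\WINDOWS\system32\svchosts.exe", window_minutes=30):
        notes = "; ".join(suspicious_traits(e)) or "-"
        print(f"{e.created:%Y-%m-%d %H:%M}  {e.path}  [{notes}]")
```

A pivot like this is a reading aid, not a verdict: the AVG and Spybot installs on the same day fall outside the window only because of the times the user happened to install them, and a legitimate installer can also drop several files in one minute. Its value is in narrowing the list of files to hash and look up, which is the step the helper asks for next.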

Giltrap
2006-12-19, 22:10
Here is the other half:

2006-11-30 01:11 29,696 --a------ C:\WINDOWS\system32\safrdm.dll
2006-11-30 01:11 28,672 --a------ C:\WINDOWS\system32\nmmkcert.dll
2006-11-30 01:11 274,944 --a------ C:\WINDOWS\system32\mstask.dll
2006-11-30 01:11 274,432 --a------ C:\WINDOWS\system32\inetcfg.dll
2006-11-30 01:11 252,928 --a------ C:\WINDOWS\system32\msoeacct.dll
2006-11-30 01:11 239,104 --a------ C:\WINDOWS\system32\srrstr.dll
2006-11-30 01:11 23,040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-11-30 01:11 194,328 --a------ C:\WINDOWS\system32\wuaueng1.dll
2006-11-30 01:11 190,976 --a------ C:\WINDOWS\system32\schedsvc.dll
2006-11-30 01:11 18,944 --a------ C:\WINDOWS\system32\qmgrprxy.dll
2006-11-30 01:11 173,536 --a------ C:\WINDOWS\system32\wuweb.dll
2006-11-30 01:11 172,312 --a------ C:\WINDOWS\system32\wuauclt1.exe
2006-11-30 01:11 170,496 --a------ C:\WINDOWS\system32\srsvc.dll
2006-11-30 01:11 16,896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-11-30 01:11 16,384 --a------ C:\WINDOWS\system32\icfgnt5.dll
2006-11-30 01:11 128,896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-11-30 01:11 127,256 --a------ C:\WINDOWS\system32\wucltui.dll
2006-11-30 01:11 124,184 --a------ C:\WINDOWS\system32\wuauclt.exe
2006-11-30 01:11 12,288 --a------ C:\WINDOWS\system32\nmevtmsg.dll
2006-11-30 01:11 12,288 --a------ C:\WINDOWS\system32\mstinit.exe
2006-11-30 01:11 11,264 --a------ C:\WINDOWS\system32\atrace.dll
2006-11-30 01:11 105,984 --a------ C:\WINDOWS\system32\msoert2.dll
2006-11-30 01:11 1,343,768 --a------ C:\WINDOWS\system32\wuaueng.dll
2006-11-30 01:11 <DIR> d---s---- C:\WINDOWS\Tasks
2006-11-30 01:11 <DIR> d-------- C:\WINDOWS\system32\Restore
2006-11-30 01:11 <DIR> d-------- C:\WINDOWS\system32\Macromed
2006-11-30 01:11 <DIR> d-------- C:\WINDOWS\srchasst
2006-11-30 01:11 <DIR> d-------- C:\Program Files\Outlook Express
2006-11-30 01:11 <DIR> d-------- C:\Program Files\NetMeeting
2006-11-30 01:11 <DIR> d-------- C:\Program Files\Internet Explorer
2006-11-30 01:11 <DIR> d-------- C:\Program Files\Common Files\System
2006-11-30 01:11 <DIR> d-------- C:\Program Files\Common Files\Services
2006-11-30 01:11 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2006-11-30 01:10 <DIR> dr--s---- C:\WINDOWS\assembly
2006-11-30 01:09 <DIR> d-------- C:\WINDOWS\Registration
2006-11-30 01:09 <DIR> d-------- C:\WINDOWS\Microsoft.NET
2006-11-30 01:09 <DIR> d-------- C:\Program Files\Windows Media Player
2006-11-30 01:09 <DIR> d-------- C:\Program Files\Online Services
2006-11-30 01:09 <DIR> d-------- C:\Program Files\ComPlus Applications
2006-11-30 01:08 85,504 --a------ C:\WINDOWS\system32\mhn.dll
2006-11-30 01:08 8,704 --a------ C:\WINDOWS\system32\igdetect.dll
2006-11-30 01:08 7,093,760 --a------ C:\WINDOWS\system32\space.scr
2006-11-30 01:08 5,068,800 --a------ C:\WINDOWS\system32\davinci.scr
2006-11-30 01:08 4,396,544 --a------ C:\WINDOWS\system32\wpgldfsh.scr
2006-11-30 01:08 3,343,360 --a------ C:\WINDOWS\system32\nature.scr
2006-11-30 01:08 19,840 --a------ C:\WINDOWS\system32\drivers\pxhelp20.sys
2006-11-30 01:08 11,008 --a------ C:\WINDOWS\system32\drivers\mhndrv.sys
2006-11-30 01:08 1,742,336 --a------ C:\WINDOWS\system32\mypixdx.scr
2006-11-30 01:08 <DIR> d-------- C:\Program Files\Windows Plus
2006-11-30 01:08 <DIR> d-------- C:\Program Files\Movie Maker
2006-11-30 01:07 97,792 --a------ C:\WINDOWS\system32\comrepl.dll
2006-11-30 01:07 956,416 --a------ C:\WINDOWS\system32\msdtctm.dll
2006-11-30 01:07 93,696 --a------ C:\WINDOWS\system32\tscfgwmi.dll
2006-11-30 01:07 91,136 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-11-30 01:07 9,728 --a------ C:\WINDOWS\system32\reset.exe
2006-11-30 01:07 87,176 --a------ C:\WINDOWS\system32\rdpwsx.dll
2006-11-30 01:07 85,504 --a------ C:\WINDOWS\system32\catsrvps.dll
2006-11-30 01:07 80,384 --a------ C:\WINDOWS\system32\charmap.exe
2006-11-30 01:07 73,216 --a------ C:\WINDOWS\system32\avwav.dll
2006-11-30 01:07 67,072 --a------ C:\WINDOWS\system32\rdshost.exe
2006-11-30 01:07 655,360 --a------ C:\WINDOWS\system32\mstscax.dll
2006-11-30 01:07 625,152 --a------ C:\WINDOWS\system32\catsrvut.dll
2006-11-30 01:07 62,464 --a------ C:\WINDOWS\system32\rdpclip.exe
2006-11-30 01:07 605,696 --a------ C:\WINDOWS\system32\getuname.dll
2006-11-30 01:07 60,416 --a------ C:\WINDOWS\system32\remotepg.dll
2006-11-30 01:07 60,416 --a------ C:\WINDOWS\system32\colbact.dll
2006-11-30 01:07 6,144 --a------ C:\WINDOWS\system32\msdtc.exe
2006-11-30 01:07 58,880 --a------ C:\WINDOWS\system32\msdtclog.dll
2006-11-30 01:07 56,832 --a------ C:\WINDOWS\system32\sol.exe
2006-11-30 01:07 55,296 --a------ C:\WINDOWS\system32\freecell.exe
2006-11-30 01:07 540,160 --a------ C:\WINDOWS\system32\comuid.dll
2006-11-30 01:07 54,272 --a------ C:\WINDOWS\system32\stclient.dll
2006-11-30 01:07 538,624 --a------ C:\WINDOWS\system32\spider.exe
2006-11-30 01:07 5,632 --a------ C:\WINDOWS\system32\write.exe
2006-11-30 01:07 5,120 --a------ C:\WINDOWS\system32\dcomcnfg.exe
2006-11-30 01:07 498,688 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-11-30 01:07 44,544 --a------ C:\WINDOWS\system32\tscupgrd.exe
2006-11-30 01:07 44,544 --a------ C:\WINDOWS\system32\hticons.dll
2006-11-30 01:07 426,496 --a------ C:\WINDOWS\system32\msdtcprx.dll
2006-11-30 01:07 407,552 --a------ C:\WINDOWS\system32\mstsc.exe
2006-11-30 01:07 4,096 --a------ C:\WINDOWS\system32\rdpcfgex.dll
2006-11-30 01:07 4,096 --a------ C:\WINDOWS\system32\mtxex.dll
2006-11-30 01:07 38,912 --a------ C:\WINDOWS\system32\cfgbkend.dll
2006-11-30 01:07 35,328 --a------ C:\WINDOWS\system32\winchat.exe
2006-11-30 01:07 347,136 --a------ C:\WINDOWS\system32\hypertrm.dll
2006-11-30 01:07 343,040 --a------ C:\WINDOWS\system32\mspaint.exe
2006-11-30 01:07 33,792 --a------ C:\WINDOWS\system32\regini.exe
2006-11-30 01:07 295,424 --a------ C:\WINDOWS\system32\termsrv.dll
2006-11-30 01:07 25,600 --a------ C:\WINDOWS\system32\comaddin.dll
2006-11-30 01:07 25,088 --a------ C:\WINDOWS\system32\mtxlegih.dll
2006-11-30 01:07 227,840 --a------ C:\WINDOWS\system32\avtapi.dll
2006-11-30 01:07 225,792 --a------ C:\WINDOWS\system32\catsrv.dll
2006-11-30 01:07 22,016 --a------ C:\WINDOWS\system32\qwinsta.exe
2006-11-30 01:07 21,896 --a------ C:\WINDOWS\system32\drivers\tdtcp.sys
2006-11-30 01:07 20,992 --a------ C:\WINDOWS\system32\msg.exe
2006-11-30 01:07 20,480 --a------ C:\WINDOWS\system32\qprocess.exe
2006-11-30 01:07 20,480 --a------ C:\WINDOWS\system32\mtxdm.dll
2006-11-30 01:07 19,968 --a------ C:\WINDOWS\system32\rdpsnd.dll
2006-11-30 01:07 183,808 --a------ C:\WINDOWS\system32\accwiz.exe
2006-11-30 01:07 161,280 --a------ C:\WINDOWS\system32\msdtcuiu.dll
2006-11-30 01:07 16,896 --a------ C:\WINDOWS\system32\tsshutdn.exe
2006-11-30 01:07 16,896 --a------ C:\WINDOWS\system32\qappsrv.exe
2006-11-30 01:07 16,384 --a------ C:\WINDOWS\system32\tskill.exe
2006-11-30 01:07 16,384 --a------ C:\WINDOWS\system32\avmeter.dll
2006-11-30 01:07 15,872 --a------ C:\WINDOWS\system32\rwinsta.exe
2006-11-30 01:07 15,872 --a------ C:\WINDOWS\system32\cdmodem.dll
2006-11-30 01:07 15,360 --a------ C:\WINDOWS\system32\logoff.exe
2006-11-30 01:07 147,968 --a------ C:\WINDOWS\system32\rdchost.dll
2006-11-30 01:07 147,456 --a------ C:\WINDOWS\system32\comsnap.dll
2006-11-30 01:07 140,800 --a------ C:\WINDOWS\system32\sessmgr.exe
2006-11-30 01:07 14,848 --a------ C:\WINDOWS\system32\tsdiscon.exe
2006-11-30 01:07 14,848 --a------ C:\WINDOWS\system32\tscon.exe
2006-11-30 01:07 14,848 --a------ C:\WINDOWS\system32\shadow.exe
2006-11-30 01:07 139,528 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
2006-11-30 01:07 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe
2006-11-30 01:07 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe
2006-11-30 01:07 13,824 --a------ C:\WINDOWS\system32\rdsaddin.exe
2006-11-30 01:07 126,976 --a------ C:\WINDOWS\system32\mshearts.exe
2006-11-30 01:07 123,392 --a------ C:\WINDOWS\system32\mplay32.exe
2006-11-30 01:07 12,040 --a------ C:\WINDOWS\system32\drivers\tdpipe.sys
2006-11-30 01:07 119,808 --a------ C:\WINDOWS\system32\winmine.exe
2006-11-30 01:07 114,688 --a------ C:\WINDOWS\system32\calc.exe
2006-11-30 01:07 110,080 --a------ C:\WINDOWS\system32\clbcatex.dll
2006-11-30 01:07 11,776 --a------ C:\WINDOWS\system32\xolehlp.dll
2006-11-30 01:07 11,264 --a------ C:\WINDOWS\system32\icaapi.dll
2006-11-30 01:07 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe
2006-11-30 01:07 1,267,200 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-11-30 01:07 1,161 --a------ C:\WINDOWS\system32\usrlogon.cmd
2006-11-30 01:07 <DIR> d-------- C:\WINDOWS\system32\MsDtc
2006-11-30 01:07 <DIR> d-------- C:\WINDOWS\system32\Com
2006-11-30 01:07 <DIR> d-------- C:\Program Files\Windows NT
2006-11-30 01:07 <DIR> d-------- C:\Program Files\MSN Gaming Zone
2006-11-30 01:07 <DIR> d-------- C:\Program Files\MSN
2006-11-30 01:07 <DIR> d-------- C:\Program Files\Messenger
2006-11-30 01:06 58,880 --a------ C:\WINDOWS\system32\licwmi.dll
2006-11-30 01:06 56,320 --a------ C:\WINDOWS\system32\servdeps.dll
2006-11-30 01:06 40,840 --a------ C:\WINDOWS\system32\drivers\termdd.sys
2006-11-30 01:06 196,864 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
2006-11-30 01:06 185,344 --a------ C:\WINDOWS\system32\cmprops.dll
2006-11-30 01:06 17,408 --a------ C:\WINDOWS\system32\mmfutil.dll
2006-11-30 01:03 82,944 --a------ C:\WINDOWS\system32\drivers\wdmaud.sys
2006-11-30 01:03 7,552 --a------ C:\WINDOWS\system32\drivers\MSKSSRV.sys
2006-11-30 01:03 60,800 --a------ C:\WINDOWS\system32\drivers\sysaudio.sys
2006-11-30 01:03 6,400 --a------ C:\WINDOWS\system32\drivers\splitter.sys
2006-11-30 01:03 57,472 --a------ C:\WINDOWS\system32\drivers\redbook.sys
2006-11-30 01:03 54,272 --a------ C:\WINDOWS\system32\drivers\swmidi.sys
2006-11-30 01:03 52,864 --a------ C:\WINDOWS\system32\drivers\DMusic.sys
2006-11-30 01:03 5,376 --a------ C:\WINDOWS\system32\drivers\MSPCLOCK.sys
2006-11-30 01:03 4,992 --a------ C:\WINDOWS\system32\drivers\MSPQM.sys
2006-11-30 01:03 3,072 --a------ C:\WINDOWS\system32\drivers\audstub.sys
2006-11-30 01:03 2,944 --a------ C:\WINDOWS\system32\drivers\drmkaud.sys
2006-11-30 01:03 172,416 --a------ C:\WINDOWS\system32\drivers\kmixer.sys
2006-11-30 01:03 142,464 --a------ C:\WINDOWS\system32\drivers\aec.sys
2006-11-30 01:02 87,424 --a------ C:\WINDOWS\system32\drivers\irda.sys
2006-11-30 01:02 8,192 --a------ C:\WINDOWS\system32\wshirda.dll
2006-11-30 01:02 74,240 --a------ C:\WINDOWS\system32\usbui.dll
2006-11-30 01:02 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2006-11-30 01:02 4,096 --a------ C:\WINDOWS\system32\ksuser.dll
2006-11-30 01:02 27,136 --a------ C:\WINDOWS\system32\irmon.dll
2006-11-30 01:02 2,944 --a------ C:\WINDOWS\system32\drivers\msmpu401.sys
2006-11-30 01:02 19,584 --a------ C:\WINDOWS\system32\drivers\rasirda.sys
2006-11-30 01:02 18,688 --a------ C:\WINDOWS\system32\drivers\irsir.sys
2006-11-30 01:02 152,576 --a------ C:\WINDOWS\system32\irftp.exe
2006-11-30 01:02 136,960 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2006-11-30 01:02 10,624 --a------ C:\WINDOWS\system32\drivers\gameenum.sys
2006-11-30 01:01 85,020 --a------ C:\WINDOWS\system32\dgsetup.dll
2006-11-30 01:01 8,192 -ra------ C:\WINDOWS\system32\kbdhept.dll
2006-11-30 01:01 7,168 -ra------ C:\WINDOWS\system32\kbdcz.dll
2006-11-30 01:01 6,656 -ra------ C:\WINDOWS\system32\kbdycl.dll
2006-11-30 01:01 6,656 -ra------ C:\WINDOWS\system32\kbdsl1.dll
2006-11-30 01:01 6,656 -ra------ C:\WINDOWS\system32\kbdsl.dll
2006-11-30 01:01 6,656 -ra------ C:\WINDOWS\system32\kbdpl.dll
2006-11-30 01:01 6,656 -ra------ C:\WINDOWS\system32\kbdhu.dll
2006-11-30 01:01 6,656 -ra------ C:\WINDOWS\system32\kbdhela3.dll
2006-11-30 01:01 6,656 -ra------ C:\WINDOWS\system32\kbdcz2.dll
2006-11-30 01:01 6,656 -ra------ C:\WINDOWS\system32\kbdcz1.dll
2006-11-30 01:01 6,656 -ra------ C:\WINDOWS\system32\kbdcr.dll
2006-11-30 01:01 6,656 -ra------ C:\WINDOWS\system32\KBDAL.DLL
2006-11-30 01:01 6,144 -ra------ C:\WINDOWS\system32\kbdtuq.dll
2006-11-30 01:01 6,144 -ra------ C:\WINDOWS\system32\kbdtuf.dll
2006-11-30 01:01 6,144 -ra------ C:\WINDOWS\system32\kbdlv1.dll
2006-11-30 01:01 6,144 -ra------ C:\WINDOWS\system32\kbdlv.dll
2006-11-30 01:01 6,144 -ra------ C:\WINDOWS\system32\kbdhela2.dll
2006-11-30 01:01 6,144 -ra------ C:\WINDOWS\system32\kbdgkl.dll
2006-11-30 01:01 6,144 -ra------ C:\WINDOWS\system32\kbdest.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdycc.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbduzb.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdur.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdtat.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdru1.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdru.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdro.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdpl1.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdmon.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdlt1.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdlt.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdkyr.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdkaz.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdhu1.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdhe319.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdhe220.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdhe.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdbu.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdblr.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdazel.dll
2006-11-30 01:01 5,632 -ra------ C:\WINDOWS\system32\kbdaze.dll
2006-11-30 01:01 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
2006-11-30 01:01 176,157 --a------ C:\WINDOWS\system32\dgrpsetu.dll
2006-11-30 01:01 13,312 --a------ C:\WINDOWS\system32\irclass.dll
2006-11-30 01:01 103,424 --a------ C:\WINDOWS\system32\EqnClass.Dll
2006-11-30 01:01 <DIR> dr------- C:\Program Files\Common Files\..
2006-11-30 01:01 <DIR> dr------- C:\Program Files\.
2006-11-30 01:01 <DIR> dr------- C:\Program Files
2006-11-30 01:01 <DIR> d--hs---- C:\WINDOWS\Installer
2006-11-30 01:01 <DIR> d--hs---- C:\Program Files\..
2006-11-30 01:01 <DIR> d-------- C:\Program Files\Common Files\SpeechEngines
2006-11-30 01:01 <DIR> d-------- C:\Program Files\Common Files\ODBC
2006-11-30 01:01 <DIR> d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-30 01:01 <DIR> d-------- C:\Program Files\Common Files\.
2006-11-30 01:01 <DIR> d-------- C:\Program Files\Common Files
2006-11-30 01:00 9,936 --a------ C:\WINDOWS\system\LZEXPAND.DLL
2006-11-30 01:00 9,008 --a------ C:\WINDOWS\system\VER.DLL
2006-11-30 01:00 82,944 --a------ C:\WINDOWS\system\OLECLI.DLL
2006-11-30 01:00 8,704 --a------ C:\WINDOWS\system32\batt.dll
2006-11-30 01:00 74,752 --a------ C:\WINDOWS\system32\storprop.dll
2006-11-30 01:00 69,584 --a------ C:\WINDOWS\system\AVICAP.DLL
2006-11-30 01:00 69,120 --a------ C:\WINDOWS\NOTEPAD.EXE
2006-11-30 01:00 68,768 --a------ C:\WINDOWS\system\MMSYSTEM.DLL
2006-11-30 01:00 5,120 --a------ C:\WINDOWS\system\SHELL.DLL
2006-11-30 01:00 32,816 --a------ C:\WINDOWS\system\COMMDLG.DLL
2006-11-30 01:00 24,064 --a------ C:\WINDOWS\system\OLESVR.DLL
2006-11-30 01:00 19,200 --a------ C:\WINDOWS\system\TAPI.DLL
2006-11-30 01:00 15,360 --a------ C:\WINDOWS\TASKMAN.EXE
2006-11-30 01:00 126,912 --a------ C:\WINDOWS\system\MSVIDEO.DLL
2006-11-30 01:00 11,264 --a------ C:\WINDOWS\system32\drivers\irenum.sys
2006-11-30 01:00 109,456 --a------ C:\WINDOWS\system\AVIFILE.DLL
2006-11-30 01:00 <DIR> dr------- C:\Documents and Settings\All Users\Start Menu
2006-11-30 01:00 <DIR> dr------- C:\Documents and Settings\All Users\Documents
2006-11-30 01:00 <DIR> d--h----- C:\Documents and Settings\All Users\Templates
2006-11-30 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Favorites
2006-11-30 01:00 <DIR> d-------- C:\Documents and Settings\All Users\Desktop
2006-11-30 00:58 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data\.
2006-11-30 00:58 <DIR> dr-h----- C:\Documents and Settings\All Users\Application Data
2006-11-30 00:58 <DIR> d--hs---- C:\System Volume Information
2006-11-30 00:58 <DIR> d---s---- C:\Documents and Settings\All Users\Application Data\Microsoft
2006-11-30 00:58 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2006-11-30 00:58 <DIR> d-------- C:\WINDOWS\system32\CatRoot
2006-11-30 00:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\..
2006-11-30 00:58 <DIR> d-------- C:\Documents and Settings\All Users\..
2006-11-30 00:58 <DIR> d-------- C:\Documents and Settings\All Users\.
2006-11-30 00:58 <DIR> d-------- C:\Documents and Settings
2006-11-30 00:52 <DIR> dr-hsc--- C:\WINDOWS\system32\dllcache
2006-11-30 00:52 <DIR> dr--s---- C:\WINDOWS\Fonts
2006-11-30 00:52 <DIR> dr------- C:\WINDOWS\Web
2006-11-30 00:52 <DIR> d--hs---- C:\WINDOWS\system32\drivers\..
2006-11-30 00:52 <DIR> d--hs---- C:\WINDOWS\system32\.
2006-11-30 00:52 <DIR> d--hs---- C:\WINDOWS\system32
2006-11-30 00:52 <DIR> d--hs---- C:\WINDOWS\..
2006-11-30 00:52 <DIR> d--h----- C:\WINDOWS\inf
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\WinSxS
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\twain_32
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\Temp
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\wins
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\wbem
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\usmt
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\spool
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\ShellExt
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\Setup
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\ras
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\oobe
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\npp
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\mui
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\inetsrv
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\IME
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\icsxml
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\ias
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\export
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\drivers\etc
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\drivers\disdn
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\drivers\.
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\drivers
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\dhcp
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\config
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\3com_dmi
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\3076
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\2052
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\1054
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\1042
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\1041
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\1037
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\1033
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\1031
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\1028
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\1025
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system32\..
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system\..
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system\.
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\system
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\security
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\Resources

Giltrap
2006-12-19, 22:12
Sorry about the 3 replies, I couldn't get it to fit right... I've put VirusTotal on the end, to save an extra post

Here's the rest:

2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\repair
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\Provisioning
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\PeerNet
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\pchealth
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\mui
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\msapps
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\msagent
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\Media
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\java
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\ime
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\Help
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\ehome
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\Driver Cache
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\Debug
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\Cursors
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\Connection Wizard
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\Config
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\AppPatch
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\addins
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS\.
2006-11-30 00:52 <DIR> d-------- C:\WINDOWS


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))




(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.5008\\GoogleToolbarNotifier.exe"
"Xzqebrpy"="C:\\WINDOWS\\system32\\?dobe\\l?ass.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"RTHDCPL"="RTHDCPL.EXE"
"SkyTel"="SkyTel.EXE"
"Alcmtr"="ALCMTR.EXE"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NvMediaCenter"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"itype"="\"C:\\Program Files\\Microsoft IntelliType Pro\\itype.exe\""
"IntelliPoint"="\"C:\\Program Files\\Microsoft IntelliPoint\\ipoint.exe\""
"{B4BDA421-08A2-1033-0910-06011006002c}"="\"C:\\Program Files\\Common Files\\{B4BDA421-08A2-1033-0910-06011006002c}\\Update.exe\" mc-110-12-0000137"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"{B4BDA421-08A2-1033-0910-060110060001}"="\"C:\\Program Files\\Common Files\\{B4BDA421-08A2-1033-0910-060110060001}\\Update.exe\" mc-110-12-0000137"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,ea,00,00,00,00,00,00,00,16,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-12-19 20:42:24.51
C:\ComboFix.txt ... 06-12-19 20:42


-----
Virustotal
-----

STATUS: FINISHED
Complete scanning result of "svchosts.exe", received in VirusTotal at 12.19.2006, 21:59:34 (CET).

Antivirus Version Update Result
AntiVir 7.3.0.19 12.19.2006 no virus found
Authentium 4.93.8 12.19.2006 no virus found
Avast 4.7.892.0 12.19.2006 no virus found
AVG 386 12.19.2006 no virus found
BitDefender 7.2 12.19.2006 no virus found
CAT-QuickHeal 8.00 12.19.2006 no virus found
ClamAV devel-20060426 12.19.2006 no virus found
DrWeb 4.33 12.19.2006 no virus found
eSafe 7.0.14.0 12.19.2006 no virus found
eTrust-InoculateIT 23.73.89 12.19.2006 no virus found
eTrust-Vet 30.3.3262 12.19.2006 no virus found
Ewido 4.0 12.19.2006 no virus found
Fortinet 2.82.0.0 12.19.2006 no virus found
F-Prot 3.16f 12.15.2006 no virus found
F-Prot4 4.2.1.29 12.19.2006 no virus found
Ikarus T3.1.0.27 12.19.2006 no virus found
Kaspersky 4.0.2.24 12.19.2006 no virus found
McAfee 4922 12.19.2006 no virus found
Microsoft 1.1904 12.19.2006 no virus found
NOD32v2 1929 12.19.2006 no virus found
Norman 5.80.02 12.19.2006 W32/Softomate.EH.dropper
Panda 9.0.0.4 12.19.2006 Adware/Mytoolbar
Prevx1 V2 12.19.2006 Trojan.SystemPoser
Sophos 4.12.0 12.18.2006 no virus found
Sunbelt 2.2.907.0 12.18.2006 no virus found
TheHacker 6.0.3.134 12.18.2006 no virus found
UNA 1.83 12.19.2006 no virus found
VBA32 3.11.1 12.19.2006 no virus found
VirusBuster 4.3.19:9 12.19.2006 no virus found


Aditional Information
File size: 36864 bytes
MD5: 3fe5755470a1c9c223ac25944c0161fd
SHA1: 36c92adc1ca2ee0211124187cb2678c008b85958
norman sandbox: [ General information ]
* **IMPORTANT: PLEASE SEND THE SCANNED FILE TO: ANALYSIS@NORMAN.NO - REMEMBER TO ENCRYPT IT (E.G. ZIP WITH PASSWORD)**.
* File length: 36864 bytes.

[ Changes to filesystem ]
* Deletes file C:WINDOWS{837F873E-0000-1044--popo0000}.
* Creates directory C:WINDOWS{837F873E-0000-1044--popo0000}.
* Creates file C:WINDOWS{837F873E-0000-1044--popo0000}directorexe.lzma.
* Creates file C:WINDOWS{837F873E-0000-1044--popo0000}Update.exe.
* Deletes file C:WINDOWS{837F873E-0000-1044--popo0000}directorexe.lzma.
* Deletes file C:WINDOWS{837F873E-0000-1044--popo0000}directordll.lzma.

[ Changes to registry ]
* Creates key "HKLMSoftwareHARDWAREDESCRIPTIONSystemCentralProcessor
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=6f6363243327

Mr_JAk3
2006-12-20, 08:46
Hi again :)

Before we continue I would like you to upload the file for further inspection.

Please download the Suspicious file Packer (http://www.safer-networking.org/files/sfp.zip) from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:
C:\WINDOWS\system32\svchosts.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Please go to this forum (http://www.thespykiller.co.uk/forum/index.php?board=1.0)
There's no need to register. Just start a new topic, titled "svchosts.exe".

Use the Attachment box to upload the cab file from your desktop.

NOTE: You will not see the files that have been uploaded (including the ones you upload yourself) as they only show to the authorised users who can download them

Let me know when you have done this and then we'll continue :bigthumb:

Giltrap
2006-12-20, 17:25
Right, I have uploaded the file onto the forum. :bigthumb:

Giltrap

Mr_JAk3
2006-12-20, 20:50
Hi again, we'll continue :)

Thanks for the upload :D:

You should print these instructions or save these to a text file. Follow these instructions carefully.

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
Install AVG Anti-Spyware by double clicking the installer.
Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.
==================

Backup your registry:
Start
Run
Type the following into the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the filetype is set to Registryfiles (*.reg)
Click on Save and Close the window


Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end. (don't forget to copy and paste the word REGEDIT4) :


REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Xzqebrpy"=-

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"{B4BDA421-08A2-1033-0910-06011006002c}"=-
"{B4BDA421-08A2-1033-0910-060110060001}"=-



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

Save the document to your desktop as Fix.reg and filetype: All Files
Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.


Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

R3 - URLSearchHook: (no name) - {FBF221C6-E077-CDD2-7725-E65B212F32CA} - C:\WINDOWS\system32\ejrthiis.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34BDA~1\Bar888.dll (file missing)
O2 - BHO: (no name) - {FBF221C6-E077-CDD2-7725-E65B212F32CA} - C:\WINDOWS\system32\ejrthiis.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{34BDA~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [{B4BDA421-08A2-1033-0910-06011006002c}] "C:\Program Files\Common Files\{B4BDA421-08A2-1033-0910-06011006002c}\Update.exe" mc-110-12-0000137
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [Xzqebrpy] C:\WINDOWS\system32\?dobe\l?ass.exe

Disable bad service
Start
Run
Type services.msc into the field and press Enter.
A window opens, scroll down to COM+ Messages
Right-click it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.

Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; COM+ Messages
Answer Yes
Close HijackThis
Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\ejrthiis.dll
C:\WINDOWS\system32\wcptr.exe
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\svchosts.exe NOTE: svchosts.exe NOT svchost.exe !!

Go to the My Computer and delete the following folders (if present):
C:\Program Files\Common Files\{B4BDA421-08A2-1033-0910-060110060001}
C:\WINDOWS\QmVuIEdpbGNocmlzdA
C:\Program Files\ipwins

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
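
As an added illustration (example code, not from this thread or from any of the tools named in it): a small Python check that parses the "Reg Loading Points" format of the ComboFix log posted above, flags the three patterns the cleanup steps target (a '?' in an autorun path, GUID-named entries and folders, and file names one character away from a Windows binary such as svchosts.exe), and emits the matching REGEDIT4 deletion file in the format the instructions describe. The sample entries are taken from the posted log; the "svchosts" Run entry is constructed so the look-alike check has something to find.

```python
import re

# Sample input: the Run keys from the "Reg Loading Points" section of the
# ComboFix log posted earlier in this thread (abbreviated), plus one
# CONSTRUCTED entry ("svchosts") standing in for the svchosts.exe file the
# thread discusses, so that the look-alike check has something to find.
SAMPLE_REG_DUMP = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Xzqebrpy"="C:\\WINDOWS\\system32\\?dobe\\l?ass.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"{B4BDA421-08A2-1033-0910-06011006002c}"="\"C:\\Program Files\\Common Files\\{B4BDA421-08A2-1033-0910-06011006002c}\\Update.exe\" mc-110-12-0000137"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"svchosts"="C:\\WINDOWS\\system32\\svchosts.exe"
'''

GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Windows binaries that unwanted software imitates with a one-character change.
SYSTEM_BINARIES = ("svchost.exe", "lsass.exe", "csrss.exe", "explorer.exe", "ctfmon.exe")

def parse_reg_dump(text):
    """Parse [key] / "name"="value" lines into {key: {name: value}}, undoing
    the backslash escaping the dump applies to backslashes and quotes."""
    tree, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if not m or not current:
            continue
        name, value = m.group(1), m.group(2)
        if value.startswith('"') and value.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", value[1:-1])
        tree[current][name] = value
    return tree

def image_path(command):
    """Return the executable part of a Run command line (quoted or first token)."""
    if command.startswith('"'):
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]

def edit_distance(a, b):
    """Plain Levenshtein distance, enough for the look-alike check."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def suspicious_reasons(name, command):
    """Apply the three heuristics behind the cleanup list in this thread."""
    reasons = []
    image = image_path(command)
    base = image.rsplit("\\", 1)[-1].lower()
    # 1. The log tool prints '?' for characters it cannot render, so a '?' in an
    #    autorun path means the folder or file name is not what it appears to be.
    if "?" in image:
        reasons.append("path contains unprintable characters")
    # 2. A GUID used as the value name, or a GUID-named folder hosting the image.
    if GUID_RE.fullmatch(name) or GUID_RE.search(image):
        reasons.append("GUID-named autorun entry or folder")
    # 3. One character away from a well-known Windows binary (svchosts.exe).
    for known in SYSTEM_BINARIES:
        if edit_distance(base, known) == 1:
            reasons.append("look-alike of " + known)
    return reasons

def audit_run_keys(text):
    """Return (key, value name, reason) for every suspicious Run entry."""
    findings = []
    for key, values in parse_reg_dump(text).items():
        if key.lower().endswith("\\run"):
            for name, command in values.items():
                for reason in suspicious_reasons(name, command):
                    findings.append((key, name, reason))
    return findings

def removal_reg(findings):
    """Build a REGEDIT4 file deleting the flagged values, in the shape this
    thread prescribes: REGEDIT4 first, "name"=- per value, blank line last."""
    by_key = {}
    for key, name, _ in findings:
        by_key.setdefault(key, {})[name] = None  # dict keeps order, drops repeats
    out = ["REGEDIT4", ""]
    for key, names in by_key.items():
        out.append("[" + key + "]")
        out.extend('"' + n + '"=-' for n in names)
        out.append("")
    return "\n".join(out) + "\n"
```

Running audit_run_keys(SAMPLE_REG_DUMP) flags the Xzqebrpy entry twice (unprintable path and a one-character look-alike of lsass.exe), the GUID entry once, and the constructed svchosts entry once; everything else in the sample passes.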

Giltrap
2006-12-20, 22:47
I cannot delete C:\WINDOWS\system32\wcptr.exe in safe mode. It is there, but says
"Cannot delete wcptr: It is being used by another person or program.

Close any programs that might be using the file and try again.

Ok"

Should I have gone onto the administrator account rather than my own? I haven't deleted anything yet as the first one in the list wasn't there.

Giltrap

Mr_JAk3
2006-12-21, 08:54
Yes the admin account would be best. We can use a stronger program for those files...

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

Please run Killbox.

Select "Delete on Reboot".
Select "All Files".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\system32\ejrthiis.dll
C:\WINDOWS\system32\wcptr.exe
C:\WINDOWS\system32\install.exe
C:\WINDOWS\system32\svchosts.exe
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart to the safe mode again and continue with the instructions. :bigthumb:

Giltrap
2006-12-21, 13:06
Right, I think it's worked. Here is one report. The next will be in the next post.

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:06:12 21/12/2006

+ Scan result:



C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003208.exe -> Adware.ClickSpring : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003485.dll -> Adware.CommAd : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003486.exe -> Adware.CommAd : Cleaned with backup (quarantined).
C:\Documents and Settings\Ben\Desktop\Hijack this\backups\backup-20061220-213334-107.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003455.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{B4BDA421-08A2-1033-0910-06011006002c}\Update.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{B4BDA421-08A2-1033-0910-06011006002c}\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP19\A0003129.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP19\A0003130.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP19\A0003131.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP19\A0003132.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP19\A0003155.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP19\A0003167.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP20\A0003181.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP20\A0003192.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003213.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003214.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003223.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003224.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003225.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003226.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003227.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003228.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003229.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003230.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003231.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003232.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003233.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003234.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003235.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003236.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003237.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003238.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003239.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003240.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003241.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003242.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003243.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003244.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003245.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003246.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003247.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003248.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003249.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003250.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003251.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003252.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003253.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003254.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003255.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003256.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003257.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003258.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003259.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003260.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003261.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003262.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003263.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003264.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003265.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003266.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003267.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003268.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003269.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003270.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003271.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003272.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003273.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003274.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003275.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003276.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003277.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003278.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003279.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003280.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003281.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003282.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003283.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003284.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003285.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003286.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003287.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003288.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003488.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003489.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP13\A0001962.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP13\A0001964.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP19\A0003146.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP19\A0003147.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP4\A0001381.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP4\A0001382.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP5\A0001385.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP5\A0001386.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP5\snapshot\MFEX-4.DAT -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP9\A0001945.dll -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP9\A0001946.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP9\A0001948.inf -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP20\A0003186.exe -> Backdoor.Rbot : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP20\A0003188.exe -> Downloader.PurityScan.dr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003207.exe -> Dropper.Small : Cleaned with backup (quarantined).
C:\!KillBox\wcptr.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003461.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003480.exe -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP21\A0003487.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP19\A0003124.exe -> Worm.VB.dw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{7C499017-20B7-4B01-9A42-4ED1D81CA42D}\RP20\A0003187.exe -> Worm.VB.dw : Cleaned with backup (quarantined).


::Report end

Giltrap
2006-12-21, 13:06
Here is the other one.


---------
Hijackthis
---------

Logfile of HijackThis v1.99.1
Scan saved at 11:18:10, on 21/12/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Ben\Desktop\Hijack this\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: StumbleUpon Launcher - {145B29F4-A56B-4b90-BBAC-45784EBEBBB7} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: StumbleUpon Toolbar - {5093EB4C-3E93-40AB-9266-B607BA87BDC8} - C:\Program Files\StumbleUpon\StumbleUponIEBar.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SkyTel] SkyTel.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: StumbleUpon: &Blog This - res://StumbleUponIEBar.dll/blogimage
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.stumbleupon.com
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - AVIRA GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

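A HijackThis log is a flat list of hook points (browser settings, BHOs, toolbars, Run keys, services) that a helper reads line by line. As an added example that is not part of the thread or of HijackThis itself, the Python below parses those entry lines into records and applies a few triage heuristics of my own choosing (a Run entry with a bare image name, an unnamed BHO, a Trusted Zone entry); the sample input is a handful of lines copied from the log above, and the heuristics are assumptions, not HijackThis's own logic.

```python
"""Parse HijackThis 1.99.1 log entries and flag the ones worth a second look.
Added example for this thread; the flagging rules are assumptions."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Every entry line starts with a section code such as R0, O2, O4, O23.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Run-key entries look like: HKLM\..\Run: [name] command line
O4_RE = re.compile(r"^(?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")


@dataclass
class Entry:
    code: str
    body: str
    clsid: Optional[str] = None
    path: Optional[str] = None
    notes: List[str] = field(default_factory=list)


def _image_path(cmd: str) -> str:
    """Executable part of a Run command line, whether quoted or bare."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.index('"', 1)]
    return cmd.split(" ", 1)[0]


def parse_entry(line: str) -> Optional[Entry]:
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None  # process list, headers, blank lines
    e = Entry(m["code"], m["body"])
    c = CLSID_RE.search(e.body)
    if c:
        e.clsid = c.group(0).upper()
        # The path is everything after "{CLSID} - ". Splitting the whole body
        # on " - " would break paths such as "Spybot - Search & Destroy".
        e.path = e.body[c.end():].lstrip(" -") or None
    if e.code == "O4":
        o4 = O4_RE.match(e.body)
        if o4:
            e.path = _image_path(o4["cmd"])
            # A bare file name is resolved through the search path at logon,
            # so the log alone does not prove which file actually runs.
            if "\\" not in e.path:
                e.notes.append("bare image name; locate the file before trusting it")
        elif e.body.startswith("Global Startup: ") and " = " in e.body:
            e.path = e.body.split(" = ", 1)[1]  # shortcut target
    elif e.code == "O2" and e.body.startswith("BHO: (no name)"):
        e.notes.append("unnamed BHO; identify it by CLSID and path")
    elif e.code == "O15":
        e.notes.append("Trusted Zone entry relaxes IE security for this host")
    elif e.code == "O23" and e.path is None:
        # "Service: display name (short name) - vendor - path"
        parts = e.body.split(" - ", 2)
        if len(parts) == 3:
            e.path = parts[2]
    return e


def triage(log_text: str):
    """Return (all entries, entries that earned a note) for a whole log."""
    entries = [e for e in (parse_entry(l) for l in log_text.splitlines()) if e]
    return entries, [e for e in entries if e.notes]


# Constructed sample: a few lines copied from the log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.uk/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O15 - Trusted Zone: *.stumbleupon.com
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for e in triage(SAMPLE_LOG)[1]:
        print(e.code, e.path, "->", "; ".join(e.notes))
```

The notes are prompts for a human reviewer, not verdicts: the unnamed BHO in this log is Spybot's own SDHelper.dll, which is exactly why the path has to be checked rather than the name.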
Mr_JAk3
2006-12-21, 14:05
Hi again, it is looking clean now :)
The computer runs fine?

You don't seem to have a firewall (http://forum.malwareremoval.com/viewtopic.php?p=56#56) running; you must install one.
NOTE: If you're using the Windows XP firewall, I recommend that you install a better firewall. The Windows firewall doesn't really provide enough protection. Disable the Windows firewall after installing a new firewall.

These are good (free) firewalls: Sunbelt-Kerio (http://www.sunbelt-software.com/Kerio.cfm)
ZoneAlarm (http://www.zonelabs.com/)
Sygate (http://www.majorgeeks.com/download.php?det=3356)
Outpost (http://www.majorgeeks.com/download.php?det=1056)

Now you can clean AVG's Quarantine:
Open AVG Anti-Spyware
Click Infections
Click Quarantine tab
Click Select all
Click Remove finally
Close the program
You can remove the tools we used.
You can delete the following backup folders:
C:\QooBox
C:\!Killbox

Then you should update your Java to the latest version (6.0):
Start
Control Panel
Add/Remove Programs
Delete the old Java, J2SE Runtime Environment 5.0 Update 9
Download the latest version of Java Runtime Environment (JRE) 6.0 (http://java.sun.com/javase/downloads/index.jsp).
Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
Click the "Download" button to the right.
Check the box that says: "Accept License Agreement."
The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Install it

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

Giltrap
2006-12-21, 17:14
The bar888 is showing up in the add or remove programs, but not on internet explorer...

What should I do?

should I click Remove or just leave it?

Giltrap

Mr_JAk3
2006-12-21, 19:50
Hi :)

That is a leftover; I don't think it will go away if you click on Remove.
Try it, but I think it won't work.

There might be some others too, so:

Please post an uninstall list here.
Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.
Click on the Save list... button and specify where you would like to save this file.
When you press Save button a notepad will open with the contents of that file.
Simply copy and paste the contents of that notepad here on your next reply.

:bigthumb:

Giltrap
2006-12-23, 11:42
Hi

I am away with family for Christmas, so I can't do anything on my desktop PC for about a week. I will be able to continue when I get back home. :bigthumb:

Just thought I should let you know.

Thanks for all the help and have a good Christmas!:present:

Giltrap

Mr_JAk3
2006-12-23, 19:31
Ok I'll keep the topic open.

Merry Christmas to you too :D:

Giltrap
2006-12-28, 22:40
Right, I'm back.

I clicked on Remove and it came up with an error message. I should have read it properly, but I think it said something along the lines that there was nothing to remove and that it would be removed from Add or Remove Programs.

Here is the list anyway:
Adobe Flash Player 9 ActiveX
Adobe Reader 8
Adobe Shockwave Player
Autopano-SIFT 2.3
AVG Anti-Spyware 7.5
Avira AntiVir PersonalEdition Classic
Bulent's Screen Recorder
Diagram Designer
Earth 2160
Evil Genius
GameSpy Arcade
Google Toolbar for Internet Explorer
High Definition Audio Driver Package - KB888111
HijackThis 1.99.1
Jasc Paint Shop Pro 8
Java(TM) SE Runtime Environment 6
Microsoft .NET Framework 1.0 Hotfix (KB887998)
Microsoft .NET Framework 1.1
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
NVIDIA Drivers
Outerinfo <- This is adware, I just Googled it as I didn't know what it was. I guess I just opened up a new can of worms. :sad:
Realtek High Definition Audio Driver
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Spybot - Search & Destroy 1.4
Stronghold
StumbleUpon IE Toolbar
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver

Looks like we have something else to get rid of, I hope this will be a simple fix. :bigthumb:

Mr_JAk3
2006-12-29, 12:05
Hi :)

That is a leftover...

Open HijackThis.
Open the Misc Tools section
Open Uninstall Manager
Scroll down to the following entry and select it with your mouse; Outerinfo
Delete this entry
Answer Yes
Close HijackThis
How is the computer running?

Giltrap
2007-01-02, 18:14
Sorry about the long response time...

I deleted outerinfo, and everything seems okay.

I think the computer is running fine, only problems are:
Evil Genius and the StumbleUpon toolbar keep throwing wobblies.
Seems a little slower.

I am going to get the patch for Evil Genius, as I think the same thing happened on my old PC, and reinstall StumbleUpon. I don't know what else to do with StumbleUpon, since it's quite good to use when you're bored.
I think the slowing down is just me getting used to the speed of it. It's a bit off topic really, but do you know any speed test (benchmarking?) software that I can use? Just to be sure it isn't really slowing down.

Erm... That's it I think. :bigthumb:

Giltrap
/|\
Why do I always sign the end of my messages? :scratch:

Mr_JAk3
2007-01-02, 19:43
Ok good :)

Well, the AVG Anti-Spyware guard may slow the PC, so disabling it may speed it up a bit.
Also, when was the last time you defragged your hard drives?

tashi
2007-01-09, 01:19
Glad we could help. As the problem appears to be resolved, this topic has been archived.

If you need it re-opened please send me or your helper a private message (pm) and provide a link to the thread; this applies only to the original topic starter.

Anyone else with similar problems please start a new topic.