Help! Recurring Fake.Wget and Bifrose.LA + Spybot detects Smitfraud-C in install exes

[zer0nix]

I'm getting recurring infections of Fake.Wget and Bifrose.LA and on a possibly related note, Spybot is detecting Smitfraud-C in pretty much every game patch i try to run; it is terminating the processes before the patches can be installed and so far, spybot is not detecting Smitfraud-C when i scan the computer. Please help!


PS:
-i ran the trend micro test four times and each time, after a little more than an hour, the browser window just closed itself without warning.
-i ran the etrust online antivirus detector and it found nothing. unfortunately, i found no option to save a log.
-the bit defender link provided in the "before you post" topic is dead. is it supposed to link to this?: http://www.bitdefender.com/scan8/ie.html
-i have provided below a HijackThis log, a Spybot log and a Nod32 log.
-i'm using XP with SP2

Logfile of HijackThis v1.99.1
Scan saved at 12:36:00 AM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
C:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Eset\nod32krn.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Program Files\Kerio\WinRoute Firewall\winroute.exe
C:\Program Files\Kerio\WinRoute Firewall\avServer.exe
C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dictionary.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: CoTGT_BHO Class - {C333CF63-767F-4831-94AC-E683D962C63C} - C:\Program Files\TGTSoft\StyleXP\TGT_BHO.dll
O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKLM\..\Run: [startkey] C:\WINDOWS\system32\server.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] C:\WINDOWS\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe"
O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
O4 - HKCU\..\Run: [startkey] C:\WINDOWS\system32\server.exe
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"
O4 - Startup: PowerReg Scheduler.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/v...fo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{411E73ED-9C60-42F1-992B-34D03F659D35}: NameServer = 216.165.239.2,216.165.239.4
O17 - HKLM\System\CS1\Services\Tcpip\..\{411E73ED-9C60-42F1-992B-34D03F659D35}: NameServer = 216.165.239.2,216.165.239.4
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: RadClock - Unknown owner - C:\Program Files\RadLinker\RadClock.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - C:\Program Files\Kerio\WinRoute Firewall\winroute.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

[zer0nix]

spybot log part 1

--- Search result list ---
Bifrose.LA: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9B71D88C-C598-4935-C5D1-43AA4DB90836}

Fake.Wget: Settings (Registry key, fixed)
HKEY_USERS\S-1-5-21-329068152-220523388-839522115-1003\Software\Wget

Fake.Wget: Settings (Registry key, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Wget


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-11-28 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2006-02-06 advcheck.dll (1.0.2.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2006-02-20 Tools.dll (2.0.0.2)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-01-05 Includes\Cookies.sbi (*)
2006-12-08 Includes\Dialer.sbi (*)
2007-01-05 Includes\DialerC.sbi (*)
2006-11-24 Includes\Hijackers.sbi (*)
2007-01-05 Includes\HijackersC.sbi (*)
2006-10-27 Includes\Keyloggers.sbi (*)
2007-01-05 Includes\KeyloggersC.sbi (*)
2006-12-22 Includes\Malware.sbi (*)
2007-01-05 Includes\MalwareC.sbi (*)
2006-10-20 Includes\PUPS.sbi (*)
2007-01-05 Includes\PUPSC.sbi (*)
2007-01-05 Includes\Revision.sbi (*)
2006-12-08 Includes\Security.sbi (*)
2007-01-05 Includes\SecurityC.sbi (*)
2006-10-13 Includes\Spybots.sbi (*)
2007-01-05 Includes\SpybotsC.sbi (*)
2005-02-17 Includes\Tracks.uti
2006-12-08 Includes\Trojans.sbi (*)
2007-01-05 Includes\TrojansC.sbi (*)



--- System information ---
Windows XP (Build: 2600) Service Pack 2
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/917283
/ Microsoft .NET Framework 2.0: This Security Update is for Microsoft .NET Framework 2.0. \n
If you later install a more recent service pack, this Security Update will be uninstalled automatically. \n
For more information, visit http://support.microsoft.com/kb/922770
/ Windows / SP1: Microsoft Internationalized Domain Names Mitigation APIs
/ Windows / SP1: Microsoft National Language Support Downlevel APIs
/ Windows Media Player 6.4: Security Update for Windows Media Player 6.4 (KB925398)
/ Windows XP / SP10: Microsoft Compression Client Pack 1.0 for Windows XP
/ Windows XP / SP3: Windows XP Hotfix - KB873339
/ Windows XP / SP3: Windows XP Hotfix - KB885835
/ Windows XP / SP3: Windows XP Hotfix - KB885836
/ Windows XP / SP3: Windows XP Hotfix - KB886185
/ Windows XP / SP3: Windows XP Hotfix - KB887472
/ Windows XP / SP3: Windows XP Hotfix - KB888302
/ Windows XP / SP3: Windows XP Hotfix - KB890859
/ Windows XP / SP3: Windows XP Hotfix - KB891781
/ Windows XP / SP3: Security Update for Windows XP (KB893756)
/ Windows XP / SP3: Windows Installer 3.1 (KB893803)
/ Windows XP / SP3: Update for Windows XP (KB894391)
/ Windows XP / SP3: Security Update for Windows XP (KB896358)
/ Windows XP / SP3: Security Update for Windows XP (KB896423)
/ Windows XP / SP3: Security Update for Windows XP (KB896424)
/ Windows XP / SP3: Security Update for Windows XP (KB896428)
/ Windows XP / SP3: Update for Windows XP (KB898461)
/ Windows XP / SP3: Security Update for Windows XP (KB899587)
/ Windows XP / SP3: Security Update for Windows XP (KB899591)
/ Windows XP / SP3: Update for Windows XP (KB900485)
/ Windows XP / SP3: Security Update for Windows XP (KB900725)
/ Windows XP / SP3: Security Update for Windows XP (KB901017)
/ Windows XP / SP3: Security Update for Windows XP (KB901190)
/ Windows XP / SP3: Security Update for Windows XP (KB901214)
/ Windows XP / SP3: Security Update for Windows XP (KB902400)
/ Windows XP / SP3: Security Update for Windows XP (KB904706)
/ Windows XP / SP3: Security Update for Windows XP (KB905414)
/ Windows XP / SP3: Security Update for Windows XP (KB905749)
/ Windows XP / SP3: Security Update for Windows XP (KB908519)
/ Windows XP / SP3: Update for Windows XP (KB908531)
/ Windows XP / SP3: Update for Windows XP (KB910437)
/ Windows XP / SP3: Update for Windows XP (KB911280)
/ Windows XP / SP3: Security Update for Windows XP (KB911562)
/ Windows XP / SP3: Security Update for Windows XP (KB911567)
/ Windows XP / SP3: Security Update for Windows XP (KB911927)
/ Windows XP / SP3: Security Update for Windows XP (KB912919)
/ Windows XP / SP3: Security Update for Windows XP (KB913580)
/ Windows XP / SP3: Security Update for Windows XP (KB914388)
/ Windows XP / SP3: Security Update for Windows XP (KB914389)
/ Windows XP / SP3: Hotfix for Windows XP (KB915865)
/ Windows XP / SP3: Update for Windows XP (KB916595)
/ Windows XP / SP3: Security Update for Windows XP (KB917422)
/ Windows XP / SP3: Security Update for Windows XP (KB917953)
/ Windows XP / SP3: Security Update for Windows XP (KB918439)
/ Windows XP / SP3: Security Update for Windows XP (KB919007)
/ Windows XP / SP3: Security Update for Windows XP (KB920213)
/ Windows XP / SP3: Security Update for Windows XP (KB920214)
/ Windows XP / SP3: Security Update for Windows XP (KB920670)
/ Windows XP / SP3: Security Update for Windows XP (KB920683)
/ Windows XP / SP3: Security Update for Windows XP (KB920685)
/ Windows XP / SP3: Update for Windows XP (KB920872)
/ Windows XP / SP3: Security Update for Windows XP (KB921398)
/ Windows XP / SP3: Update for Windows XP (KB922582)
/ Windows XP / SP3: Security Update for Windows XP (KB922616)
/ Windows XP / SP3: Security Update for Windows XP (KB922819)
/ Windows XP / SP3: Security Update for Windows XP (KB923191)
/ Windows XP / SP3: Security Update for Windows XP (KB923414)
/ Windows XP / SP3: Security Update for Windows XP (KB923694)
/ Windows XP / SP3: Security Update for Windows XP (KB923980)
/ Windows XP / SP3: Security Update for Windows XP (KB924191)
/ Windows XP / SP3: Security Update for Windows XP (KB924270)
/ Windows XP / SP3: Hotfix for Windows XP (KB926239)
/ Windows XP / SP3: Security Update for Windows XP (KB926255)


--- Startup entries list ---
Located: HK_LM:Run, ATICCC
command: "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
file: C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe
size: 90112
MD5: 0dc2e1b6951bd2170bc47f0eebf629b3

Located: HK_LM:Run, DAEMON Tools
command: "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
file: C:\Program Files\DAEMON Tools\daemon.exe
size: 157592
MD5: 4323a5ee3ebc7f5681cd41b69360d2d4

Located: HK_LM:Run, DiskeeperSystray
command: "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
file: C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe
size: 163840
MD5: cc2286749c3063e989519db234284fbe

Located: HK_LM:Run, KernelFaultCheck
command: C:\WINDOWS\system32\dumprep 0 -k
file: C:\WINDOWS\system32\dumprep.exe
size: 10752
MD5: 13922eb54890c77005268882629a31fe

Located: HK_LM:Run, NeroFilterCheck
command: "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
file: C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
size: 155648
MD5: c93ab037a8c792d5f8a1a9fc88a7c7c5

Located: HK_LM:Run, nod32kui
command: "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
file: C:\Program Files\Eset\nod32kui.exe
size: 950664
MD5: 1db8ebbea939fb03542574ad70f29dd6

Located: HK_LM:Run, NVMixerTray
command: "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
file: C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
size: 131072
MD5: 46ee79e42e5e056e91ea4eb07e7b807a

Located: HK_LM:Run, QuickTime Task
command: "C:\Program Files\QuickTime\qttask.exe" -atboottime
file: C:\Program Files\QuickTime\qttask.exe
size: 282624
MD5: caf03357de72f8f19fa099581a685c1a

Located: HK_LM:Run, startkey
command: C:\WINDOWS\system32\server.exe
file: C:\WINDOWS\system32\server.exe
size: 1362113
MD5: 8d00ac79d04db184f9c93bc8e6c6e8e3

Located: HK_LM:Run, SunJavaUpdateSched (DISABLED)
command: "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
file: C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
size: 49263
MD5: 409c45da1cfbc3fc19eec7cbfe9b2786

Located: HK_CU:Run, BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}
command: "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
file: C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
size: 139264
MD5: 3dbe5b70fca1f15be651a5eb02594b84

Located: HK_CU:Run, ctfmon.exe
command: C:\WINDOWS\system32\ctfmon.exe
file: C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996a38c0b0cf151c2140ae29fc8

Located: HK_CU:Run, SpybotSD TeaTimer
command: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
file: C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496eee0ddbe485f658693826f44d38

Located: HK_CU:Run, startkey
command: C:\WINDOWS\system32\server.exe
file: C:\WINDOWS\system32\server.exe
size: 1362113
MD5: 8d00ac79d04db184f9c93bc8e6c6e8e3

Located: HK_CU:Run, STYLEXP
command: C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
file:

Located: HK_CU:Run, swg
command: "C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe"
file: C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
size: 165304
MD5: d81021fff83b946d110aff16f0a26062

Located: HK_CU:Run, WrCtrl
command: "C:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe"
file: C:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe
size: 188416
MD5: e26df5909bbc2ed15de7a5e65689bfdc

Located: HK_CU:Run, Window Washer (DISABLED)
command: "C:\Program Files\Webroot\Washer\wwDisp.exe"
file: C:\Program Files\Webroot\Washer\wwDisp.exe
size: 894464
MD5: 831134deaa2a470bdde9308f8bae4733

Located: Startup (common), Adobe Reader Speed Launch.lnk
command: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
file: C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
size: 29696
MD5: 43362b96870ce8649f4f2ec893da93f0

Located: Startup (user), SpywareGuard.lnk
command: C:\Program Files\SpywareGuard\sgmain.exe
file: C:\Program Files\SpywareGuard\sgmain.exe
size: 360448
MD5: 61c028aba5e49573a6332f4a7c744e87

Located: System.ini, AtiExtEvent
command: Ati2evxx.dll
file: Ati2evxx.dll

Located: System.ini, crypt32chain
command: crypt32.dll
file: crypt32.dll

Located: System.ini, cryptnet
command: cryptnet.dll
file: cryptnet.dll

Located: System.ini, cscdll
command: cscdll.dll
file: cscdll.dll

Located: System.ini, ScCertProp
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, Schedule
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, sclgntfy
command: sclgntfy.dll
file: sclgntfy.dll

Located: System.ini, SensLogn
command: WlNotify.dll
file: WlNotify.dll

Located: System.ini, termsrv
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, wlballoon
command: wlnotify.dll
file: wlnotify.dll

Located: System.ini, WRNotifier
command: WRLogonNTF.dll
file: WRLogonNTF.dll

[zer0nix]

spybot log part 2

--- Browser helper object list ---
{02478D38-C3F9-4EFB-9B51-7695ECA05670} (Yahoo! Toolbar Helper)
BHO name:
CLSID name: Yahoo! Toolbar Helper
description: Yahoo Companion!
classification: Legitimate
known filename: Ycomp*_*_*_*.dll
info link: http://companion.yahoo.com/
info source: TonyKlein
Path: C:\Program Files\Yahoo!\Companion\Installs\cpn\
Long name: yt.dll
Short name:
Date (created): 11/30/2006 6:42:00 PM
Date (last access): 1/9/2007 11:44:40 PM
Date (last write): 6/7/2006 10:09:22 AM
Filesize: 399352
Attributes: archive
MD5: 8BBB9FEEC360F11867B28059B5360843
CRC32: 12033757
Version: 2005.11.4.1

{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
BHO name:
CLSID name: Adobe PDF Reader Link Helper
description: Adobe Acrobat reader
classification: Legitimate
known filename: AcroIEhelper.ocx<br>AcroIEhelper.dll
info link: http://www.adobe.com/products/acrobat/readstep2.html
info source: TonyKlein
Path: C:\Program Files\Adobe\Acrobat 7.0\ActiveX\
Long name: AcroIEHelper.dll
Short name: ACROIE~1.DLL
Date (created): 1/12/2006 8:38:22 PM
Date (last access): 1/9/2007 11:44:40 PM
Date (last write): 1/12/2006 8:38:22 PM
Filesize: 63128
Attributes: archive
MD5: F17B2B264072B921FC66A0BE16626BAB
CRC32: 5184CFEA
Version: 7.0.7.142

{2F364306-AA45-47B5-9F9D-39A8B94E7EF7} (IeCatch5 Class)
BHO name:
CLSID name: IeCatch5 Class
Path: C:\PROGRA~1\FlashGet\
Long name: Jccatch.dll
Short name:
Date (created): 11/28/2006 8:56:02 PM
Date (last access): 1/9/2007 11:44:40 PM
Date (last write): 5/16/2006 3:19:42 PM
Filesize: 81920
Attributes: archive
MD5: 8AB453E6168A5FEDFDDF44BC13F42E70
CRC32: 47363548
Version: 1.1.5.0

{4A368E80-174F-4872-96B5-0B27DDD11DB2} (SpywareGuard Download Protection)
BHO name: SpywareGuard Download Protection
CLSID name: SpywareGuardDLBLOCK.CBrowserHelper
description: SpywareGuard download protection
classification: Legitimate
known filename: dlprotect.dll
info link: http://www.wilderssecurity.net/spywareguard.html
info source: TonyKlein
Path: C:\Program Files\SpywareGuard\
Long name: dlprotect.dll
Short name: DLPROT~1.DLL
Date (created): 8/2/2003 11:24:02 PM
Date (last access): 1/9/2007 11:44:40 PM
Date (last write): 8/2/2003 11:24:02 PM
Filesize: 192512
Attributes: readonly archive
MD5: 964621E8B2415FEAA99026ED4F29D198
CRC32: DC8CF59D
Version: 2.2.0.0

{53707962-6F74-2D53-2644-206D7942484F} ()
BHO name:
CLSID name:
description: Spybot-S&D IE Browser plugin
classification: Legitimate
known filename: SDhelper.dll
info link: http://spybot.eon.net.au/
info source: Patrick M. Kolla
Path: C:\PROGRA~1\SPYBOT~1\
Long name: SDHelper.dll
Short name:
Date (created): 11/28/2006 8:35:02 PM
Date (last access): 1/9/2007 11:44:40 PM
Date (last write): 5/31/2005 1:04:00 AM
Filesize: 853672
Attributes: archive
MD5: 250D787A5712D7768DDC133B3E477759
CRC32: D4589A41
Version: 1.4.0.0

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
BHO name:
CLSID name: SSVHelper Class
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: ssv.dll
Short name:
Date (created): 10/12/2006 3:10:58 AM
Date (last access): 1/9/2007 11:44:42 PM
Date (last write): 10/12/2006 3:25:44 AM
Filesize: 434279
Attributes: archive
MD5: D62E335F137D9E0F9F4DBE09564959B1
CRC32: 72699310
Version: 5.0.90.3

{AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
BHO name:
CLSID name: Google Toolbar Helper
description: Google toolbar
classification: Open for discussion
known filename: googletoolbar.dll<br>googletoolbar*.dll<br>(* = number)<br>googletoolbar_en_*.**-big.dll<br>Googletoolbar_en_*.*.**-deleon.dll
info link: http://toolbar.google.com/
info source: TonyKlein
Path: c:\program files\google\
Long name: GoogleToolbar1.dll
Short name: GOOGLE~1.DLL
Date (created): 11/28/2006 8:56:22 PM
Date (last access): 1/9/2007 11:44:42 PM
Date (last write): 11/28/2006 8:56:22 PM
Filesize: 2018368
Attributes: readonly archive
MD5: C022FABC464CEA9DF382C000351223E2
CRC32: B1A33DE4
Version: 4.0.1019.5266

{C333CF63-767F-4831-94AC-E683D962C63C} (CoTGT_BHO Class)
BHO name:
CLSID name: CoTGT_BHO Class
Path: C:\Program Files\TGTSoft\StyleXP\
Long name: TGT_BHO.dll
Short name:
Date (created): 5/9/2006 3:13:48 PM
Date (last access): 1/9/2007 11:44:42 PM
Date (last write): 5/9/2006 3:13:48 PM
Filesize: 65536
Attributes: archive
MD5: 107CC933CCB8FC9AD8F2160657B9D6D6
CRC32: FA073C35

{F156768E-81EF-470C-9057-481BA8380DBA} (gFlash Class)
BHO name:
CLSID name: gFlash Class
Path: C:\PROGRA~1\FlashGet\
Long name: getflash.dll
Short name:
Date (created): 11/28/2006 8:56:02 PM
Date (last access): 1/9/2007 11:44:44 PM
Date (last write): 9/12/2006 10:50:56 AM
Filesize: 126976
Attributes: archive
MD5: C281625E4775F8AD88448C50AFEB4561
CRC32: EC424799
Version: 1.0.0.1



--- ActiveX list ---
{166B1BCA-3F9C-11CF-8075-444553540000} (Shockwave ActiveX Control)
DPF name:
CLSID name: Shockwave ActiveX Control
Installer: C:\WINDOWS\Downloaded Program Files\erma.inf
Codebase: http://fpdownload.macromedia.com/get...irector/sw.cab
description: Macromedia ShockWave Flash Player 7
classification: Legitimate
known filename: SWDIR.DLL
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\macromed\Director\
Long name: SwDir.dll
Short name:
Date (created): 12/9/2006 2:43:18 AM
Date (last access): 1/10/2007 12:22:50 AM
Date (last write): 9/3/2006 11:10:30 PM
Filesize: 54960
Attributes: archive
MD5: EB271B21EA6104B7C6946EF32D558C91
CRC32: CEC4E0C2
Version: 10.1.4.20

{7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class)
DPF name:
CLSID name: WScanCtl Class
Installer: C:\WINDOWS\Downloaded Program Files\webscan.inf
Codebase: http://www3.ca.com/securityadvisor/v...fo/webscan.cab
description:
classification: Legitimate
known filename: webscan.dll
info link:
info source: Safer Networking Ltd.
Path: C:\WINDOWS\Downloaded Program Files\
Long name: webscan.dll
Short name:
Date (created): 11/20/2006 12:02:34 PM
Date (last access): 1/9/2007 11:46:36 PM
Date (last write): 11/20/2006 12:02:34 PM
Filesize: 180282
Attributes: archive
MD5: 76EA3ABECE61FBA3C07F61E42BB0CA48
CRC32: AECD0E4D
Version: 1.1.0.1049

{8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_09
Installer:
Codebase: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
description: Sun Java
classification: Legitimate
known filename: %PROGRAM FILES%\JabaSoft\JRE\*\Bin\npjava131.dll
info link:
info source: Patrick M. Kolla
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: NPJPI150_09.dll
Short name: NPJPI1~1.DLL
Date (created): 10/12/2006 3:10:58 AM
Date (last access): 1/10/2007 12:22:50 AM
Date (last write): 10/12/2006 3:25:44 AM
Filesize: 69746
Attributes: archive
MD5: A3CDEB59B6B8C2EA81B9ED2D3EF4C95E
CRC32: 2A32A9A2
Version: 5.0.90.3
{CAFEEFAC-0015-0000-0009-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_09
Installer:
Codebase: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
description:
classification: Legitimate
known filename: NPJPI150_09.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: NPJPI150_09.dll
Short name: NPJPI1~1.DLL
Date (created): 10/12/2006 3:10:58 AM
Date (last access): 1/10/2007 12:22:50 AM
Date (last write): 10/12/2006 3:25:44 AM
Filesize: 69746
Attributes: archive
MD5: A3CDEB59B6B8C2EA81B9ED2D3EF4C95E
CRC32: 2A32A9A2
Version: 5.0.90.3

{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} (Java Runtime Environment 1.5.0)
DPF name: Java Runtime Environment 1.5.0
CLSID name: Java Plug-in 1.5.0_09
Installer:
Codebase: http://java.sun.com/update/1.5.0/jin...ndows-i586.cab
description:
classification: Legitimate
known filename: npjpi150_06.dll
info link:
info source: Safer Networking Ltd.
Path: C:\Program Files\Java\jre1.5.0_09\bin\
Long name: NPJPI150_09.dll
Short name: NPJPI1~1.DLL
Date (created): 10/12/2006 3:10:58 AM
Date (last access): 1/10/2007 12:22:50 AM
Date (last write): 10/12/2006 3:25:44 AM
Filesize: 69746
Attributes: archive
MD5: A3CDEB59B6B8C2EA81B9ED2D3EF4C95E
CRC32: 2A32A9A2
Version: 5.0.90.3

{D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object)
DPF name:
CLSID name: Shockwave Flash Object
Installer: C:\WINDOWS\Downloaded Program Files\swflash.inf
Codebase: http://fpdownload2.macromedia.com/ge...sh/swflash.cab
description: Macromedia Shockwave Flash Player
classification: Legitimate
known filename:
info link:
info source: Patrick M. Kolla
Path: C:\WINDOWS\system32\Macromed\Flash\
Long name: Flash9b.ocx
Short name:
Date (created): 11/9/2006 2:46:28 PM
Date (last access): 1/10/2007 12:14:36 AM
Date (last write): 11/9/2006 2:46:28 PM
Filesize: 2262648
Attributes: readonly archive
MD5: F3B3EE66CA76C94510555ABE9D00A353
CRC32: A51F3CB4
Version: 9.0.28.0


--- Process list ---
PID: 0 ( 0) [System]
PID: 580 ( 4) \SystemRoot\System32\smss.exe
PID: 668 ( 580) \??\C:\WINDOWS\system32\csrss.exe
PID: 756 ( 580) \??\C:\WINDOWS\system32\winlogon.exe
PID: 808 ( 756) C:\WINDOWS\system32\services.exe
size: 108032
MD5: C6CE6EEC82F187615D1002BB3BB50ED4
PID: 820 ( 756) C:\WINDOWS\system32\lsass.exe
size: 13312
MD5: 84885F9B82F4D55C6146EBF6065D75D2
PID: 996 ( 808) C:\WINDOWS\system32\Ati2evxx.exe
size: 430080
MD5: F57801F641E6DF9F4FD4B29D6DEB422C
PID: 1036 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1104 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1252 ( 808) C:\WINDOWS\System32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1348 ( 756) C:\WINDOWS\system32\Ati2evxx.exe
size: 430080
MD5: F57801F641E6DF9F4FD4B29D6DEB422C
PID: 1424 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1500 ( 808) C:\WINDOWS\system32\svchost.exe
size: 14336
MD5: 8F078AE4ED187AAABC0A305146DE6716
PID: 1672 ( 808) C:\WINDOWS\system32\spoolsv.exe
size: 57856
MD5: DA81EC57ACD4CDC3D4C51CF3D409AF9F
PID: 1884 (1828) C:\WINDOWS\Explorer.EXE
size: 1032192
MD5: A0732187050030AE399B241436565E64
PID: 252 ( 232) C:\Program Files\Internet Explorer\IEXPLORE.EXE
size: 622080
MD5: 5334D4461AA92A7B008755FE6D13C5F2
PID: 680 (1884) C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
size: 131072
MD5: 46EE79E42E5E056E91EA4EB07E7B807A
PID: 712 (1884) C:\Program Files\Eset\nod32kui.exe
size: 950664
MD5: 1DB8EBBEA939FB03542574AD70F29DD6
PID: 988 (1884) C:\Program Files\DAEMON Tools\daemon.exe
size: 157592
MD5: 4323A5EE3EBC7F5681CD41B69360D2D4
PID: 1164 (1884) C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
size: 139264
MD5: 3DBE5B70FCA1F15BE651A5EB02594B84
PID: 1180 (1076) C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
size: 45056
MD5: 64C4C17BF6A40FF1CD21205E6FD415B8
PID: 1208 (1884) C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
size: 1415824
MD5: 70496EEE0DDBE485F658693826F44D38
PID: 1228 (1884) C:\WINDOWS\system32\ctfmon.exe
size: 15360
MD5: 24232996A38C0B0CF151C2140AE29FC8
PID: 1364 (1036) C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
size: 884736
MD5: 1E55333843B8398B2EB60EA8C39569FA
PID: 1324 (1884) C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5746\GoogleToolbarNotifier.exe
size: 165304
MD5: D81021FFF83B946D110AFF16F0A26062
PID: 1720 (1884) C:\Program Files\Kerio\WinRoute Firewall\WrCtrl.exe
size: 188416
MD5: E26DF5909BBC2ED15DE7A5E65689BFDC
PID: 272 (1884) C:\Program Files\SpywareGuard\sgmain.exe
size: 360448
MD5: 61C028ABA5E49573A6332F4A7C744E87
PID: 648 ( 272) C:\Program Files\SpywareGuard\sgbhp.exe
size: 233472
MD5: A80D0704537C0EF97DB2BEF24B99AF1A
PID: 692 ( 808) C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
size: 892928
MD5: 26E09498268C88BD6A7C791EBC71DBE5
PID: 932 ( 808) C:\Program Files\Eset\nod32krn.exe
size: 549256
MD5: C0C81A2BE22F496B26B3E1EF3F559B83
PID: 2416 ( 808) C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
size: 3297792
MD5: 5D587C0FDE956DF030F79166DA595F2C
PID: 2868 ( 808) C:\WINDOWS\system32\wwSecure.exe
size: 487936
MD5: E189A58938E5E1EA269D73AAD84C9311
PID: 1980 ( 808) C:\Program Files\Kerio\WinRoute Firewall\winroute.exe
size: 3796992
MD5: FDE4CD78238F55CB028CA8D9F81BE116
PID: 3632 (1980) C:\Program Files\Kerio\WinRoute Firewall\avServer.exe
size: 98304
MD5: E3B31D987612F341EDA28F1D940965BC
PID: 3544 ( 712) C:\Program Files\Eset\nod32.exe
size: 496000
MD5: FFFFADC7124F9FCA9AF86B8710F038E8
PID: 500 (1884) C:\Program Files\Windows NT\Accessories\WORDPAD.EXE
size: 214528
MD5: F0543ACEEB5CD8821469958C9F3DD9A4
PID: 2560 (1884) C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
size: 4393096
MD5: 09CA174A605B480318731E691DC98539
PID: 3288 (1884) C:\Program Files\Internet Explorer\iexplore.exe
size: 622080
MD5: 5334D4461AA92A7B008755FE6D13C5F2
PID: 4 ( 0) System

[zer0nix]

spybot log part 3

--- Browser start & search pages list ---
Spybot - Search & Destroy browser pages report, 1/10/2007 12:25:36 AM

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Local Page
C:\WINDOWS\system32\blank.htm
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Search Page
http://www.microsoft.com/isapi/redir...ie&ar=iesearch
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Start Page
http://www.dictionary.com
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Local Page
%SystemRoot%\system32\blank.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Search Page
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Start Page
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Page_URL
http://go.microsoft.com/fwlink/?LinkId=69157
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Main\Default_Search_URL
http://go.microsoft.com/fwlink/?LinkId=54896
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\SearchAssistant
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm
HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\Search\CustomizeSearch
http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm


--- Winsock Layered Service Provider list ---
Protocol 0: NOD32 protected [MSAFD Tcpip [TCP/IP]]
GUID: {B48ACC25-CAB4-4DE9-837F-8C120A873F90}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 1: NOD32 protected [MSAFD Tcpip [UDP/IP]]
GUID: {8E1EEC56-55EE-43D7-A8F6-53AB316ADF36}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 2: NOD32 protected [MSAFD Tcpip [RAW/IP]]
GUID: {250C32B6-032A-48BD-A13A-38A15A1CB53E}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 3: NOD32 protected [RSVP UDP Service Provider]
GUID: {EA0A9921-BA4C-4518-AE40-78E75B059F6C}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 4: NOD32 protected [RSVP TCP Service Provider]
GUID: {35F57BA0-370A-4982-9299-7D08343254F4}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 5: MSAFD Tcpip [TCP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 6: MSAFD Tcpip [UDP/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 7: MSAFD Tcpip [RAW/IP]
GUID: {E70F1AA0-AB8B-11CF-8CA3-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP IP protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD Tcpip[*]

Protocol 8: RSVP UDP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 9: RSVP TCP Service Provider
GUID: {9D60A9E0-337A-11D0-BD88-0000C082E69A}
Filename: %SystemRoot%\system32\rsvpsp.dll
Description: Microsoft Windows NT/2k/XP RVSP
DB filename: %SystemRoot%\system32\rsvpsp.dll
DB protocol: RSVP * Service Provider

Protocol 10: NOD32
GUID: {28A4D8DA-E908-4C6F-A926-A66CC7AD3224}
Filename: C:\WINDOWS\system32\imon.dll

Protocol 11: MSAFD NetBIOS [\Device\NetBT_Tcpip_{411E73ED-9C60-42F1-992B-34D03F659D35}] SEQPACKET 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 12: MSAFD NetBIOS [\Device\NetBT_Tcpip_{411E73ED-9C60-42F1-992B-34D03F659D35}] DATAGRAM 0
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 13: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A0C0EB0D-E98C-40D1-B79F-C4470749A84C}] SEQPACKET 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 14: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A0C0EB0D-E98C-40D1-B79F-C4470749A84C}] DATAGRAM 1
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 15: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A265649F-21B5-43ED-8BC1-8309317AB8BD}] SEQPACKET 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 16: MSAFD NetBIOS [\Device\NetBT_Tcpip_{A265649F-21B5-43ED-8BC1-8309317AB8BD}] DATAGRAM 2
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 17: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1F707684-D174-4A91-8AC4-35583D1CE198}] SEQPACKET 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Protocol 18: MSAFD NetBIOS [\Device\NetBT_Tcpip_{1F707684-D174-4A91-8AC4-35583D1CE198}] DATAGRAM 3
GUID: {8D5F1830-C273-11CF-95C8-00805F48A192}
Filename: %SystemRoot%\system32\mswsock.dll
Description: Microsoft Windows NT/2k/XP NetBios protocol
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: MSAFD NetBIOS *

Namespace Provider 0: Tcpip
GUID: {22059D40-7E9E-11CF-AE5A-00AA00A7112B}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP TCP/IP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: TCP/IP

Namespace Provider 1: NTDS
GUID: {3B2637EE-E580-11CF-A555-00C04FD8D4AC}
Filename: %SystemRoot%\System32\winrnr.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\winrnr.dll
DB protocol: NTDS

Namespace Provider 2: Network Location Awareness (NLA) Namespace
GUID: {6642243A-3BA8-4AA6-BAA5-2E0BD71FDD83}
Filename: %SystemRoot%\System32\mswsock.dll
Description: Microsoft Windows NT/2k/XP name space provider
DB filename: %SystemRoot%\system32\mswsock.dll
DB protocol: NLA-Namespace

[zer0nix]

Nod32 scan log part 1

Scan performed at: 1/10/2007 8:42:27 AM
Scanning Log
NOD32 version 1959 (20070105) NT
Operating memory - is OK

Date: 10.1.2007 Time: 08:42:52
Anti-Stealth technology is enabled.
Scanned disks, folders and files: C:; E:
C:\hiberfil.sys - error opening (File locked) [4]
C:\pagefile.sys - error opening (File locked) [4]
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BifroseLA.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BifroseLA.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BifroseLA1.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BifroseLA1.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BifroseLA2.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\BifroseLA2.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget1.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget1.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget2.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget2.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget3.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget3.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget4.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\FakeWget4.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.reg - error - password-protected file
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\MicrosoftWindowsSecurityCenterFirewallDisableNotify.zip »ZIP »sbRecovery.ini - error - password-protected file
C:\Documents and Settings\LocalService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\LocalService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\NTUSER.DAT - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\ntuser.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG - error opening (File locked) [4]
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »Ad-Aware SE Default.skn - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »arrow1.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »arrow2.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bck1.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt11.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt12.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt13.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt21.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt22.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt23.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt31.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt32.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt33.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt41.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt42.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt43.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt51.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt52.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt53.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt61.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »bt62.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »checkbox1.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »checkbox2.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »checkbox3.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »checkbox4.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »defbtn1.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »defbtn2.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »defbtn3.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph1.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph2.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph3.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph4.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph5.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph6.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »glyph7.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »main.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »preview.bmp - error - password-protected file
C:\Documents and Settings\whencan westartnow\My Documents\My Pictures\apps\adaware se personal.exe »WISE »Ad-Aware SE default.ask »ZIP »sprite1.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »Ad-Aware SE Default.skn - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »arrow1.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »arrow2.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bck1.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt11.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt12.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt13.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt21.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt22.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt23.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt31.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt32.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt33.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt41.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt42.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt43.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt51.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt52.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt53.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt61.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »bt62.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »checkbox1.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »checkbox2.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »checkbox3.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »checkbox4.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »defbtn1.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »defbtn2.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »defbtn3.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph1.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph2.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph3.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph4.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph5.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph6.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »glyph7.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »main.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »preview.bmp - error - password-protected file
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask »ZIP »sprite1.bmp - error - password-protected file
C:\Program Files\Nero\Nero 7\Nero BackItUp\BackItUp_ImageTool\root.img »GZ - archive damaged
C:\Program Files\Webroot\Spy Sweeper\Masters.base - error opening (Access denied) [4]
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.bak - error opening (Access denied) [4]
C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const - error opening (Access denied) [4]
C:\Program Files\Webroot\Spy Sweeper\Masters\masters.mst - error opening (Access denied) [4]
C:\System Volume Information\MountPointManagerRemoteDatabase - error opening (Access denied) [4]
C:\WINDOWS\system32\config\default - error opening (File locked) [4]
C:\WINDOWS\system32\config\default.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM - error opening (File locked) [4]
C:\WINDOWS\system32\config\SAM.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY - error opening (File locked) [4]
C:\WINDOWS\system32\config\SECURITY.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\software - error opening (File locked) [4]
C:\WINDOWS\system32\config\software.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\config\system - error opening (File locked) [4]
C:\WINDOWS\system32\config\system.LOG - error opening (File locked) [4]
C:\WINDOWS\system32\drivers\sptd.sys - error opening (File locked) [4]
E:\RECYCLED\De4.zip »ZIP »package.dll »RAR »kill.exe - Win32/Parite.B virus
E:\RECYCLED\De4.zip »ZIP »package.dll »RAR »winlogon.exe - a variant of Win32/Iroffer trojan
Number of scanned files: 491745
Number of threats found: 2
Number of active threats: 1
Time of completion: 14:02:16 Total scanning time: 19164 sec (05:19:24)

Notes:
[4] File cannot be opened. It may be in use by another application or operating system.

[zer0nix]

err, whoops, neglect the "part 1" from the nod32 log. that's all there is

[zer0nix]

just noticed the 'attachments' function and decided to attach the spybot log, the nod32 log and a fresh hijackthis log i created after renaming the program hjt.exe

[zer0nix]

an update: it seems that the latest spybot update wiped away the fake.wget and bifrose.la infections but spybot is still detecting and terminating smitfraud-c in every game patch i try to run. antivirus programs are still picking up nothing; i even tried running nod32 in safe mode and it found nothing... can anyone help?

here is a fresh hijackthis log:

[zer0nix]

decided to try running smitfraudfix and followed the instructions here: http://forums.spybot.info/showthread.php?t=4015

still no success. the safemode spybot scan only picked up 6 tracking cookies and i'm not sure if smitfraudfix found anything; i've included below a smitfraudfix report, the log from the safemode spybot scan and a fresh hijackthis log after giving the program a new, less predictible name.

the symptoms of my infection are as so: whenever i try to install a game patch or mod from an install exe, teatimer/spybot detects smitfraud-c in the exe and terminates the process; essentially, i can't install patches or mods which is seriously hindering my gaming life. my antivirus/spyware programs pick up nothing... it seems like nothing is picking up anything! someone please help.

[illukka]

hi

9 posts in this thread, all by you.. i usually look for threads with 0 answers...



my first suggestion is to format the drive and reinstall windows

then i recommend these actions:
1) use a known secure computer to change all of your online passwords
2) contact your bank and credit card company for possible unauthorised transactions

more info can be found here:



How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

some further reading:

Security Management - May 2004
Help: I Got Hacked. Now What Do I Do?
http://www.microsoft.com/technet/community...gmt/sm0504.mspx

Security Management - July 2004
Help: I Got Hacked. Now What Do I Do? Part II
http://www.microsoft.com/technet/community...gmt/sm0704.mspx

and finally some more considerations:

When should I re-format? How should I reinstall?
http://www.dslreports.com/faq/10063

if you choose to format and reinstall see this link for instructions:
http://www.cyberwalker.net/faqs/how-...stall-faq.html

please let me know what you decide to do