Need supreme help with virtumonde

TheOnlyBigDog

I read several of the posts and used the fixes that were posted for removal, i.e. SDFix, ComboFix, VundoFix. It all seemed to be great until the next reboot, when it came back and brought with it a new Virtumonde.ddc and a bunch of spyware/adware/hacktools. Below is the report from the last S&D scan:

--- Search result list ---
Microsoft.WindowsSecurityCenter.AntiVirusDisableNotify: Settings (Registry change, fixed)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusDisableNotify!=dword:0

Virtumonde: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1343024091-1123561945-839522115-1003\Software\Microsoft\rdfa

Virtumonde: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-1343024091-1123561945-839522115-1003\Software\Microsoft\aldd

Virtumonde.ddc: Executable (File, nothing done)
C:\WINDOWS\system32\mscghmhk.exe

Virtumonde.ddc: Executable (File, nothing done)
C:\WINDOWS\system32\oovuhxhw.exe


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---


--- System information ---
Windows XP (Build: 2600) Service Pack 2
 
Hello TheOnlyBigDog

Welcome to Safer Networking.

Please read Before You Post.
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected things can happen.


Download Trend Micro's HijackThis to your desktop.
Double click it to install.
Follow the prompts and by default it will install in C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


This is important: do this and post a new HijackThis log.
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <-- Right click on HijackThis.exe (it looks like a man with a spyglass) and rename it to Scanner.exe


  • Open HJT, Scan and Save a Log File; it will open in Notepad.
  • Go to Format and make sure Word Wrap is unchecked.
  • Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread using Post Reply; do not start a New Thread.
DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
 
VIRTUMONDE & VIRTUMONDE.ddc

Please help.... I've tried everything in several posts to remove this bad boy, but to no avail. The last thing I tried was downloading Kaspersky, but every time I try it says I need an internet connection, and I am constantly online. Please help. Thanks, the BigDog
 
TheOnlyBigDog

Reply to this thread only by using the Submit Reply and do not start a New Topic.

Follow the instructions that I posted please.

Ken :)
 
the requested log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:25:50 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ndt2.sys
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\Indt2.sys
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [7c6a15e3] rundll32.exe "C:\WINDOWS\system32\xubyhnpn.dll",b
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?2e418709cb2e4b059d87d5fc7c556b13
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?2e418709cb2e4b059d87d5fc7c556b13
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - http://images.stage6.com/channel_images/divachannel/46dbf2a6e3650t.jpg
O24 - Desktop Component 1: (no name) - http://images.stage6.com/channel_images/divachannel/46dbf29ab9953t.jpg
O24 - Desktop Component 10: (no name) - http://images.stage6.com/channel_images/maxmotorshow/46720ef233bff.jpg
O24 - Desktop Component 11: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b36e8512c8.jpg
O24 - Desktop Component 12: (no name) - http://images.stage6.com/channel_images/maxmotorshow/46720a92b6691.jpg
O24 - Desktop Component 13: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b33b447f6e.jpg
O24 - Desktop Component 14: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b339a15c77.jpg
O24 - Desktop Component 15: (no name) - http://images.stage6.com/channel_images/maxmotorshow/4672068ba93f5.jpg
O24 - Desktop Component 16: (no name) - http://www.carstickerpro.com/~exoticmotorcars/7LA02176-16sm.jpg
O24 - Desktop Component 17: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b361f24f0b.jpg
O24 - Desktop Component 18: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b34e9c0f67.jpg
O24 - Desktop Component 2: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b365dc52e4.jpg
O24 - Desktop Component 3: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b33dc14c86.jpg
O24 - Desktop Component 4: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b36abce3ad.jpg
O24 - Desktop Component 5: (no name) - http://www.lamborghiniclub.com/mur6403.jpg
O24 - Desktop Component 6: (no name) - http://img.gactv.com/GAC/2006/05/16/rebamcentire8_v_p.jpg
O24 - Desktop Component 7: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b34a8ebc4c.jpg
O24 - Desktop Component 8: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b364329884.jpg
O24 - Desktop Component 9: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b3010da06d.jpg

--
End of file - 13423 bytes
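As an added example (my own code, not part of the thread and not HijackThis itself), a small Python triage script that pulls the O2 (BHO) and O4 (Run key) entries out of a log like the one above and flags the Vundo pattern: an anonymous display name (`(no name)`, a bare CLSID, or a hex token) paired with a lowercase, random-looking file stem sitting directly in system32. The sample lines are copied from the log above plus a few legitimate entries; the heuristic is the example's own, not a rule stated in the thread.

```python
"""Triage helper for HijackThis-style logs (added example, not the thread's tool).

Vundo/Virtumonde loads randomly named DLLs from system32 through O2 (BHO) and
O4 (Run key) entries.  This script extracts those entries and flags the ones
whose name/path combination looks machine-generated.
"""
import re

# Constructed sample: lines copied from the log posted above, plus legitimate
# entries (Adobe, NVIDIA, Spybot, ctfmon) to show what is *not* flagged.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F63F801-8D5B-4CBB-ADF7-65108E8A976E} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\rqrqqqo.dll
O2 - BHO: {f0cb7835-fbbe-c8eb-b734-a358c0d80ef1} - {1fe08d0c-853a-437b-be8c-ebbf5387bc0f} - C:\WINDOWS\system32\cwycipsn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [7c6a15e3] rundll32.exe "C:\WINDOWS\system32\xubyhnpn.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,16}$")
PATH_IN_CMD_RE = re.compile(r'([A-Za-z]:\\[^",]+\.(?:dll|exe))', re.IGNORECASE)
RANDOM_STEM_RE = re.compile(r"^[a-z]{5,8}$")  # all lowercase, 5-8 letters


def parse_entries(log_text):
    """Return a list of dicts for O2 and O4 lines; other line types are ignored."""
    entries = []
    for line in log_text.splitlines():
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", "name": m["name"], "path": m["path"], "line": line})
            continue
        m = O4_RE.match(line)
        if m:
            # The Run value is a command line; pull the first .dll/.exe path out of it.
            pm = PATH_IN_CMD_RE.search(m["cmd"])
            path = pm.group(1) if pm else m["cmd"]
            entries.append({"kind": "O4", "name": m["name"], "path": path, "line": line})
    return entries


def anonymous_name(name):
    """True when the display name carries no vendor information at all."""
    return name == "(no name)" or bool(CLSID_RE.match(name)) or bool(HEX_NAME_RE.match(name))


def looks_generated(entry):
    """Flag entries combining an anonymous name with a lowercase, random-looking
    file stem living directly in system32.  Legitimate Windows binaries such as
    ctfmon.exe keep a meaningful display name, so they pass; "(no name)" alone
    (e.g. Spybot's SDHelper.dll outside system32) is not enough either."""
    folder, _, filename = entry["path"].rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    in_system32 = folder.lower().endswith(r"\windows\system32")
    return in_system32 and bool(RANDOM_STEM_RE.match(stem)) and anonymous_name(entry["name"])


def suspicious_files(log_text):
    """File names the heuristic flags, in log order."""
    return [e["path"].rsplit("\\", 1)[-1] for e in parse_entries(log_text) if looks_generated(e)]


if __name__ == "__main__":
    for e in parse_entries(SAMPLE_LOG):
        print(("FLAG " if looks_generated(e) else "     ") + e["line"])
```

Flagged files are candidates for a closer look (file properties, vendor signature, a scan), not an automatic removal list.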
 
Hello,

Glad that we finally hooked up. Everything we ask you to do is for a reason: the thieves who wrote Vundo wrote it to evade a HJT scan, and by renaming HJT to something else, if Vundo is present on your system it will then show up on your log. You have not done that per my instructions. You have one marker on your log for Vundo, but I am sure there are more.

You have more serious issues on this system besides Vundo.

You have a downloader trojan called Downloader.Agent.awf or Downloader.Agent.ayy. This trojan replaces legitimate files that are common on most computers with an infected file. It then moves the legitimate file to a "bak" or backup folder. Please follow the directions below to run FindAWF so we can identify the files that have been infected and the backups, then restore them.


Please download FindAWF and save it to your desktop

  • Double-click FindAWF.exe to start the tool.
  • Select option #1 - Scan for bak folders by typing 1 and press 'Enter'
  • When the tool has completed, a report will open up in notepad. Please post the results of the awf.txt here.

**Do not run any other option unless directed to do so.**


Post the AWF log and rename HijackThis.
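As an added example (my own code, not FindAWF and not part of the thread), a Python script that does the check behind a FindAWF option 1 report: walk a tree, pair each file in a folder named bak with the same-named file in the parent folder, and classify the pair by size and SHA-256. It runs on a temporary directory with constructed contents modelled on the kind of layout such a report shows; the folder and file names are stand-ins, not the user's real paths.

```python
"""FindAWF-style check for "bak" folders (added example, not the thread's tool).

The downloader described above moves a legitimate program into a sibling "bak"
folder and drops its own file under the original name.  Pairing every bak file
with the live file of the same name tells you which originals were swapped.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_sibling(parent, name):
    """Windows file names are case-insensitive (CCAPP.EXE == ccApp.exe), so
    match the backup's name against the parent folder without regard to case."""
    for entry in parent.iterdir():
        if entry.is_file() and entry.name.lower() == name.lower():
            return entry
    return None


def classify_pair(backup, live):
    if live is None:
        return "MISSING"      # backup exists, nothing left under that name in the parent
    if backup.stat().st_size != live.stat().st_size:
        return "REPLACED"     # different size: the live file is not the original
    if sha256_of(backup) != sha256_of(live):
        return "MODIFIED"     # same size, different bytes: still not the original
    return "IDENTICAL"        # a stale backup; nothing to restore


def scan_bak_folders(root):
    """Return {posix-style relative backup path: verdict} for every file under a bak folder."""
    results = {}
    root = Path(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        d = Path(dirpath)
        if d.name.lower() != "bak":
            continue
        for fn in filenames:
            backup = d / fn
            live = find_sibling(d.parent, fn)
            results[backup.relative_to(root).as_posix()] = classify_pair(backup, live)
    return results


def build_sample_tree():
    """Constructed layout (stand-in names, constructed bytes): one swapped binary,
    one untouched, one same-size tamper, and one backup whose original is gone."""
    root = Path(tempfile.mkdtemp(prefix="awf-demo-"))
    layout = {
        "SymNetDrv/SNDMon.exe": b"DROPPED STAND-IN, LONGER THAN THE ORIGINAL",
        "SymNetDrv/bak/SNDMon.exe": b"ORIGINAL SNDMON",
        "Symantec Shared/CCAPP.EXE": b"ORIGINAL CCAPP",
        "Symantec Shared/bak/ccApp.exe": b"ORIGINAL CCAPP",
        "Real/Update_OB/bak/realsched.exe": b"ORIGINAL REALSCHED",
        "Creative/Detector/CTDetect.exe": b"ORIGINAL CTDETECT",
        "Creative/Detector/bak/CTDetect.exe": b"TAMPERED CTDETECT",  # same length
    }
    for rel, data in layout.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root


def demo():
    """Build the sample tree, scan it, and clean up; returns the verdict map."""
    root = build_sample_tree()
    try:
        return scan_bak_folders(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for path, verdict in sorted(demo().items()):
        print(f"{verdict:9} {path}")
```

REPLACED and MODIFIED pairs are the ones a restore step would act on; IDENTICAL pairs can be left alone, and a MISSING pair means the original name no longer exists in the parent folder at all.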
 
AWF file as asked for

Find AWF report by noahdfear ©2006
Version 1.40

The current date is: Sat 12/01/2007
The current time is: 21:19:45.81


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 12:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

09/27/2007 10:49 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 04:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/22/2007 06:30 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

04/22/2003 02:05 PM 94,208 CTDetect.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 12:00 AM 45,056 CTDVDDET.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

07/02/2003 09:03 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of D:\PROGRA~1\321STU~1\PLATINUM\BAK

10/28/2003 01:31 PM 0 makedir
1 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\Updreg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
111840 Oct 16 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Sep 27 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58488 Aug 13 2004 "C:\unzipped\Norton Antivirus 2005 + Keygen\Norton Antivirus 2005\SUPPORT\CCCOMMON\CCCOMMON\CCAPP.EXE"
58488 Aug 13 2004 "C:\Documents and Settings\BURNING ADDICTION\A BURNING ADDICTION\new documents\BRIAN\jayson\Norton Antivirus 2005 + Keygen\Norton Antivirus 2005\SUPPORT\CCCOMMON\CCCOMMON\CCAPP.EXE"
180269 Sep 22 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
94208 Apr 22 2003 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
94208 Apr 22 2003 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
102400 Dec 2 2004 "D:\PROGRAMS 2\Creative\MediaSource\Detector\CTDetect.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE"
57344 Jul 2 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe"
57344 Jul 2 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
0 Oct 28 2003 "D:\PROGRAMS 2\321Studios\Platinum\bak\makedir"
0 Oct 28 2003 "D:\PROGRAMS 2\321Studios\Platinum\tdf\makedir.dir"


end of report
 
Double-click FindAWF.exe to start the tool.

* Select option #2 - Restore files from bak folders by typing 2 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\WINDOWS\bak\UpdReg.EXE
C:\Program Files\SymNetDrv\bak\SNDMon.exe
C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe
C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe
D:\PROGRAMS 2\321Studios\Platinum\bak\makedir

* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt here.


Take your time, been a long day, be back in the AM,

Ken :)
 
Below is the renamed HijackThis log file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:40:15 PM, on 12/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\YTBSDK.exe
C:\Program Files\Trend Micro\HijackThis\Scanner.exe.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: XTTBPos00 - {055FD26D-3A88-4e15-963D-DC8493744B1D} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0F63F801-8D5B-4CBB-ADF7-65108E8A976E} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\rqrqqqo.dll
O2 - BHO: {f0cb7835-fbbe-c8eb-b734-a358c0d80ef1} - {1fe08d0c-853a-437b-be8c-ebbf5387bc0f} - C:\WINDOWS\system32\cwycipsn.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {8B508EC3-EDAD-418C-8A17-DF7622C0D854} - \
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\PROGRA~1\ICQTOO~1\toolbaru.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [CTDVDDET] C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE
O4 - HKLM\..\Run: [SBDrvDet] C:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\WINDOWS\system32\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Elements 6.0\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [UVS11 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 11\uvPL.exe
O4 - HKLM\..\Run: [7c6a15e3] rundll32.exe "C:\WINDOWS\system32\xubyhnpn.dll",b
O4 - HKCU\..\Run: [Creative Detector] C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe /R
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?2e418709cb2e4b059d87d5fc7c556b13
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?2e418709cb2e4b059d87d5fc7c556b13
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6\ICQ.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.doginhispen.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager_dev/plugin/IEGetPlugin.ocx
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
O16 - DPF: {FFBB3F3B-0A5A-4106-BE53-DFE1E2340CB1} (DownloadManager Control) - http://dlm.tools.akamai.com/dlmanager/versions/activex/dlm-activex-2.2.1.6.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: rqrqqqo - C:\WINDOWS\SYSTEM32\rqrqqqo.dll
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Capture Device Service - InterVideo Inc. - C:\Program Files\Common Files\InterVideo\DeviceService\DevSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: ForceWare Intelligent Application Manager (IAM) - Unknown owner - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcAppFlt.exe
O23 - Service: Forceware Web Interface (ForcewareWebInterface) - Apache Software Foundation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\Apache Group\Apache2\bin\apache.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: ForceWare IP service (nSvcIp) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcIp.exe
O23 - Service: ForceWare user log service (nSvcLog) - NVIDIA Corporation - C:\Program Files\NVIDIA Corporation\NetworkAccessManager\bin\nSvcLog.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O24 - Desktop Component 0: (no name) - http://images.stage6.com/channel_images/divachannel/46dbf2a6e3650t.jpg
O24 - Desktop Component 1: (no name) - http://images.stage6.com/channel_images/divachannel/46dbf29ab9953t.jpg
O24 - Desktop Component 10: (no name) - http://images.stage6.com/channel_images/maxmotorshow/46720ef233bff.jpg
O24 - Desktop Component 11: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b36e8512c8.jpg
O24 - Desktop Component 12: (no name) - http://images.stage6.com/channel_images/maxmotorshow/46720a92b6691.jpg
O24 - Desktop Component 13: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b33b447f6e.jpg
O24 - Desktop Component 14: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b339a15c77.jpg
O24 - Desktop Component 15: (no name) - http://images.stage6.com/channel_images/maxmotorshow/4672068ba93f5.jpg
O24 - Desktop Component 16: (no name) - http://www.carstickerpro.com/~exoticmotorcars/7LA02176-16sm.jpg
O24 - Desktop Component 17: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b361f24f0b.jpg
O24 - Desktop Component 18: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b34e9c0f67.jpg
O24 - Desktop Component 2: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b365dc52e4.jpg
O24 - Desktop Component 3: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b33dc14c86.jpg
O24 - Desktop Component 4: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b36abce3ad.jpg
O24 - Desktop Component 5: (no name) - http://www.lamborghiniclub.com/mur6403.jpg
O24 - Desktop Component 6: (no name) - http://img.gactv.com/GAC/2006/05/16/rebamcentire8_v_p.jpg
O24 - Desktop Component 7: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b34a8ebc4c.jpg
O24 - Desktop Component 8: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b364329884.jpg
O24 - Desktop Component 9: (no name) - http://images.stage6.com/channel_images/maxmotorshow/467b3010da06d.jpg

--
End of file - 15092 bytes
 
You do have a bunch of Vundo entries; we will tackle those after we finish up with the AWF program. You also have a backdoor trojan along with a couple of other nasties. Outside of posting here, I would recommend staying off the internet until we give you the all clear.
 
Here is the 2nd AWF report

Find AWF report by noahdfear ©2006
Version 1.40
Option 2 run successfully

The current date is: Sat 12/01/2007
The current time is: 21:44:07.87


bak folders found
~~~~~~~~~~~


Directory of C:\WINDOWS\BAK

05/11/2000 12:00 AM 90,112 UpdReg.EXE
1 File(s) 90,112 bytes

Directory of C:\PROGRA~1\SYMNET~1\BAK

09/27/2007 10:49 PM 100,056 SNDMon.exe
1 File(s) 100,056 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

01/09/2007 04:32 PM 58,984 ccApp.exe
1 File(s) 58,984 bytes

Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

09/22/2007 06:30 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\CREATIVE\MEDIAS~1\DETECTOR\BAK

04/22/2003 02:05 PM 94,208 CTDetect.exe
1 File(s) 94,208 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\DVDAUDIO\BAK

06/18/2003 12:00 AM 45,056 CTDVDDET.EXE
1 File(s) 45,056 bytes

Directory of C:\PROGRA~1\CREATIVE\SBAUDI~1\SURROU~1\BAK

07/02/2003 09:03 AM 57,344 CTSysVol.exe
1 File(s) 57,344 bytes

Directory of D:\PROGRA~1\321STU~1\PLATINUM\BAK

10/28/2003 01:31 PM 0 makedir
1 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

90112 May 11 2000 "C:\WINDOWS\UpdReg.EXE"
90112 May 11 2000 "C:\WINDOWS\bak\UpdReg.EXE"
111840 Oct 16 2007 "C:\Program Files\SymNetDrv\SNDMon.exe"
100056 Sep 27 2007 "C:\Program Files\SymNetDrv\bak\SNDMon.exe"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\CCAPP.EXE"
58984 Jan 9 2007 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
58488 Aug 13 2004 "C:\unzipped\Norton Antivirus 2005 + Keygen\Norton Antivirus 2005\SUPPORT\CCCOMMON\CCCOMMON\CCAPP.EXE"
58488 Aug 13 2004 "C:\Documents and Settings\BURNING ADDICTION\A BURNING ADDICTION\new documents\BRIAN\jayson\Norton Antivirus 2005 + Keygen\Norton Antivirus 2005\SUPPORT\CCCOMMON\CCCOMMON\CCAPP.EXE"
180269 Sep 22 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
94208 Apr 22 2003 "C:\Program Files\Creative\MediaSource\Detector\CTDetect.exe"
94208 Apr 22 2003 "C:\Program Files\Creative\MediaSource\Detector\bak\CTDetect.exe"
102400 Dec 2 2004 "D:\PROGRAMS 2\Creative\MediaSource\Detector\CTDetect.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.exe"
45056 Jun 18 2003 "C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak\CTDVDDET.EXE"
57344 Jul 2 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe"
57344 Jul 2 2003 "C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak\CTSysVol.exe"
0 Oct 28 2003 "D:\PROGRAMS 2\321Studios\Platinum\bak\makedir"
0 Oct 28 2003 "D:\PROGRAMS 2\321Studios\Platinum\tdf\makedir.dir"


end of report
P.S. What time in the A.M., so I can be sure to be on when you get here?
 
Thank you in advance for all your hard work.

Thanks... and hit me up with a time so I can just log off and we will hook back up in the A.M.... that is, of course, if you would choose to do it then.... anytime is good for me.
 
Double-click FindAWF.exe to start the tool.

* Select option #3 - Remove bak folders by typing 3 and press 'Enter'
* A text file will open up. Please copy/paste the following bolded text into the text file:

C:\WINDOWS\bak
C:\Program Files\SymNetDrv\bak
C:\Program Files\Common Files\Symantec Shared\bak
C:\Program Files\Common Files\Real\Update_OB\bak
C:\Program Files\Creative\MediaSource\Detector\bak
C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\bak
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\bak
D:\PROGRAMS 2\321Studios\Platinum\bak
* Close the .txt file and click 'Yes' to save the changes.
* When the tool has completed, a report will open up in notepad.

Please post the results of the awf.txt in your next reply
 
Awf#3 Report

Find AWF report by noahdfear ©2006
Version 1.40
Option 3 run successfully

The current date is: Sun 12/02/2007
The current time is: 10:49:12.75


bak folders found
~~~~~~~~~~~


Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

0 File(s) 0 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~



end of report
 
Great :bigthumb: We are ready to move on.

First, let me point out that this program is not malicious but is advertising related, so it's your call whether to uninstall it or not.

http://www.superadblocker.com/definition/palstart/
C:\Program Files\Paltalk Messenger


There is going to be a lot to do; you may want to print this out and keep it handy. We are going to run a few scans to start the removal of this garbage. I need to see all the reports; they most likely will not fit in one reply, so take 2 or more replies to post them all.


Download: DelDomains and save it to the desktop.
  • Close all open windows and your browser
  • Right Click DelDomains.inf and select > Install
  • Reboot your computer
We need to make sure all hidden files are showing :
  • Click Start.
  • Open My Computer.
  • Select the Tools menu and click Folder Options.
  • Select the View tab.
  • Under the Hidden files and folders heading select Show hidden files and folders.
  • Uncheck the Hide file extensions for known types option.
  • Uncheck the Hide protected operating system files (recommended) option.
  • Click Yes to confirm.
  • Click OK.
Once your system is clean, we suggest that you reverse this to keep critical Windows files from accidentally being deleted.



Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked.

O2 - BHO: (no name) - {0F63F801-8D5B-4CBB-ADF7-65108E8A976E} - C:\WINDOWS\system32\vtuts.dll
O2 - BHO: (no name) - {1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE} - C:\WINDOWS\system32\rqrqqqo.dll
O2 - BHO: {f0cb7835-fbbe-c8eb-b734-a358c0d80ef1} - {1fe08d0c-853a-437b-be8c-ebbf5387bc0f} - C:\WINDOWS\system32\cwycipsn.dll
O2 - BHO: (no name) - {8B508EC3-EDAD-418C-8A17-DF7622C0D854} - \

O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [7c6a15e3] rundll32.exe "C:\WINDOWS\system32\xubyhnpn.dll",b


Remove this only if you have uninstalled Paltalk
O9 - Extra button: PalTalk - {4EAFEF58-EEFA-4116-983D-03B49BCBFFFE} - C:\Program Files\Paltalk Messenger\Paltalk.exe

O20 - Winlogon Notify: rqrqqqo - C:\WINDOWS\SYSTEM32\rqrqqqo.dll

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe


I don't know what these are and I am not clicking on the link to find out.
O24 - Desktop Component 0: (no name) - http://images.stage6.com/channel_ima...f2a6e3650t.jpg
O24 - Desktop Component 1: (no name) - http://images.stage6.com/channel_ima...f29ab9953t.jpg
O24 - Desktop Component 10: (no name) - http://images.stage6.com/channel_ima...20ef233bff.jpg
O24 - Desktop Component 11: (no name) - http://images.stage6.com/channel_ima...b36e8512c8.jpg
O24 - Desktop Component 12: (no name) - http://images.stage6.com/channel_ima...20a92b6691.jpg
O24 - Desktop Component 13: (no name) - http://images.stage6.com/channel_ima...b33b447f6e.jpg
O24 - Desktop Component 14: (no name) - http://images.stage6.com/channel_ima...b339a15c77.jpg
O24 - Desktop Component 15: (no name) - http://images.stage6.com/channel_ima...2068ba93f5.jpg
O24 - Desktop Component 16: (no name) - http://www.carstickerpro.com/~exotic...02176-16sm.jpg
O24 - Desktop Component 17: (no name) - http://images.stage6.com/channel_ima...b361f24f0b.jpg
O24 - Desktop Component 18: (no name) - http://images.stage6.com/channel_ima...b34e9c0f67.jpg
O24 - Desktop Component 2: (no name) - http://images.stage6.com/channel_ima...b365dc52e4.jpg
O24 - Desktop Component 3: (no name) - http://images.stage6.com/channel_ima...b33dc14c86.jpg
O24 - Desktop Component 4: (no name) - http://images.stage6.com/channel_ima...b36abce3ad.jpg
O24 - Desktop Component 5: (no name) - http://www.lamborghiniclub.com/mur6403.jpg
O24 - Desktop Component 6: (no name) - http://img.gactv.com/GAC/2006/05/16/...ntire8_v_p.jpg
O24 - Desktop Component 7: (no name) - http://images.stage6.com/channel_ima...b34a8ebc4c.jpg
O24 - Desktop Component 8: (no name) - http://images.stage6.com/channel_ima...b364329884.jpg
O24 - Desktop Component 9: (no name) - http://images.stage6.com/channel_ima...b3010da06d.jpg



Delete the files in Red
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\cwycipsn.dll

Download VundoFix to your desktop

  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



Please download SuperAntiSpyware
Install the program
  • Run SuperAntiSpyware and click: Check for updates
  • Once the update is finished, on the main screen, click: Scan your computer
  • Check: Perform Complete Scan
  • Click Next to start the scan.
Superantispyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Then, click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
  • Click: Preferences
  • Click the Statistics/Logs tab
  • Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please provide the SuperAntiSpyware log in your reply, as well as a new HijackThis log.



Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Let me see ....

1. Vundofix log
2. SAS log
3. Combofix log
4. New HJT log
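Added example (Python; not code from this thread, from HijackThis, or from any of the tools named above): a triage pass over HijackThis log lines that encodes the patterns behind the entries the helper told the poster to fix. The sample lines are constructed from the log shapes posted in this thread, with a benign line of each type so the rules have something to leave alone.

```python
"""Flag the HijackThis entry shapes singled out for removal in this thread.

Rules (all heuristics, written for this example): an unnamed or GUID-named
BHO backed by a DLL in system32 or by no file at all; a Run value whose name
looks like a hex hash, or that calls rundll32 on a system32 DLL through a
one- or two-letter export; a Winlogon Notify DLL in system32; a service with
"Unknown owner" running from system32; any Trusted Zone entry.
"""
import re
from dataclasses import dataclass

# Constructed sample: line shapes copied from the log in this thread plus
# benign lines of each type (Adobe, Spybot SDHelper, ccApp, NvCpl, NVSvc).
SAMPLE_LOG = "\n".join([
    r"O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {0F63F801-8D5B-4CBB-ADF7-65108E8A976E} - C:\WINDOWS\system32\vtuts.dll",
    r"O2 - BHO: {f0cb7835-fbbe-c8eb-b734-a358c0d80ef1} - {1fe08d0c-853a-437b-be8c-ebbf5387bc0f} - C:\WINDOWS\system32\cwycipsn.dll",
    r"O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll",
    "O2 - BHO: (no name) - {8B508EC3-EDAD-418C-8A17-DF7622C0D854} - \\",
    r'O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"',
    r"O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup",
    r'O4 - HKLM\..\Run: [7c6a15e3] rundll32.exe "C:\WINDOWS\system32\xubyhnpn.dll",b',
    r"O15 - Trusted Zone: *.doginhispen.com",
    r"O20 - Winlogon Notify: rqrqqqo - C:\WINDOWS\SYSTEM32\rqrqqqo.dll",
    r"O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe",
    r"O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe",
])

GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
SYSTEM32_RE = re.compile(r"^[A-Za-z]:\\WINDOWS\\SYSTEM32\\[^\\]+$", re.IGNORECASE)
HEX_NAME_RE = re.compile(r"^[0-9A-Fa-f]{6,}$")          # value names like [7c6a15e3]
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+)"?,(\w{1,2})$', re.IGNORECASE)

# One regex per HijackThis section this example understands.
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<value>[^\]]*)\] (?P<cmd>.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (?P<zone>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")


@dataclass
class Finding:
    section: str
    reasons: list
    line: str


def in_system32(path: str) -> bool:
    """True when the (possibly quoted) path is a file directly under system32."""
    return bool(SYSTEM32_RE.match(path.strip('"')))


def check_line(line: str):
    """Return a Finding for one HijackThis line, or None when no rule fires."""
    reasons = []
    if (m := O2_RE.match(line)):
        section = "O2"
        anonymous = m["name"] == "(no name)" or bool(GUID_RE.match(m["name"]))
        path = m["path"]
        if anonymous and in_system32(path):
            reasons.append("unnamed BHO backed by a DLL in system32")
        if anonymous and path in ("\\", "(no file)", ""):
            reasons.append("unnamed BHO with no backing file")
    elif (m := O4_RE.match(line)):
        section = "O4"
        if HEX_NAME_RE.match(m["value"]):
            reasons.append("Run value named like a hex hash")
        r = RUNDLL_RE.match(m["cmd"])
        if r and in_system32(r.group(1)):
            reasons.append(f"rundll32 loads a system32 DLL via short export '{r.group(2)}'")
    elif O15_RE.match(line):
        section = "O15"
        reasons.append("Trusted Zone entry lowers IE security for this domain")
    elif (m := O20_RE.match(line)):
        section = "O20"
        if in_system32(m["path"]):
            reasons.append("Winlogon Notify DLL in system32 (loaded at every logon)")
    elif (m := O23_RE.match(line)):
        section = "O23"
        if m["owner"] == "Unknown owner" and in_system32(m["path"]):
            reasons.append("service with no vendor string running from system32")
    else:
        return None
    return Finding(section, reasons, line) if reasons else None


def triage(text: str) -> list:
    """Run check_line over every line of a log; keep only the lines that fire."""
    return [f for f in (check_line(l.strip()) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {'; '.join(f.reasons)}\n    {f.line}")
```

The rules deliberately require a second signal beside "(no name)": the Spybot SDHelper BHO in the sample is unnamed too, but it lives outside system32 and is left alone.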
 
vundofix log as requested

VundoFix V6.6.2

Checking Java version...

Scan started at 1:22:07 PM 12/2/2007

Listing files found while scanning....

C:\windows\system32\paxcqdog.exe

Beginning removal...

Attempting to delete C:\windows\system32\paxcqdog.exe
C:\windows\system32\paxcqdog.exe Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.6.2

Checking Java version...

Scan started at 1:38:06 PM 12/2/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...
 
SAS log as requested

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/02/2007 at 02:31 PM

Application Version : 3.9.1008

Core Rules Database Version : 3353
Trace Rules Database Version: 1352

Scan type : Complete Scan
Total Scan Time : 00:33:07

Memory items scanned : 400
Memory threats detected : 5
Registry items scanned : 8520
Registry threats detected : 14
File items scanned : 49094
File threats detected : 62

Adware.Vundo-Variant/Small
C:\WINDOWS\SYSTEM32\RQRQQQO.DLL
C:\WINDOWS\SYSTEM32\RQRQQQO.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}
HKCR\CLSID\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}
HKCR\CLSID\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}\InprocServer32
HKCR\CLSID\{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{1A589AA6-EDDD-4552-AB9A-4EDFF5CDD7DE}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\rqrqqqo
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20071202-133447-544.DLL
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20071202-133745-421.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\VTUTS.DLL
C:\WINDOWS\SYSTEM32\VTUTS.DLL
HKLM\Software\Classes\CLSID\{6C0D1D5D-5D38-4A55-AD9F-CDD4F0179309}
HKCR\CLSID\{6C0D1D5D-5D38-4A55-AD9F-CDD4F0179309}
HKCR\CLSID\{6C0D1D5D-5D38-4A55-AD9F-CDD4F0179309}\InprocServer32
HKCR\CLSID\{6C0D1D5D-5D38-4A55-AD9F-CDD4F0179309}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6C0D1D5D-5D38-4A55-AD9F-CDD4F0179309}

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\PERFS.EXE
C:\WINDOWS\SYSTEM32\PERFS.EXE
HKLM\System\ControlSet001\Services\perfmons
HKLM\System\ControlSet002\Services\perfmons
HKLM\System\CurrentControlSet\Services\perfmons
C:\WINDOWS\SYSTEM32\NDT.SYS

Rootkit.NDT2
C:\WINDOWS\SYSTEM32\NDT2.SYS
C:\WINDOWS\SYSTEM32\NDT2.SYS
C:\WINDOWS\Prefetch\NDT2.SYS-22AAAB91.pf

Trojan.Downloader-Gen/INDT2
C:\WINDOWS\SYSTEM32\INDT2.SYS
C:\WINDOWS\SYSTEM32\INDT2.SYS
C:\WINDOWS\Prefetch\INDT2.SYS-3A706AA7.pf

Adware.Tracking Cookie
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@atdmt[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@adultfriendfinder[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@login.tracking101[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@richmedia.yahoo[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@www.epilot[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@adbrite[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@networksolutions.112.2o7[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@crack.serial.cracks[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@hornymatches[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@ads.revsci[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@tagiq.clickforensics[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@ads.auctionads[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@trafficmp[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@ads.pointroll[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@revsci[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@videoegg.adbureau[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@cracks[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@adinterax[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@realmedia[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@4.adbrite[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@specificclick[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@electronicarts.112.2o7[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@tacoda[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@heavycom.122.2o7[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@advertising[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@www.levelclick[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@yadro[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@2o7[3].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@adopt.specificclick[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@2o7[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@ehg-kasperskylab.hitbox[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@ehg-pcsecurityshield.hitbox[1].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@hitbox[2].txt
C:\Documents and Settings\BURNING ADDICTION\Cookies\burning_addiction@tagiq.clickforensics[2].txt
C:\Documents and Settings\NetworkService\Cookies\system@advertising[1].txt
C:\Documents and Settings\NetworkService\Cookies\system@fastclick[2].txt

Adware.Vundo-Variant/Small-A
C:\PROGRAM FILES\TREND MICRO\HIJACKTHIS\BACKUPS\BACKUP-20071202-133447-337.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP8\A0001189.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP8\A0001441.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP8\A0001444.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP8\A0001445.DLL
C:\WINDOWS\SYSTEM32\CWYCIPSN.DLL
C:\WINDOWS\SYSTEM32\MTAGJVJB.DLL

Trojan.Downloader-Gen/TaLDrv
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\M8\NSTS2DLL1.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP2\A0000011.EXE

Adware.Vundo/Traff-2
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP11\A0001615.EXE
C:\VUNDOFIX BACKUPS\PAXCQDOG.EXE.BAD

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP2\A0000016.DLL

Trojan.Downloader-Gen/DDC
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP4\A0000763.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP4\A0000764.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP8\A0001194.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{5A3EE6B5-B90C-421D-947A-28025705C782}\RP8\A0001443.EXE
 
Combofix Log as requested pt1

ComboFix 07-11-19.4 - BURNING ADDICTION 2007-12-02 14:38:03.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1561 [GMT -8:00]
Running from: C:\Documents and Settings\BURNING ADDICTION\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-02 to 2007-12-02 )))))))))))))))))))))))))))))))
.

2007-12-02 13:42 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-12-02 13:42 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\SUPERAntiSpyware.com
2007-12-02 13:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-02 13:22 <DIR> d-------- C:\VundoFix Backups
2007-12-01 18:00 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-01 16:46 0 --a------ C:\WINDOWS\system32\npnhybux.tmp
2007-12-01 04:20 441,495 --ahs---- C:\WINDOWS\system32\stutv.ini2
2007-12-01 04:20 441,495 --ahs---- C:\WINDOWS\system32\stutv.ini
2007-11-30 20:22 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2007-11-30 11:23 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-30 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-30 11:17 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-30 10:00 2,654,789 ---hs---- C:\WINDOWS\system32\npnhybux.ini
2007-11-29 19:48 <DIR> d-------- C:\Program Files\Windows Live Favorites
2007-11-29 15:32 <DIR> d-------- C:\Program Files\Magic Video Studio
2007-11-29 15:32 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Vso
2007-11-29 15:32 719,872 --a------ C:\WINDOWS\system32\devil.dll
2007-11-29 15:32 314,368 --a------ C:\WINDOWS\system32\avisynth.dll
2007-11-29 15:32 81,920 --a------ C:\Documents and Settings\BURNING ADDICTION\Application Data\ezpinst.exe
2007-11-29 15:32 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-11-29 15:32 47,360 --a------ C:\Documents and Settings\BURNING ADDICTION\Application Data\pcouffin.sys
2007-11-29 15:22 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2007-11-29 15:22 <DIR> d-------- C:\Program Files\ACD Systems
2007-11-29 15:22 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\ACD Systems
2007-11-29 14:38 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2007-11-29 14:37 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\ICQ Toolbar
2007-11-29 14:08 <DIR> d-------- C:\Program Files\Common Files\InterVideo
2007-11-29 14:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\InterVideo
2007-11-29 14:08 210,456 --a------ C:\WINDOWS\system32\IVIresizeW7.dll
2007-11-29 14:08 206,360 --a------ C:\WINDOWS\system32\IVIresizeA6.dll
2007-11-29 14:08 198,168 --a------ C:\WINDOWS\system32\IVIresizeP6.dll
2007-11-29 14:08 198,168 --a------ C:\WINDOWS\system32\IVIresizeM6.dll
2007-11-29 14:08 194,072 --a------ C:\WINDOWS\system32\IVIresizePX.dll
2007-11-29 14:08 26,136 --a------ C:\WINDOWS\system32\IVIresize.dll
2007-11-29 14:07 <DIR> d-------- C:\Program Files\Windows Media Components
2007-11-29 01:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DLSZMJGIYG
2007-11-28 12:21 2,028,042 ---hs---- C:\WINDOWS\system32\ujcxrjkp.ini
2007-11-27 11:32 <DIR> d-------- C:\garbage
2007-11-27 10:27 <DIR> d-------- C:\Temp
2007-11-27 09:36 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-11-27 08:24 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-27 08:24 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-27 08:24 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-27 08:24 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-27 08:24 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-27 08:24 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-27 08:24 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-27 08:24 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-27 08:24 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-27 01:29 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-11-26 22:32 <DIR> d-------- C:\Program Files\Deskshare
2007-11-26 22:10 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Download Manager
2007-11-26 22:10 1,085,520 --a------ C:\PRE4_TB_WWEFGJ.exe
2007-11-26 21:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-26 21:37 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-11-26 21:37 258,352 --a------ C:\WINDOWS\system32\Unicows.dll
2007-11-25 20:43 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Nero
2007-11-23 16:54 <DIR> d-------- C:\Program Files\InterActual
2007-11-18 14:01 7 --a------ C:\WINDOWS\system32\hoghslots.reg
2007-11-17 01:38 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Sonic
2007-11-17 01:34 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Leadertech
2007-11-17 01:16 <DIR> d-------- C:\Program Files\Aimersoft
2007-11-13 14:21 <DIR> d-------- C:\rec
2007-11-13 10:19 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\Application Data\Nitrogen
2007-11-06 18:11 748,000 --a------ C:\WINDOWS\system32\#store3.rst
2007-11-05 21:26 <DIR> d-------- C:\Program Files\Codec Pack - All In 1
2007-11-05 19:53 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\JAPANESE DVD
2007-11-05 19:32 <DIR> d-------- C:\Documents and Settings\BURNING ADDICTION\DOCS
2007-11-05 11:41 <DIR> d-------- C:\Program Files\321Studios
2007-11-05 11:38 <DIR> d-------- C:\Program Files\Cucusoft
2007-11-04 17:12 <DIR> d-------- C:\iSofterOutput
2007-11-04 17:01 <DIR> d-------- C:\Program Files\iSofter
2007-11-04 17:01 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2007-11-04 17:01 716,800 --a------ C:\WINDOWS\system32\lameACM.acm
2007-11-04 17:01 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2007-11-04 17:01 45,056 --a------ C:\WINDOWS\system32\wnaspi32.dll
2007-11-04 17:01 16,512 --a------ C:\WINDOWS\system32\drivers\aspi32.sys
2007-11-04 17:01 414 --a------ C:\WINDOWS\system32\lame_acm.xml
2007-11-03 19:24 <DIR> d--hs---- C:\Documents and Settings\NetworkService\UserData

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-02 21:31 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-12-02 20:50 --------- d-----w C:\Program Files\Paltalk Messenger
2007-12-02 20:50 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Paltalk
2007-12-02 18:49 --------- d-----w C:\Program Files\SymNetDrv
2007-12-02 03:47 --------- d-----w C:\Program Files\ICQToolbar
2007-12-01 01:30 --------- d-----w C:\Program Files\Norton AntiVirus
2007-11-30 03:48 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-29 22:56 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Ulead Systems
2007-11-29 22:43 488 ---ha-r C:\2syttodxas.sys
2007-11-29 22:43 --------- d-----w C:\Program Files\Sax & Dottys Show Hoster
2007-11-29 22:08 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-29 22:07 --------- d-----w C:\Program Files\Ulead Systems
2007-11-29 22:07 --------- d-----w C:\Program Files\Common Files\Ulead Systems
2007-11-29 20:35 --------- d-----w C:\Program Files\MP3 WAV Converter
2007-11-29 18:29 --------- d-----w C:\Program Files\Winamp
2007-11-29 14:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-29 11:15 --------- d-----w C:\Program Files\The Cleaner
2007-11-29 09:13 --------- d-----w C:\Program Files\BadgeHelp
2007-11-27 17:24 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-27 05:53 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\LimeWire
2007-11-27 00:02 --------- d-----w C:\Program Files\Kjpro
2007-11-26 21:18 --------- d-----w C:\Program Files\Sax & Dottys Karaoke Zip Player
2007-11-26 20:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-26 04:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2007-11-18 20:50 --------- d-----w C:\Program Files\Access 97 Runtime
2007-11-13 19:16 --------- d-----w C:\Program Files\NetworkActiv AUTAPF 1.0
2007-11-13 19:15 --------- d-----w C:\Program Files\Micro Technology Unlimited
2007-11-07 06:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-11-06 05:25 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-10-31 08:00 --------- d-----w C:\Program Files\AtomixMP3
2007-10-31 06:10 --------- d-----w C:\Program Files\BitComet
2007-10-31 02:16 --------- d-----w C:\Program Files\MixUp
2007-10-30 23:28 --------- d-----w C:\Program Files\CDGFix Demo
2007-10-30 19:15 --------- d-----w C:\Program Files\Emission
2007-10-30 18:53 --------- d-----w C:\Program Files\PhotoViz
2007-10-29 05:10 --------- d-----w C:\Program Files\Symantec
2007-10-29 03:18 4,608 ----a-w C:\WINDOWS\system32\drivers\symlcbrd.sys
2007-10-29 02:55 --------- d-----w C:\Program Files\Creative
2007-10-29 02:54 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-10-29 02:54 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-10-29 02:16 --------- d-----w C:\Program Files\Fichiers communs
2007-10-29 01:59 --------- d-----w C:\Documents and Settings\All Users\Application Data\DigiOn
2007-10-29 01:50 --------- d-----w C:\Program Files\Phonotron 1
2007-10-29 00:39 --------- d-----w C:\Program Files\Karaoke Go Round
2007-10-29 00:39 --------- d-----w C:\Program Files\Karaoke-Go-Round3
2007-10-29 00:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee
2007-10-29 00:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2007-10-25 04:15 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Roxio
2007-10-24 22:54 --------- d-----w C:\Program Files\Karasoft
2007-10-20 09:29 --------- d-----w C:\Program Files\VirtualDJ
2007-10-20 09:04 --------- d-----w C:\Program Files\Reallusion
2007-10-20 09:04 --------- d-----w C:\Program Files\Common Files\Reallusion
2007-10-20 09:04 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Reallusion
2007-10-20 09:04 --------- d-----w C:\Documents and Settings\All Users\Application Data\Reallusion
2007-10-20 08:37 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-10-19 09:26 --------- d-----w C:\Program Files\OTS
2007-10-19 08:42 --------- d-----w C:\Program Files\CDG Ripper
2007-10-19 08:29 --------- d-----w C:\Program Files\ProCDG
2007-10-19 08:26 73,216 ----a-w C:\WINDOWS\ST6UNST.EXE
2007-10-19 08:26 249,856 ------w C:\WINDOWS\Setup1.exe
2007-10-18 10:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-10-16 19:24 --------- d-----w C:\Program Files\Common Files\Borland Shared
2007-10-16 19:24 --------- d-----w C:\Program Files\CD+G AutoName
2007-10-16 19:18 --------- d-----w C:\Program Files\Eraser
2007-10-16 18:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2007-10-16 10:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2007-10-16 03:48 --------- d-----w C:\Program Files\Sierra On-Line
2007-10-16 03:38 --------- d-----w C:\Program Files\DIFX
2007-10-15 08:03 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\TERMINAL Studio
2007-10-14 02:48 --------- d-----w C:\Program Files\iWin.com Games
2007-10-13 09:20 77,824 ----a-w C:\WINDOWS\zipexe_r.exe
2007-10-13 09:20 14,807,040 ----a-w C:\VirtualAssistant.exe
2007-10-13 09:20 --------- d-----w C:\Program Files\Virtual Assistant
2007-10-13 09:17 --------- d-----w C:\Program Files\EMBARQ
2007-10-13 09:17 --------- d-----w C:\Program Files\Common Files\Motive
2007-10-13 09:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Motive
2007-10-12 18:17 --------- d-----w C:\Program Files\PFConfig
2007-10-11 02:18 --------- d-----w C:\Program Files\Logitech
2007-10-11 00:30 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-10-10 07:53 --------- d-----w C:\Program Files\Common Files\Logitech
2007-10-10 07:51 --------- d-----w C:\Program Files\HellFIRE Screensaver
2007-10-10 03:17 0 ----a-w C:\PROGRAM1.DAT
2007-10-10 02:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Windows Live Toolbar
2007-10-10 02:16 --------- d-----w C:\Program Files\MSN Messenger
2007-10-10 00:03 21 ----a-w C:\Program Files\Common Files\appop.log
2007-10-09 05:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2007-10-09 05:18 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-10-07 07:28 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Ahead
2007-10-06 23:59 --------- d-----w C:\Program Files\Desktop Architect
2007-10-06 23:01 2,846,188 ----a-w C:\WINDOWS\system32\Its Cold Outside.scr
2007-10-06 23:00 2,882,910 ----a-w C:\WINDOWS\system32\Moon Circle1.scr
2007-10-06 22:36 --------- d-----w C:\Program Files\Plus!
2007-10-06 08:21 --------- d-----w C:\Program Files\3D Space Tour
2007-10-06 07:48 --------- d-----w C:\Program Files\Astro Gemini Software
2007-10-06 07:47 --------- d-----w C:\Program Files\3D Formula 1 Screensaver
2007-10-06 06:32 --------- d-----w C:\Documents and Settings\BURNING ADDICTION\Application Data\Astro Gemini Software
2007-10-06 05:46 --------- d-----w C:\Program Files\Fish Aquarium 3D Screensaver
2007-10-06 01:59 640,512 ----a-w C:\WINDOWS\system32\ad2mcmpgdec.dll
2007-10-06 01:59 434,176 ----a-w C:\WINDOWS\system32\ad2mpegin.dll
2007-10-05 23:35 --------- d-----w C:\Program Files\Insaniquarium Deluxe
.

((((((((((((((((((((((((((((( snapshot_2007-11-30_18.04.45.64 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-30 18:45:11 8,667,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
+ 2007-12-02 02:04:49 8,667,136 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\ntuser.dat
- 2007-11-30 18:45:11 188,416 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-02 02:04:49 188,416 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-12-02 21:42:29 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-12-02 21:42:29 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-12-02 21:42:29 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
+ 2007-10-11 22:12:48 1,468,968 ------w C:\WINDOWS\system32\LegitCheckControl.dll
+ 2007-07-27 23:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 23:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 04:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 21:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-03 02:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-03 02:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-09 00:30:12 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 19:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
- 2006-09-26 00:58:48 14,640 ----a-w C:\WINDOWS\system32\spmsg.dll
+ 2007-10-08 22:46:18 14,640 ------w C:\WINDOWS\system32\spmsg.dll
 