various malware problems

I

ilikefood

New member
hello, my computer has been the victim of malware infections for a while now. im not quite sure what they might be exactly. however, it was all brought to my attention when i restarted the computer and my display settings have been changed. to be specific, the screen resolution has been adjusted to 800 by 600 pixels and the color quality has been changed to the lowest(4 bit). i cannot change them back. additionally, pop-ups randomly appear.

also, as instructed by the "before you post" thread, i have run spybot S&D in safe mode and in normal settings. both show no infections of any type. i have updated windows and i have not been able to run an online scanner. i have firefox and the only scanner i saw available was one for internet explorer.

thanks in advance.

here's my HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:02:33 PM, on 7/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\qwerty12.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\tmrsrv32.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\ohlnbhcA.exe
C:\WINDOWS\system32\twinkpdt.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {192c9d05-3566-4796-99d0-29a4f5f9b0cf} - C:\WINDOWS\system32\gdi3svc.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {6FCAEC98-136E-4C67-B2CA-D793FE08A21C} - C:\Program Files\MSN Gaming Zone\wofe83122.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {858CC303-6FD4-4216-8B76-143714271D9E} - \
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ohlnbhcA] C:\WINDOWS\ohlnbhcA.exe
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\twinkpdt.exe SKY003
O4 - HKLM\..\Run: [{71-1B-B2-2B-ZN}] C:\windows\system32\ojdsregp.exe SKY003
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINDOWS\jkkihi.dll",realset
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\system32\ojdsregp.exe SKY003
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\ojdsregp.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\Accessories\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\rlls.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149879949299
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149879923001
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: c:\windows\system32\urqponl.dll
O20 - Winlogon Notify: gdi3svc - C:\WINDOWS\SYSTEM32\gdi3svc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qwerty12.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
 
Hi and welcome to the forums. :)
I'm Markka and I will be helping you with your malware issues.

I'll check your HijackThis log. Right now I'm MRU Undergrad, everything that I post to you must be checked by
teachers of Malware Removal University.
Please be patient. :)
 
Hello :)

A malicious .DLL file is disrupting the LSP chain on your computer. We need to get rid of it:
  • Please download LSPFix from here.
  • Run the LSPFix.exe that you have just finished downloading.
  • Check the I know what I'm doing box.
  • In the Keep box you should see one or more instances of rlls.dll
  • Select every instance of rlls.dll and move each one to the Remove box by clicking the >> button.
  • When you are done click Finish>>
_____________________________

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall!
__________________________

Post:
- A fresh HijackThis log
- Contents of C:\ComboFix.txt
 
hello

thank you for taking time to assist me.

here are the requested materials.


HJT log

Logfile of HijackThis v1.99.1
Scan saved at 10:15:02 AM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: (no name) - {858CC303-6FD4-4216-8B76-143714271D9E} - \
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\Accessories\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149879949299
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149879923001
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: c:\windows\system32\urqponl.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
 
here is my combofix log.
i have to cut it in two parts because it is too long for one post.

"Owner" - 2007-07-25 9:51:23 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\tmp10F.tmp.dll
C:\WINDOWS\system32\tmp13.tmp.dll
C:\WINDOWS\system32\tmp1B8.tmp.dll
C:\WINDOWS\system32\urqponl.dll
C:\WINDOWS\awtsqq.dll
C:\WINDOWS\awtuut.dll
C:\WINDOWS\awuvtq.dll
C:\WINDOWS\awwtss.dll
C:\WINDOWS\awwwtt.dll
C:\WINDOWS\awwwwt.dll
C:\WINDOWS\byvtus.dll
C:\WINDOWS\bywuvt.dll
C:\WINDOWS\byyvvs.dll
C:\WINDOWS\byyyxw.dll
C:\WINDOWS\cbbbcy.dll
C:\WINDOWS\cbxuut.dll
C:\WINDOWS\cbxvus.dll
C:\WINDOWS\cbxxwt.dll
C:\WINDOWS\cbxyxx.dll
C:\WINDOWS\cbywvs.dll
C:\WINDOWS\cbyxwx.dll
C:\WINDOWS\cbyyay.dll
C:\WINDOWS\ddabaa.dll
C:\WINDOWS\ddabby.dll
C:\WINDOWS\ddabcb.dll
C:\WINDOWS\ddawtu.dll
C:\WINDOWS\ddawww.dll
C:\WINDOWS\ddaxya.dll
C:\WINDOWS\ddaywu.dll
C:\WINDOWS\ddbawt.dll
C:\WINDOWS\ddbcyy.dll
C:\WINDOWS\ddbxwv.dll
C:\WINDOWS\dddaaw.dll
C:\WINDOWS\dddayw.dll
C:\WINDOWS\dddcay.dll
C:\WINDOWS\dddefd.dll
C:\WINDOWS\dddefe.dll
C:\WINDOWS\efcdaa.dll
C:\WINDOWS\efcywt.dll
C:\WINDOWS\efcywu.dll
C:\WINDOWS\efdcba.dll
C:\WINDOWS\efddeb.dll
C:\WINDOWS\effdeb.dll
C:\WINDOWS\fcbbyx.dll
C:\WINDOWS\fccaby.dll
C:\WINDOWS\fcccbb.dll
C:\WINDOWS\fccddb.dll
C:\WINDOWS\fcyaya.dll
C:\WINDOWS\fcyyxu.dll
C:\WINDOWS\fcyyyw.dll
C:\WINDOWS\geddcb.dll
C:\WINDOWS\gedded.dll
C:\WINDOWS\geecbb.dll
C:\WINDOWS\geeeef.dll
C:\WINDOWS\hgdaxy.dll
C:\WINDOWS\hgdbbc.dll
C:\WINDOWS\hgdbbx.dll
C:\WINDOWS\hgdbby.dll
C:\WINDOWS\hgfcab.dll
C:\WINDOWS\hgfdbb.dll
C:\WINDOWS\hgfdca.dll
C:\WINDOWS\hgfebc.dll
C:\WINDOWS\hgfggh.dll
C:\WINDOWS\hggddc.dll
C:\WINDOWS\hggeda.dll
C:\WINDOWS\hgghec.dll
C:\WINDOWS\hgghif.dll
C:\WINDOWS\iifedd.dll
C:\WINDOWS\iihfgf.dll
C:\WINDOWS\iihhgd.dll
C:\WINDOWS\iiighh.dll
C:\WINDOWS\iiihhg.dll
C:\WINDOWS\iiiigd.dll
C:\WINDOWS\jkhebx.dll
C:\WINDOWS\jkhecb.dll
C:\WINDOWS\jkhfdc.dll
C:\WINDOWS\jkhfef.dll
C:\WINDOWS\jkhgfg.dll
C:\WINDOWS\jkjjgd.dll
C:\WINDOWS\jkkhfd.dll
C:\WINDOWS\jkkiff.dll
C:\WINDOWS\jkkige.dll
C:\WINDOWS\jkkjhh.dll
C:\WINDOWS\jkkjih.dll
C:\WINDOWS\jkkklk.dll
C:\WINDOWS\kheefg.dll
C:\WINDOWS\khefca.dll
C:\WINDOWS\khgecb.dll
C:\WINDOWS\khggef.dll
C:\WINDOWS\khiiii.dll
C:\WINDOWS\ljgefd.dll
C:\WINDOWS\ljggfc.dll
C:\WINDOWS\ljgghf.dll
C:\WINDOWS\ljifef.dll
C:\WINDOWS\ljifge.dll
C:\WINDOWS\ljihig.dll
C:\WINDOWS\ljijij.dll
C:\WINDOWS\ljkhed.dll
C:\WINDOWS\mlifcd.dll
C:\WINDOWS\mlihec.dll
C:\WINDOWS\mlihgg.dll
C:\WINDOWS\mliigh.dll
C:\WINDOWS\mlijii.dll
C:\WINDOWS\mlijij.dll
C:\WINDOWS\mlkkkl.dll
C:\WINDOWS\mlklig.dll
C:\WINDOWS\mlmkli.dll
C:\WINDOWS\mlmljj.dll
C:\WINDOWS\mlmlkl.dll
C:\WINDOWS\mlmmki.dll
C:\WINDOWS\mlmnll.dll
C:\WINDOWS\nnkhfg.dll
C:\WINDOWS\nnkhgf.dll
C:\WINDOWS\nnmjge.dll
C:\WINDOWS\nnmkhg.dll
C:\WINDOWS\nnolkk.dll
C:\WINDOWS\nnomml.dll
C:\WINDOWS\opmjhh.dll
C:\WINDOWS\opmjjj.dll
C:\WINDOWS\opmkji.dll
C:\WINDOWS\opopqr.dll
C:\WINDOWS\opqnmn.dll
C:\WINDOWS\opqolj.dll
C:\WINDOWS\opqrpo.dll
C:\WINDOWS\pmkhgh.dll
C:\WINDOWS\pmkihg.dll
C:\WINDOWS\pmkkli.dll
C:\WINDOWS\pmllig.dll
C:\WINDOWS\pmlmkh.dll
C:\WINDOWS\pmnnkl.dll
C:\WINDOWS\pmnnon.dll
C:\WINDOWS\qomjhe.dll
C:\WINDOWS\qomkkj.dll
C:\WINDOWS\qomkkl.dll
C:\WINDOWS\qomklm.dll
C:\WINDOWS\qomnoo.dll
C:\WINDOWS\qonkki.dll
C:\WINDOWS\qonljg.dll
C:\WINDOWS\qonmnl.dll
C:\WINDOWS\qonomm.dll
C:\WINDOWS\qopmlm.dll
C:\WINDOWS\qopnkj.dll
C:\WINDOWS\qopnop.dll
C:\WINDOWS\qopomk.dll
C:\WINDOWS\qopppo.dll
C:\WINDOWS\qopqqq.dll
C:\WINDOWS\qopqrp.dll
C:\WINDOWS\rqoopo.dll
C:\WINDOWS\rqopnn.dll
C:\WINDOWS\rqpomj.dll
C:\WINDOWS\rqpqpp.dll
C:\WINDOWS\rqpqqq.dll
C:\WINDOWS\rqrolk.dll
C:\WINDOWS\ssqrsp.dll
C:\WINDOWS\ssroli.dll
C:\WINDOWS\ssronl.dll
C:\WINDOWS\ssropm.dll
C:\WINDOWS\ssrrol.dll
C:\WINDOWS\sstqop.dll
C:\WINDOWS\ssttrs.dll
C:\WINDOWS\ssturq.dll
C:\WINDOWS\tutqrp.dll
C:\WINDOWS\tutrop.dll
C:\WINDOWS\tutusq.dll
C:\WINDOWS\tuvvvv.dll
C:\WINDOWS\urpmkh.dll
C:\WINDOWS\urpnlm.dll
C:\WINDOWS\urrono.dll
C:\WINDOWS\urrppq.dll
C:\WINDOWS\urrrqq.dll
C:\WINDOWS\urrrsq.dll
C:\WINDOWS\urrspp.dll
C:\WINDOWS\urrsss.dll
C:\WINDOWS\urspqn.dll
C:\WINDOWS\ursron.dll
C:\WINDOWS\ursrro.dll
C:\WINDOWS\vtrpnk.dll
C:\WINDOWS\vtrrol.dll
C:\WINDOWS\vtrrop.dll
C:\WINDOWS\vtrsts.dll
C:\WINDOWS\vturoo.dll
C:\WINDOWS\vtursp.dll
C:\WINDOWS\vtuspm.dll
C:\WINDOWS\vtussp.dll
C:\WINDOWS\vtuuut.dll
C:\WINDOWS\wvtrqq.dll
C:\WINDOWS\wvtsqn.dll
C:\WINDOWS\wvvsqq.dll
C:\WINDOWS\wvvtqr.dll
C:\WINDOWS\wvvtut.dll
C:\WINDOWS\wvvuvw.dll
C:\WINDOWS\wvwvus.dll
C:\WINDOWS\wvwwwx.dll
C:\WINDOWS\xxvtqo.dll
C:\WINDOWS\xxvvvt.dll
C:\WINDOWS\xxxwwx.dll
C:\WINDOWS\xxyvtr.dll
C:\WINDOWS\xxywwx.dll
C:\WINDOWS\yaaayw.dll
C:\WINDOWS\yaaayy.dll
C:\WINDOWS\yaabcd.dll
C:\WINDOWS\yabxxu.dll
C:\WINDOWS\yabxxx.dll
C:\WINDOWS\yaxwtu.dll
C:\WINDOWS\yaxwus.dll
C:\WINDOWS\yaxwxu.dll
C:\WINDOWS\yaxyyx.dll
C:\WINDOWS\twwwwa.ini
C:\WINDOWS\sutvyb.ini
C:\WINDOWS\wxyyyb.ini
C:\WINDOWS\tuuxbc.ini
C:\WINDOWS\xwxybc.ini
C:\WINDOWS\dfeddd.ini
C:\WINDOWS\twycfe.ini
C:\WINDOWS\uwycfe.ini
C:\WINDOWS\beddfe.ini
C:\WINDOWS\bddccf.ini
C:\WINDOWS\cbefgh.ini
C:\WINDOWS\adeggh.ini
C:\WINDOWS\ddefii.ini
C:\WINDOWS\fgfhii.ini
C:\WINDOWS\cdfhkj.ini
C:\WINDOWS\fefhkj.ini
C:\WINDOWS\dgjjkj.ini
C:\WINDOWS\ffikkj.ini
C:\WINDOWS\fegghk.ini
C:\WINDOWS\dehkjl.ini
C:\WINDOWS\cehilm.ini
C:\WINDOWS\lkkklm.ini
C:\WINDOWS\rqpopo.ini
C:\WINDOWS\nmnqpo.ini
C:\WINDOWS\ghikmp.ini
C:\WINDOWS\gillmp.ini
C:\WINDOWS\mlkmoq.ini
C:\WINDOWS\lnmnoq.ini
C:\WINDOWS\kmopoq.ini
C:\WINDOWS\nnpoqr.ini
C:\WINDOWS\ilorss.ini
C:\WINDOWS\srttss.ini
C:\WINDOWS\prqtut.ini
C:\WINDOWS\qqrrru.ini
C:\WINDOWS\qsrrru.ini
C:\WINDOWS\nqpsru.ini
C:\WINDOWS\porrtv.ini
C:\WINDOWS\psrutv.ini
C:\WINDOWS\nqstvw.ini
C:\WINDOWS\dcbaay.ini
C:\WINDOWS\xxxbay.ini
C:\WINDOWS\system32\gdi3svc.dll
 
okay, three parts.


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Owner\APPLIC~1\FunWebProducts
C:\DOCUME~1\Owner\APPLIC~1\FunWebProducts\Data\Owner\avatar.dat
C:\DOCUME~1\Owner\APPLIC~1\FunWebProducts\Data\Owner\zwinky.dat
C:\DOCUME~1\Owner\APPLIC~1\SpamBlockerUtility_Icons
C:\DOCUME~1\Owner\APPLIC~1\SpamBlockerUtility_Icons\MobileSidewalk_2.ico
C:\DOCUME~1\Owner\APPLIC~1\SpamBlockerUtility_Icons\Software_Online_8.ico
C:\DOCUME~1\Owner\APPLIC~1\tmp1.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp10.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp101.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp102.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp103.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp104.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp106.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp107.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp108.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp10B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp10C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp10D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp10E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp10F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp11.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp110.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp111.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp112.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp113.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp114.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp115.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp116.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp117.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp118.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp119.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp11A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp11B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp11C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp11D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp11E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp11F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp12.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp120.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp121.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp122.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp123.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp124.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp125.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp126.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp127.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp128.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp129.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp12A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp12B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp12C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp12D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp12E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp12F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp13.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp130.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp131.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp132.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp133.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp134.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp135.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp136.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp137.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp138.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp139.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp13A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp13B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp13C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp13D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp13E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp13F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp14.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp140.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp141.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp142.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp143.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp144.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp145.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp146.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp147.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp148.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp149.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp14A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp14B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp14C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp14D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp14E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp14F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp15.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp150.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp151.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp152.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp153.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp154.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp155.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp156.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp157.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp158.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp159.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp15A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp15B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp15C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp15D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp15E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp15F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp16.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp160.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp161.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp162.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp163.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp164.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp165.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp166.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp167.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp168.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp169.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp16A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp16B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp16C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp16D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp16E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp16F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp17.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp170.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp171.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp172.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp173.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp174.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp175.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp176.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp177.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp178.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp179.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp17A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp17B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp17C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp17D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp17E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp17F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp18.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp180.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp181.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp182.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp183.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp184.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp185.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp186.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp187.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp188.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp189.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp18A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp18B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp18C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp18D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp18E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp18F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp19.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp190.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp191.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp192.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp193.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp194.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp195.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp196.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp197.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp198.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp199.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp19A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp19B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp19C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp19D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp19E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp19F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A0.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A1.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A2.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A3.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A4.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A5.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A6.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A7.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A8.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1A9.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1AA.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1AB.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1AC.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1AD.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1AE.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1AF.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1B0.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1B1.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1B2.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1B3.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1B8.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1B9.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1BA.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1BB.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1D5.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1DB.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1DD.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1DE.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp1F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp20.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp204.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp205.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp20A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp20B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp20E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp21.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp22.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp220.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp222.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp223.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp224.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp22E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp22F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp23.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp230.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp24.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp241.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp242.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp243.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp24A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp24B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp24C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp25.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp26.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp27.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp28.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp29.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp2F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp30.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp31.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp32.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp33.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp34.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp35.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp36.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp37.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp38.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp39.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp3F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp40.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp41.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp42.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp43.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp44.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp45.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp46.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp47.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp48.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp49.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp4F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp5.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp50.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp51.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp52.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp53.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp54.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp55.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp559.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp55A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp55B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp55C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp56.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp561.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp562.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp563.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp568.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp57.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp58.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp59.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp5A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp5B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp5C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp5D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp5E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp5F.tmp.exe
 
part 3

C:\DOCUME~1\Owner\APPLIC~1\tmp6.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp60.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp61.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp62.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp63.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp64.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp65.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp66.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp67.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp68.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp69.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp6A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp6B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp6C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp6D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp6E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp6F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp7.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp70.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp71.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp72.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp73.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp74.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp75.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp76.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp77.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp78.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp79.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp7A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp7B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp7C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp7D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp7E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp7F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp8.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp80.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp81.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp82.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp83.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp84.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp85.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp86.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp87.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp88.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp89.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp8A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp8B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp8C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp8D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp8E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp8F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp90.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp91.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp92.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp93.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp94.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp95.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp96.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp97.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp98.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp99.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp9A.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp9B.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp9C.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp9D.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp9E.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmp9F.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA0.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA1.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA2.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA3.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA4.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA5.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA6.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA7.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA8.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpA9.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpAA.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpAB.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpAC.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpAD.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpAE.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpAF.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB0.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB1.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB2.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB3.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB4.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB5.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB6.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB7.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB8.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpB9.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpBA.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpBB.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpBC.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpBD.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpBE.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpBF.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpC.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpC1.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpC2.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpC3.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpC4.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpC6.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpC9.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpCA.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpCB.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpCC.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpCD.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpCF.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpD.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpD0.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpD2.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpDA.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpE.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpE0.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpE2.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpF.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpF0.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpF1.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpF2.tmp.exe
C:\DOCUME~1\Owner\APPLIC~1\tmpFD.tmp.exe
C:\Program Files\MSN Gaming Zone\wofe83122.dll
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\WINDOWS\180ax.exe
C:\WINDOWS\48x.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\b122.exe
C:\WINDOWS\bi.dll
C:\WINDOWS\biprep.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cfg32.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\cfg32o.dll
C:\WINDOWS\cfg32r.dll
C:\WINDOWS\cfg32s.dll
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\flt.dll
C:\WINDOWS\itpb_11.exe
C:\WINDOWS\itpb_3.exe
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\offun.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\rau001978.exe
C:\WINDOWS\retadpu1000106.exe
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\stub_mma2.exe
C:\WINDOWS\susp.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\ipv6mons.dll
C:\WINDOWS\system32\ldpackage.dll
C:\WINDOWS\system32\model.dat
C:\WINDOWS\system32\msdn_lib.dll
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\ojdsregp.exe
C:\WINDOWS\system32\perfc000.dat
C:\WINDOWS\system32\qwerty12.exe
C:\WINDOWS\system32\rlls.dll
C:\WINDOWS\system32\rlxf.dll
C:\WINDOWS\system32\silc_dll.dll
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\tmp1.tmp.dll
C:\WINDOWS\system32\tmp106.tmp.dll
C:\WINDOWS\system32\tmp108.tmp.dll
C:\WINDOWS\system32\tmp10F.tmp.dll
C:\WINDOWS\system32\tmp11.tmp.dll
C:\WINDOWS\system32\tmp110.tmp.dll
C:\WINDOWS\system32\tmp111.tmp.dll
C:\WINDOWS\system32\tmp119.tmp.dll
C:\WINDOWS\system32\tmp11C.tmp.dll
C:\WINDOWS\system32\tmp11F.tmp.dll
C:\WINDOWS\system32\tmp12.tmp.dll
C:\WINDOWS\system32\tmp123.tmp.dll
C:\WINDOWS\system32\tmp126.tmp.dll
C:\WINDOWS\system32\tmp127.tmp.dll
C:\WINDOWS\system32\tmp12B.tmp.dll
C:\WINDOWS\system32\tmp12E.tmp.dll
C:\WINDOWS\system32\tmp13.tmp.dll
C:\WINDOWS\system32\tmp15.tmp.dll
C:\WINDOWS\system32\tmp151.tmp.dll
C:\WINDOWS\system32\tmp159.tmp.dll
C:\WINDOWS\system32\tmp16.tmp.dll
C:\WINDOWS\system32\tmp17.tmp.dll
C:\WINDOWS\system32\tmp18.tmp.dll
C:\WINDOWS\system32\tmp19.tmp.dll
C:\WINDOWS\system32\tmp1A.tmp.dll
C:\WINDOWS\system32\tmp1B.tmp.dll
C:\WINDOWS\system32\tmp1B8.tmp.dll
C:\WINDOWS\system32\tmp1BB.tmp.dll
C:\WINDOWS\system32\tmp1C.tmp.dll
C:\WINDOWS\system32\tmp1DE.tmp.dll
C:\WINDOWS\system32\tmp1E.tmp.dll
C:\WINDOWS\system32\tmp2.tmp.dll
C:\WINDOWS\system32\tmp20.tmp.dll
C:\WINDOWS\system32\tmp204.tmp.dll
C:\WINDOWS\system32\tmp205.tmp.dll
C:\WINDOWS\system32\tmp224.tmp.dll
C:\WINDOWS\system32\tmp23.tmp.dll
C:\WINDOWS\system32\tmp25.tmp.dll
C:\WINDOWS\system32\tmp26.tmp.dll
C:\WINDOWS\system32\tmp29.tmp.dll
C:\WINDOWS\system32\tmp2B.tmp.dll
C:\WINDOWS\system32\tmp2E.tmp.dll
C:\WINDOWS\system32\tmp3.tmp.dll
C:\WINDOWS\system32\tmp30.tmp.dll
C:\WINDOWS\system32\tmp35.tmp.dll
C:\WINDOWS\system32\tmp36.tmp.dll
C:\WINDOWS\system32\tmp3E.tmp.dll
C:\WINDOWS\system32\tmp4.tmp.dll
C:\WINDOWS\system32\tmp41.tmp.dll
C:\WINDOWS\system32\tmp43.tmp.dll
C:\WINDOWS\system32\tmp45.tmp.dll
C:\WINDOWS\system32\tmp48.tmp.dll
C:\WINDOWS\system32\tmp4B.tmp.dll
C:\WINDOWS\system32\tmp5.tmp.dll
C:\WINDOWS\system32\tmp50.tmp.dll
C:\WINDOWS\system32\tmp559.tmp.dll
C:\WINDOWS\system32\tmp561.tmp.dll
C:\WINDOWS\system32\tmp5A.tmp.dll
C:\WINDOWS\system32\tmp5B.tmp.dll
C:\WINDOWS\system32\tmp6.tmp.dll
C:\WINDOWS\system32\tmp60.tmp.dll
C:\WINDOWS\system32\tmp64.tmp.dll
C:\WINDOWS\system32\tmp6C.tmp.dll
C:\WINDOWS\system32\tmp6E.tmp.dll
C:\WINDOWS\system32\tmp7.tmp.dll
C:\WINDOWS\system32\tmp73.tmp.dll
C:\WINDOWS\system32\tmp77.tmp.dll
C:\WINDOWS\system32\tmp78.tmp.dll
C:\WINDOWS\system32\tmp7C.tmp.dll
C:\WINDOWS\system32\tmp8.tmp.dll
C:\WINDOWS\system32\tmp82.tmp.dll
C:\WINDOWS\system32\tmp83.tmp.dll
C:\WINDOWS\system32\tmp87.tmp.dll
C:\WINDOWS\system32\tmp88.tmp.dll
C:\WINDOWS\system32\tmp8D.tmp.dll
C:\WINDOWS\system32\tmp9.tmp.dll
C:\WINDOWS\system32\tmp91.tmp.dll
C:\WINDOWS\system32\tmp9A.tmp.dll
C:\WINDOWS\system32\tmp9F.tmp.dll
C:\WINDOWS\system32\tmpA.tmp.dll
C:\WINDOWS\system32\tmpA8.tmp.dll
C:\WINDOWS\system32\tmpAD.tmp.dll
C:\WINDOWS\system32\tmpB.tmp.dll
C:\WINDOWS\system32\tmpB3.tmp.dll
C:\WINDOWS\system32\tmpB4.tmp.dll
C:\WINDOWS\system32\tmpC2.tmp.dll
C:\WINDOWS\system32\tmpC6.tmp.dll
C:\WINDOWS\system32\tmpCB.tmp.dll
C:\WINDOWS\system32\tmpE.tmp.dll
C:\WINDOWS\system32\tmpE2.tmp.dll
C:\WINDOWS\system32\tmpFD.tmp.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\system32\wmvds32.dll
C:\WINDOWS\system32\zxdnt3d.cfg
C:\WINDOWS\temp\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\vcttc012.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\wbun.exe
C:\WINDOWS\wml.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))


2007-07-25 09:49 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-19 16:18 1,007 --a------ C:\WINDOWS\mozver.dat
2007-07-11 14:05 <DIR> d-------- C:\94f3f44206ff7291cbfc3f478c


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-25 15:02:06 12 ----a-w C:\WINDOWS\system32\sl.bin
2007-07-25 15:01:38 -------- d-----w C:\Program Files\MSN Gaming Zone
2007-07-19 21:17:41 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-06-23 16:40:49 192,594 ----a-w C:\WINDOWS\system32\twinkpdt.exe
2007-06-23 09:02:48 18,432 ----a-w C:\WINDOWS\sysrlb32.exe
2007-06-23 08:27:15 4 ----a-w C:\WINDOWS\system32\stfv.bin
2007-06-23 08:25:42 29,952 ----a-w C:\WINDOWS\vxddsk.exe
2007-06-23 08:25:16 291 ----a-w C:\WINDOWS\system32\drivers\v.gif
2007-06-23 08:25:16 283 ----a-w C:\WINDOWS\system32\drivers\x.gif
2007-06-23 08:25:14 801 ----a-w C:\WINDOWS\system32\drivers\system_stable_header_small.gif
2007-06-23 08:25:14 567 ----a-w C:\WINDOWS\system32\drivers\users_rating.gif
2007-06-23 08:25:13 1,636 ----a-w C:\WINDOWS\system32\drivers\system_stable_header.gif
2007-06-23 08:25:12 6,533 ----a-w C:\WINDOWS\system32\drivers\system_stable_box_small.jpg
2007-06-23 08:25:12 15,075 ----a-w C:\WINDOWS\system32\drivers\system_stable_box.jpg
2007-06-23 08:25:10 579 ----a-w C:\WINDOWS\system32\drivers\spy_away_header_small.gif
2007-06-23 08:25:09 1,139 ----a-w C:\WINDOWS\system32\drivers\spy_away_header.gif
2007-06-23 08:25:08 5,097 ----a-w C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
2007-06-23 08:25:08 13,618 ----a-w C:\WINDOWS\system32\drivers\spy_away_box.jpg
2007-06-23 08:25:07 14,484 ----a-w C:\WINDOWS\system32\drivers\protect.gif
2007-06-23 08:25:05 841 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
2007-06-23 08:25:02 1,804 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
2007-06-23 08:25:01 4,557 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
2007-06-23 08:25:01 10,260 ----a-w C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
2007-06-23 08:25:00 737 ----a-w C:\WINDOWS\system32\drivers\logo_bg.gif
2007-06-23 08:25:00 3,099 ----a-w C:\WINDOWS\system32\drivers\logo.gif
2007-06-23 08:24:58 811 ----a-w C:\WINDOWS\system32\drivers\download_btn.gif
2007-06-23 08:24:58 580 ----a-w C:\WINDOWS\system32\drivers\features.gif
2007-06-23 08:24:57 746 ----a-w C:\WINDOWS\system32\drivers\buy_btn.gif
2007-06-23 08:24:57 427 ----a-w C:\WINDOWS\system32\drivers\4_stars.gif
2007-06-23 08:24:57 365 ----a-w C:\WINDOWS\system32\drivers\5_stars.gif
2007-06-23 08:24:56 50,169 ----a-w C:\WINDOWS\system32\drivers\pt.htm
2007-06-23 08:24:55 945 ----a-w C:\WINDOWS\system32\drivers\s_detect.htm
2007-06-23 08:24:55 6,575 ----a-w C:\WINDOWS\system32\drivers\remove_spyware_button.gif
2007-06-23 08:24:55 6,373 ----a-w C:\WINDOWS\system32\drivers\secuity_center_logo.gif
2007-06-23 08:24:54 64 ----a-w C:\WINDOWS\system32\drivers\close_icon.gif
2007-06-23 08:24:54 360 ----a-w C:\WINDOWS\system32\drivers\header_bg.gif
2007-06-23 08:24:54 1,014 ----a-w C:\WINDOWS\system32\drivers\icon_warning.gif
2007-06-23 08:24:53 4,825 ----a-w C:\WINDOWS\system32\drivers\detect.htm
2007-06-23 08:24:53 2,186 ----a-w C:\WINDOWS\system32\drivers\alert_icon.gif
2007-06-03 02:10:06 -------- d-----w C:\Program Files\Real
2007-06-03 02:07:49 -------- d-----w C:\Program Files\Common Files\AOL
2007-06-03 02:07:39 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
1989-12-12 15:10:10 791,920 --sh--r C:\WINDOWS\ohlnbhcA.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{858CC303-6FD4-4216-8B76-143714271D9E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NWEReboot"="" []
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe" [2006-07-26 03:03]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-04-03 18:12]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-02-14 22:50]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2006-01-24 14:37]
"ares"="C:\Program Files\Ares\Ares.exe" []
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t
"swg"=C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\urqponl.dll

R3 BCM42XX;Broadcom iLine10(tm) Network Adapter Driver;C:\WINDOWS\system32\DRIVERS\bcm42xx5.sys
R3 BCMModem;BCM V.90 56K Modem;C:\WINDOWS\system32\DRIVERS\BCMDM.sys
R3 ctljystk;Creative SBLive! Gameport;C:\WINDOWS\system32\DRIVERS\ctljystk.sys
S3 A5AGU;D-Link USB Wireless Network Adapter Service;C:\WINDOWS\system32\DRIVERS\A5AGU.sys
S3 ATHFMWDL;D-Link predator Bootloader driver;C:\WINDOWS\system32\Drivers\ATHFMWDL.sys
S3 TIEHDUSB;TIEHDUSB;C:\WINDOWS\system32\drivers\tiehdusb.sys
S3 TnIDriver;TnIDriver;\??\C:\DOCUME~1\Owner\LOCALS~1\Temp\tni2B.tmp


Contents of the 'Scheduled Tasks' folder
2007-07-23 02:28:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-25 07:29:00 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 10:08:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-25 10:10:11 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-25 10:09

--- E O F ---
 
Hello :)

Looking over your log, it seems you don't have any evidence of a third party firewall.

As the term conveys, a firewall is an extra layer of security installed onto computers, which restricts access to systems from the outside world. Firewalls protect against hackers and malicious intruders. I want you to download a free firewall NOW from one of these excellent vendors:

1) ZoneAlarm
2) Agnitum
3) Sunbelt/Kerio
4) Comodo

If you are using the built-in Windows XP firewall, it is not recommended as it does not block outgoing connections. This means that any malware on your computer is free to "phone home" for more instructions. Simply put, Windows XP contains a mediocre firewall. This firewall is NO replacement for a dedicated software solution. Remember to use only one firewall at the same time.
____________________________

Disable Teatimer:

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
____

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.

Open Windows Defender.
Click on Tools, General Settings.
Scroll down and uncheck Turn on real-time protection (recommended).
After you uncheck this, click on the Save button and close Windows Defender.

After all of the fixes are complete it is very important that you enable Real-time Protection again.
____________________________

Please download AVG Anti-Spyware to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install AVG Anti-Spyware by double clicking the installer.
  • Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update succesfull message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
__________________________

Create a new folder here called HJT:

C:\HJT

And now move HijackThis.exe into the HJT folder.
_______

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows except HijackThis and press fix checked.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
O2 - BHO: (no name) - {858CC303-6FD4-4216-8B76-143714271D9E} - \
O3 - Toolbar: (no name) - {DE9C389F-3316-41A7-809B-AA305ED9D922} - (no file)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O20 - AppInit_DLLs: c:\windows\system32\urqponl.dll
_________________________

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\windows\system32\urqponl.dll
C:\WINDOWS\system32\twinkpdt.exe
C:\WINDOWS\sysrlb32.exe
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\ohlnbhcA.exe
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\drivers\system_stable_header_small.gif
C:\WINDOWS\system32\drivers\users_rating.gif
C:\WINDOWS\system32\drivers\system_stable_header.gif
C:\WINDOWS\system32\drivers\system_stable_box_small.jpg
C:\WINDOWS\system32\drivers\system_stable_box.jpg
C:\WINDOWS\system32\drivers\spy_away_header_small.gif
C:\WINDOWS\system32\drivers\spy_away_header.gif
C:\WINDOWS\system32\drivers\spy_away_box_small.jpg
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\protect.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\logo_bg.gif
C:\WINDOWS\system32\drivers\logo.gif
C:\WINDOWS\system32\drivers\download_btn.gif
C:\WINDOWS\system32\drivers\features.gif
C:\WINDOWS\system32\drivers\buy_btn.gif
C:\WINDOWS\system32\drivers\4_stars.gif
C:\WINDOWS\system32\drivers\5_stars.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\alert_icon.gif

Folder::
C:\94f3f44206ff7291cbfc3f478c
Click to expand...

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot).
_______________________

Please download ATF-cleaner and save it to your desktop.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.

    If you use Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
  • Click Exit on the Main menu to close the program.
____________________

Please then reboot your computer in Safe Mode by doing the following:
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
___________________________

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      scanavgjk2.jpg
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.
____________________________

  • Please download F-Secure Blacklight (fsbl.exe) from here
  • Save into C:\ with a name of fsbl.exe
  • Go to Start -> Run
  • Copy and paste the contents of the below codebox into the run box
    Code: 
    C:\fsbl.exe /expert
  • Click OK
  • This will launch BlackLight
  • Select I accept the agreement
  • Click Next
  • Click Scan
  • Wait for the scan to finish
  • Click on Next>
  • Click Exit
  • A logfile will have been created in the C:\ drive
  • It will be named fsbl-xxxxxxxxxxxxxx.log where xxxxxxxxxxxxxx is the date and time of the scan
  • Use notepad to open that log
  • Post the contents of that log as a reply to this topic.
______________________

Post:
- A fres HijackThis log
- AVG Anti-SPyware's report
- Logfile of BlackLight
- ComboFix's log
 
i ran into a few problems along the way.

first of all, i could not open windows defender. i got an error saying "application failed to initialize: 0x800106ba"

second, when i was deleting entries from HJT, i received another error "An unexpected error has occurred at procedure: modBackup_MakeBackup(sItem=O20 - AppInit_DLLs: c:\windows\system32\urqponl.dll)
Error #5 - Invalid procedure call or argument"

third, i was not able to move "CFScript.txt" into Combofix successfully. Whenever i tried to do so, i would receive an error that read "C:\WINDOWS\system32\chcp.com not valid Win32 application"
No log was produced for this program.

finally, after the AVG scan completed, i was not able to save a report. the button to press was gray and would not allow me to press it. I did click "Reports" and save it to my desktop in Safe Mode, but it wasn't there when i rebooted. i do know for a fact that it said it found no errors. After the scan however, there were quite a number of things found, but all were quarantined.


With all that being said, i did manage to complete the other instructions without much trouble. I have the HJT and Blacklight logs.


HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 12:24:58 PM, on 7/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\Accessories\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149879949299
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149879923001
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


The Blacklight Log saved itself in two parts.

07/26/07 12:00:29 [Info]: BlackLight Engine 1.0.64 initialized
07/26/07 12:00:29 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/26/07 12:00:29 [Note]: 7019 4
07/26/07 12:00:29 [Note]: 7005 0
07/26/07 12:00:32 [Note]: 7007 0

07/26/07 12:02:01 [Info]: BlackLight Engine 1.0.64 initialized
07/26/07 12:02:01 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/26/07 12:02:01 [Note]: 7019 4
07/26/07 12:02:01 [Note]: 7005 0
07/26/07 12:02:11 [Note]: 7006 0
07/26/07 12:02:11 [Note]: 7022 0
07/26/07 12:02:11 [Note]: 7011 1548
07/26/07 12:02:11 [Note]: 7026 0
07/26/07 12:02:12 [Note]: 7026 0
07/26/07 12:02:19 [Note]: FSRAW library version 1.7.1022
07/26/07 12:02:24 [Info]: Hidden file: c:\Documents and Settings\Owner\Desktop\jo
07/26/07 12:02:24 [Note]: 10002 1
07/26/07 12:10:13 [Note]: 2000 1012
07/26/07 12:15:32 [Note]: 7007 0
 
Scan again with Blacklight, when the scan has finished. Choose this folder:

C:\Documents and Settings\Owner\Desktop\jo

And now click 'rename'.

Reboot.

Check what is in here: C:\Documents and Settings\Owner\Desktop\jo
______________________

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on dss.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt<-this one will be minimized
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt and the extra.txt to your post. in your reply
__________________

Re-run with Blacklight!

Post:
- A fresh HijackThis log
- Logfile of Blacklight
- Contents of main.txt & extra.txt
 
okay heres my stuff.

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 11:08:10 AM, on 7/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\svchost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\Accessories\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149879949299
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149879923001
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


blacklight log

07/28/07 10:50:51 [Info]: BlackLight Engine 1.0.64 initialized
07/28/07 10:50:51 [Info]: OS: 5.1 build 2600 (Service Pack 2)
07/28/07 10:50:52 [Note]: 7019 4
07/28/07 10:50:52 [Note]: 7005 0
07/28/07 10:51:06 [Note]: 7006 0
07/28/07 10:51:06 [Note]: 7022 0
07/28/07 10:51:06 [Note]: 7011 1836
07/28/07 10:51:06 [Note]: 7026 0
07/28/07 10:51:06 [Note]: 7026 0
07/28/07 10:51:19 [Note]: FSRAW library version 1.7.1022
07/28/07 10:51:33 [Info]: Hidden file: c:\Documents and Settings\Owner\Desktop\jo.ren
07/28/07 10:51:33 [Note]: 10002 1
07/28/07 11:02:51 [Note]: 2000 1012
07/28/07 11:06:04 [Note]: 7007 0


main.txt

Deckard's System Scanner v20070711.54
Run by Owner on 2007-07-27 at 18:04:03
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
87: 2007-07-27 23:04:17 UTC - RP586 - Deckard's System Scanner Restore Point
86: 2007-07-27 16:25:52 UTC - RP585 - Software Distribution Service 3.0
85: 2007-07-26 23:17:34 UTC - RP584 - Software Distribution Service 3.0
84: 2007-07-26 18:55:11 UTC - RP583 - Software Distribution Service 3.0
83: 2007-07-26 16:57:34 UTC - RP582 - Software Distribution Service 3.0


-- First Restore Point --
1: 2007-05-15 01:53:16 UTC - RP500 - System Checkpoint


Backed up registry hives.

Performed disk cleanup.


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 6:06:14 PM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\DOCUME~1\Owner\Desktop\Owner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\Accessories\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149879949299
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149879923001
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

S0 PxHelp20 - c:\windows\system32\drivers\pxhelp20.sys (file missing)
S3 A5AGU (D-Link USB Wireless Network Adapter Service) - c:\windows\system32\drivers\a5agu.sys <Not Verified; D-Link Corporation; D-Link Wireless USB Network Adapter>
S3 ATHFMWDL (D-Link predator Bootloader driver) - c:\windows\system32\drivers\athfmwdl.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
S3 catchme - c:\docume~1\owner\locals~1\temp\catchme.sys (file missing)
S3 TIEHDUSB - c:\windows\system32\drivers\tiehdusb.sys <Not Verified; Texas Instruments Incorporated; Texas Instruments Incorporated Educational Handheld Device>
S3 TnIDriver - c:\docume~1\owner\locals~1\temp\tni2b.tmp (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Viewpoint Manager Service - "c:\program files\viewpoint\common\viewpointservice.exe" <Not Verified; Viewpoint Corporation; Viewpoint Manager>


-- Scheduled Tasks -------------------------------------------------------------

2007-07-25 02:29:00 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job
2007-07-22 21:28:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-06-27 and 2007-07-27 -----------------------------

2007-07-25 18:28:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2007-07-25 17:56:58 0 d-------- C:\HJT
2007-07-25 17:50:56 0 d-------- C:\Documents and Settings\Owner\Application Data\Grisoft
2007-07-25 17:50:21 0 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2007-07-25 17:24:04 0 d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-07-25 17:23:41 4212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-07-25 17:23:21 74396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-25 17:23:21 75932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-25 17:23:13 141344 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-25 17:22:38 0 d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-25 17:21:36 0 d-------- C:\WINDOWS\Internet Logs
2007-07-24 21:20:00 0 d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2007-07-19 16:18:05 1007 --a------ C:\WINDOWS\mozver.dat
2007-07-11 14:05:53 0 d-------- C:\94f3f44206ff7291cbfc3f478c
 
Main.txt continued

-- Find3M Report ---------------------------------------------------------------

2007-07-25 10:02:06 12 --a------ C:\WINDOWS\system32\sl.bin
2007-07-25 10:01:38 0 d-------- C:\Program Files\MSN Gaming Zone
2007-07-19 16:55:05 0 d-------- C:\Documents and Settings\Owner\Application Data\Adobe
2007-07-19 16:40:20 0 d-------- C:\Program Files\Common Files\Adobe
2007-07-19 16:17:41 0 d-------- C:\Documents and Settings\Owner\Application Data\AdobeUM
2007-06-24 01:54:36 0 d-------- C:\Documents and Settings\Owner\Application Data\Mozilla
2007-06-23 04:02:48 18432 --a------ C:\WINDOWS\sysrlb32.exe <Not Verified; Microsoft Corp.; Project1>
2007-06-23 03:27:15 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-06-23 03:25:42 29952 --a------ C:\WINDOWS\vxddsk.exe
2007-06-02 21:10:06 0 d-------- C:\Program Files\Real
2007-06-02 21:07:49 0 d-------- C:\Program Files\Common Files\AOL
2007-06-02 21:07:39 0 d--h----- C:\Program Files\InstallShield Installation Information


-- Registry Dump ---------------------------------------------------------------

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
{A7327C09-B521-4EDB-8509-7D2660C9EC98} C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar4.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NWEReboot"=""
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.2\\Apps\\apdproxy.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_08\\bin\\jusched.exe\""
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"ZoneAlarm Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"ares"="\"C:\\Program Files\\Ares\\Ares.exe\" -h"
"Active Desktop Calendar"="C:\\Program Files\\XemiComputers\\Active Desktop Calendar\\ADC.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.8472\\GoogleToolbarNotifier.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



-- End of Deckard's System Scanner: finished at 2007-07-27 at 18:07:27 ---------


extra.txt

Deckard's System Scanner v20070711.54
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Athlon(tm) Processor
Percentage of Memory in Use: 40%
Physical Memory (total/avail): 511.42 MiB / 302.3 MiB
Pagefile Memory (total/avail): 1246.79 MiB / 1086.65 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1977.27 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 114.48 GiB total, 89.4 GiB free.
D: is CDROM (No Media)
E: is Removable (No Media)
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.362.000 (Check Point, LTD.)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe"="C:\\WINDOWS\\system32\\ZoneLabs\\avsys\\ScanningProcess.exe:*:Enabled:Kaspersky AV Scanner"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Owner\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.5.0_08\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=OWNER-C1RPWGUAV
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Owner
LOGONSERVER=\\OWNER-C1RPWGUAV
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;C:\Program Files\QuickTime\QTSystem"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 4 Stepping 2, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0402
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.5.0_08\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
TMP=C:\DOCUME~1\Owner\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=OWNER-C1RPWGUAV
USERNAME=Owner
USERPROFILE=C:\Documents and Settings\Owner
windir=C:\WINDOWS
__COMPAT_LAYER=EnableNXShowUI


-- User Profiles ---------------------------------------------------------------

Owner (admin)
Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Reader 8.1.0 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A81000000003}
Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Adobe® Photoshop® Album Starter Edition 3.2 --> MsiExec.exe /I{A654A805-41D9-40C7-AA46-4AF04F044D61}
AOL Instant Messenger --> C:\Program Files\AIM\uninstll.exe -LOG= C:\Program Files\AIM\install.log -OEM=
Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
AVG Anti-Spyware 7.5 --> C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\Uninstall.exe
AviSynth 2.5 --> "C:\Program Files\AviSynth 2.5\Uninstall.exe"
FaxTools --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F45298E5-0083-426F-A668-1A2C5F04B8A0}\setup.exe" -l0x9 ControlPanel
getPlus(R)_dll --> rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\inf\GETPLUSd.INF, DefaultUninstall
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\10\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar4.dll"
Google Video Player --> "C:\Program Files\Google\Google Video Player\Uninstall.exe"
HijackThis 1.99.1 --> C:\Documents and Settings\Owner\Desktop\HijackThis.exe /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB902344) --> "C:\WINDOWS\$NtUninstallKB902344$\spuninst\spuninst.exe"
Hotfix for Windows Media Format SDK (KB910998) --> "C:\WINDOWS\$NtUninstallKB910998$\spuninst\spuninst.exe"
iPod for Windows 2005-11-17 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{8338BA06-E527-491B-9400-F51708FEE695} /l1033
iPod for Windows 2006-01-10 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{3D047C15-C859-45F7-81CE-F2681778069B} /l1033
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
J2SE Runtime Environment 5.0 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150050}
J2SE Runtime Environment 5.0 Update 8 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150080}
LimeWire 4.12.11 --> "C:\Program Files\LimeWire\uninstall.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Mozilla Firefox (2.0.0.5) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
MSN Messenger 7.5 --> MsiExec.exe /I{CEB3A11A-03EA-11DA-BFBD-00065BBDC0B5}
Nero OEM --> C:\Program Files\Ahead\nero\uninstall\UNNERO.exe /UNINSTALL
QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
Videora iPod Converter 0.91 --> C:\Program Files\VideoraiPodConverter\uninst.exe
Viewpoint Manager (Remove Only) --> C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgrInstaller.exe /u /k
Viewpoint Media Player --> C:\Program Files\Viewpoint\Viewpoint Media Player\mtsAxInstaller.exe /u
Viewpoint Toolbar --> C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\Uninstaller.exe /u /k /url "http://www.viewpoint.com/pub/uninstallcompleted.html"
Windows Defender --> MsiExec.exe /I{B2D7CE29-614A-4ACC-8BFE-009EB3A244C9}
Windows Defender Signatures --> MsiExec.exe /I{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~2.DLL
Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
Yahoo! Toolbar --> C:\PROGRA~1\Yahoo!\Common\unyt.exe
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe


-- End of Deckard's System Scanner: finished at 2007-07-27 at 18:07:27 ---------
 
Hello :)

Open notepad and copy/paste the text in the quotebox below into it:

Driver::
TnIDriver

File::
C:\Documents and settings\owner\local settings\temp\tni2b.tmp
C:\WINDOWS\vxddsk.exe

Collect::
C:\Documents and Settings\Owner\Desktop\jo.ren
Click to expand...

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
______________________

Go to VirusTotal.
  • *Click on the "Browse"-button
    *Find this file: C:\WINDOWS\sysrlb32.exe
    *Then click on the "open" -button
    *Click on the "Send"-button
    *Copy/paste the results of VirusTotal into a notepad.
___________________

Post:
- A fresh HijackThis log
- ComboFix's log
- The results of the VirusTotal
 
hi

i had another problem, the same exact kind, with ComboFix. whenever i drag the "CFScrip" file into ComboFix, it starts up and i get the error "C:\WINDOWS\system32\chcp.com not valid Win32 application"

I have the other things though.

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 7:02:08 PM, on 7/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\126b5745ddca77b9d635ed46c361c072\update\update.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\Accessories\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149879949299
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149879923001
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


Virus Total Results

Antivirus Version Last Update Result
AhnLab-V3 2007.7.28.0 2007.07.27 Win-Trojan/Xema.variant
AntiVir 7.4.0.50 2007.07.30 TR/Crypt.FKM.Gen
Authentium 4.93.8 2007.07.27 W32/Trojan.AJGG
Avast 4.7.997.0 2007.07.29 Win32:VB-EDB
AVG 7.5.0.476 2007.07.28 Generic4.AMA
BitDefender 7.2 2007.07.30 Trojan.VB.NHG
CAT-QuickHeal 9.00 2007.07.28 Trojan.VB.azo
ClamAV 0.91 2007.07.30 -
DrWeb 4.33 2007.07.30 -
eSafe 7.0.15.0 2007.07.29 Win32.VB.azo
eTrust-Vet 31.1.5010 2007.07.28 Win32/Cadux.BN
Ewido 4.0 2007.07.29 Trojan.Small
FileAdvisor 1 2007.07.30 -
Fortinet 2.91.0.0 2007.07.29 W32/VB.AZO!tr
F-Prot 4.3.2.48 2007.07.27 W32/Trojan.AJGG
F-Secure 6.70.13030.0 2007.07.29 Trojan.Win32.VB.azo
Ikarus T3.1.1.8 2007.07.29 Trojan.Win32.VB.azo
Kaspersky 4.0.2.24 2007.07.30 Trojan.Win32.VB.azo
McAfee 5085 2007.07.27 Generic AdClicker.h
Microsoft 1.2704 2007.07.30 Trojan:Win32/VB!604D
NOD32v2 2427 2007.07.28 probably a variant of Win32/VB
Norman 5.80.02 2007.07.27 W32/VBTroj.GJK
Panda 9.0.0.4 2007.07.29 Adware/SpyAway
Rising 19.33.62.00 2007.07.29 Trojan.Win32.VB.azo
Prevx1 V2 2007.07.30 Generic.Malware
Sophos 4.19.0 2007.07.26 Troj/VB-DVI
Sunbelt 2.2.907.0 2007.07.28 Trojan.Win32.VB.azo
Symantec 10 2007.07.29 Trojan Horse
TheHacker 6.1.7.157 2007.07.29 Trojan/VB.azo
VBA32 3.12.2.1 2007.07.29 Trojan.Win32.VB.azo
VirusBuster 4.3.26:9 2007.07.29 Trojan.VB.FEG
Webwasher-Gateway 6.0.1 2007.07.30 Trojan.Crypt.FKM.Gen
Additional information
File size: 18432 bytes
MD5: 0cf3eb2cb9a645ea01c31b505c8689df
SHA1: 861e0eb479cb7add0a439831b91dfb7811e476f2
packers: UPX
packers: UPX
packers: UPX
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PX5=3C2E54FC00BA9C0648A10097641C5A0005F927F9
 
Hello :)

Download RegSearch by Bobbi Flekman.
  • Create a folder in your C: drive C:\Regsearch, and extract all the files from the zip archive into that folder.
  • Double click regsearch.exe to launch the programme.
  • Copy/Paste the following into the Search Box TnIDriver
  • Click OK.

Regsearch will now search your Registry for the required strings, when it is finished it will open a Notepad file RegSearch.txt, saved to the Regsearch folder.

Copy/Paste that file into your next post.
__________________

Please download GMER and save it to your desktop. (Second download link)
  • Extract it to your desktop and double-click on GMER.exe
  • Click on rootkit-tab and then click scan.
  • Do not checkmark "Show All" box, when GMER is running!
  • When the scan is finished, click on Copy.
  • Paste this log into notepad
  • Send the logfile of GMER to your topic
____________________

Post:
- A fresh HijackThis log
- Contents of RegSearch.txt
- Gmer's log
 
hi, heres the stuff

HJT log

Logfile of HijackThis v1.99.1
Scan saved at 9:27:25 PM, on 7/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Java\jre1.5.0_08\bin\jucheck.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O2 - BHO: Viewpoint Toolbar BHO - {A7327C09-B521-4EDB-8509-7D2660C9EC98} - C:\Program Files\Viewpoint\Viewpoint Toolbar\3.8.0\ViewBarBHO.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Viewpoint Toolbar - {F8AD5AA5-D966-4667-9DAF-2561D68B2012} - C:\Program Files\Common Files\Viewpoint\Toolbar Runtime\3.8.0\IEViewBar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_08\bin\jusched.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Owner\Start Menu\Programs\Accessories\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {31E68DE2-5548-4B23-88F0-C51E6A0F695E} (Microsoft PID Sniffer) - https://support.microsoft.com/OAS/ActiveX/odc.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/html/activexplayer/SMALStreaming.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149879949299
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149879923001
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


RegSearch

Windows Registry Editor Version 5.00

; Registry Search 2.0 by Bobbi Flekman © 2005
; Version: 2.0.5.0

; Results at 7/30/2007 4:34:44 PM for strings:
; 'tnidriver'
; Strings excluded from search:
; (None)
; Search in:
; Registry Keys Registry Values Registry Data
; HKEY_LOCAL_MACHINE HKEY_USERS


[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TNIDRIVER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TNIDRIVER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TNIDRIVER\0000]
"Service"="TnIDriver"
"DeviceDesc"="TnIDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TNIDRIVER\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TnIDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TnIDriver]
"DisplayName"="TnIDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TnIDriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TNIDRIVER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TNIDRIVER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TNIDRIVER\0000]
"Service"="TnIDriver"
"DeviceDesc"="TnIDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TNIDRIVER\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TNIDRIVER\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TnIDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TnIDriver]
"DisplayName"="TnIDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TnIDriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TnIDriver\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TnIDriver\Enum]
"0"="Root\\LEGACY_TNIDRIVER\\0000"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TNIDRIVER]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TNIDRIVER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TNIDRIVER\0000]
"Service"="TnIDriver"
"DeviceDesc"="TnIDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TNIDRIVER\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TnIDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TnIDriver]
"DisplayName"="TnIDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TnIDriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TNIDRIVER]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TNIDRIVER\0000]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TNIDRIVER\0000]
"Service"="TnIDriver"
"DeviceDesc"="TnIDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TNIDRIVER\0000\LogConf]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TNIDRIVER\0000\Control]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TnIDriver]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TnIDriver]
"DisplayName"="TnIDriver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TnIDriver\Security]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TnIDriver\Enum]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TnIDriver\Enum]
"0"="Root\\LEGACY_TNIDRIVER\\0000"

; End Of The Log...
 
and the GMER log

GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-07-30 21:26:39
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.13 ----

.text ntoskrnl.exe!_abnormal_termination + 104 804E2760 12 Bytes [ 70, B2, 5F, F6, 00, 15, 60, ... ]
? srescan.sys The system cannot find the file specified.

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\System32\DRIVERS\processr.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\VIDEOPRT.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\mouclass.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\kbdclass.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\system32\DRIVERS\fdc.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\parport.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\system32\DRIVERS\imapi.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\redbook.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\ks.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\system32\drivers\portcls.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\gameenum.sys[NTOSKRNL.EXE!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\Drivers\Modem.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\audstub.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\ndistapi.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] 831A3D70
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] 831A3960
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] 831A3F40
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] 831A3770
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F65FF9D0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F65FFEF0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F6600050] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F65FFB40] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F65FFB40] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F65FF9D0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F65FFEF0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F6600050] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\msgpc.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\rdpdr.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\termdd.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\swenum.sys[NTOSKRNL.EXE!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\mssmbios.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\system32\drivers\MODEMCSA.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F65FF9D0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F6600050] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F65FFEF0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F65FFB40] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\flpydisk.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\system32\DRIVERS\usbhub.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\Drivers\Fs_Rec.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\Drivers\Null.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\Drivers\Beep.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\Drivers\Msfs.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\Drivers\Npfs.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\rasacd.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\ipsec.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F6600050] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F65FFEF0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F65FF9D0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] 83178660
IAT \SystemRoot\System32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] 83178660
IAT \SystemRoot\system32\DRIVERS\ipnat.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F65FFB40] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F65FF9D0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F65FFEF0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F6600050] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\drivers\ws2ifsl.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile] [F660D360] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\netbios.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\rdbss.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\Drivers\Fips.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\system32\DRIVERS\USBSTOR.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\Drivers\Cdfs.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F65FF9D0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F65FFB40] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F6600050] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F65FFEF0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\Fastfat.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\system32\drivers\wdmaud.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\system32\drivers\sysaudio.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\mrxdav.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\Drivers\ParVdm.SYS[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile] [F65F85C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile] [F65F8510] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile] [F65F86C0] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\System32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F65F8220] \SystemRoot\System32\vsdatant.sys
IAT \SystemRoot\System32\Drivers\HTTP.sys[ntoskrnl.exe!IoCreateDevice] 831785E0
IAT \SystemRoot\system32\drivers\kmixer.sys[ntoskrnl.exe!IoCreateDevice] 831785E0

---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F87A91DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F87A91DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F87A9454] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F879CF4C] fltmgr.sys
 
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F87A91DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F879CF4C] fltmgr.sys

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F660CC50] vsdatant.sys

AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F869C0F0] kl1.sys

Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F660CC50] vsdatant.sys

AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F869C0F0] kl1.sys

Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F660CC50] vsdatant.sys

AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F869C0F0] kl1.sys

Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F660CC50] vsdatant.sys
 
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F869C0F0] kl1.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F869C0F0] kl1.sys

Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F660CC50] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F660CC50] vsdatant.sys

AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F87A91DE] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F87A91DE] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F87A9454] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F87A91DE] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F879CF4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F879CF4C] fltmgr.sys

---- Threads - GMER 1.0.13 ----

Thread 4:120 831A98E0
Thread 4:124 831A98E0
Thread 4:128 831828D0
Thread 4:132 831828D0
Thread 4:136 831828D0
Thread 4:392 831A98E0
Thread 4:456 831A98E0
Thread 4:600 831A98E0

---- Registry - GMER 1.0.13 ----

Reg \Registry\USER\S-1-5-21-602162358-1606980848-854245398-1003\Software\Microsoft\Search Assistant\ACMru\5603@?

---- EOF - GMER 1.0.13 ----
 
Hello :)

Please download swreg.exe by Bobbi Flekman and save it to your System32 folder. C:\Windows\System32\swreg.exe
______________________

Open Notepad
-> copy the following lines into a new document:
@echo off
SWReg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TNIDRIVER /GE:F
SWReg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TNIDRIVER /GE:F
SWReg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TNIDRIVER /GE:F
SWReg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TNIDRIVER /GE:F
exit
Click to expand...
Save the document to your desktop as Fix.bat and filetype: All Files
Go to your desktop and run the file Fix.bat and answer yes to any questions.
_______________________

First we'll need to backup registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save text below as fix.reg on Notepad (save it as all files (*.*)) on Desktop

Code: 
REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Enum\Root\LEGACY_TNIDRIVER]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TnIDriver]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Enum\Root\LEGACY_TNIDRIVER]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet003\Services\TnIDriver]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Enum\Root\LEGACY_TNIDRIVER]

[-HKEY_LOCAL_MACHINE\SYSTEM\ControlSet004\Services\TnIDriver]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_TNIDRIVER]

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TnIDriver]

It should look like this ->
reg.gif


Doubleclick fix.reg, press Yes and ok.

(In case you are unsure how to create a reg file, take a look here with screenshots.)
_____________________

Re-run Regsearch and search for TnIDriver

Post:
- A fresh HijackThis log
- RegSearch.txt
 
You must log in or register to reply here.
Back
Top