> [Resolved] Logger agent.chp , Suurcher on comp- very slow..?
ussoace
post Jun 21 2008, 01:54 PM
Post #1


Authentic Member

Group: Authentic Member
Posts: 23
Joined: 28-October 07
Member No.: 73,843
Operating System: XP service pack 2



Hello (sadly again for a second time), I have come up with a problem yet again. Many clickable pictures on the internet do not work. I have run AVG Anti-Spyware on it a couple of times in safe mode to remove some files, but it seems to be coming up with the same problems all the time. Here's a report of it after a couple of hours trying to fix it on my own.

+ Created at: 11:21:26 AM 6/21/2008

+ Scan result:



[1712] C:\WINDOWS\system32\jfiehayd.dll -> Downloader.Agent.lxt : Cleaned.
[1116] C:\DOCUME~1\Kev\LOCALS~1\Temp\csrssc.exe -> Downloader.Suurch.ef : Cleaned.
C:\flciijjq.exe -> Dropper.Agent.sbe : Cleaned.
[820] VM_00BB1000 -> Logger.Agent.chp : Cleaned.
C:\jfcjr.exe -> Trojan.Agent.gmo : Cleaned.


::Report end




This is my HJT report...



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:46:17 PM, on 6/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\drivers\spools.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\Kev\LOCALS~1\Temp\RarSFX0\basic\setup.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: The Weather Channel Toolbar - {2E5E800E-6AC0-411E-940A-369530A35E43} - C:\WINDOWS\system32\TwcToolbarIe7.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdwvp.exe] C:\WINDOWS\system32\kdwvp.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [30e29377] rundll32.exe "C:\WINDOWS\system32\hbtkgcvo.dll",b
O4 - HKLM\..\Run: [autoload] C:\Documents and Settings\Kev\cftmon.exe
O4 - HKLM\..\Run: [BM33d1a0eb] Rundll32.exe "C:\WINDOWS\system32\uhkflect.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Kev\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Kev\cftmon.exe
O4 - HKUS\S-1-5-18\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [autoload] C:\Documents and Settings\LocalService\cftmon.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra 'Tools' menuitem: The Weather Channel - {2E5E800E-6AC0-411E-940A-369530A35E43} - (no file)
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\program files\iolo\common\firewall\ifw_xfilter.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24F8E0F8-04F9-4C2D-9922-FF155DB24FAC}: NameServer = 85.255.115.43,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\..\{95008A28-DE0F-4F99-A7E5-C9AF501D1A27}: NameServer = 85.255.115.43,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\..\{A3EC38AA-9E7B-4781-BDFE-9C154DEFD28E}: NameServer = 85.255.115.43,85.255.112.170
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.170
O17 - HKLM\System\CS1\Services\Tcpip\..\{24F8E0F8-04F9-4C2D-9922-FF155DB24FAC}: NameServer = 85.255.115.43,85.255.112.170
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.170
O17 - HKLM\System\CS2\Services\Tcpip\..\{24F8E0F8-04F9-4C2D-9922-FF155DB24FAC}: NameServer = 85.255.115.43,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.170
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Unknown owner - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 8808 bytes


Thank you very much for looking.

This post has been edited by ussoace: Jun 21 2008, 02:37 PM
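As an added illustration of how a helper reads a HijackThis log like the one above (this is editor-supplied example code, not code from the thread, from HijackThis or from any other tool named here): a small Python checker that applies a few of the usual heuristics to O4, O7, O10, O17, O22 and O23 lines, fed with lines copied from the log in this post. The set of system file names, the suspect-directory patterns and the two-edit lookalike threshold are assumptions chosen to fit this log.

```python
import re

# Excerpt of the HijackThis log posted at the top of this thread (lines copied
# from the post, not constructed), used here as the input to the checker.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ntuser] C:\WINDOWS\system32\drivers\spools.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdwvp.exe] C:\WINDOWS\system32\kdwvp.exe
O4 - HKLM\..\Run: [30e29377] rundll32.exe "C:\WINDOWS\system32\hbtkgcvo.dll",b
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Kev\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [autoload] C:\Documents and Settings\Kev\cftmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{24F8E0F8-04F9-4C2D-9922-FF155DB24FAC}: NameServer = 85.255.115.43,85.255.112.170
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.43 85.255.112.170
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\spools.exe
"""

# Assumed list of Windows XP system binaries whose names the files in this log
# imitate (spools.exe for spoolsv.exe, cftmon.exe for ctfmon.exe, csrssc.exe for csrss.exe).
SYSTEM_NAMES = {"csrss.exe", "ctfmon.exe", "spoolsv.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "services.exe", "smss.exe", "explorer.exe"}
# Assumed directories from which an auto-started .exe deserves a second look.
SUSPECT_DIRS = ("\\temp\\", "\\documents and settings\\", "\\docume~1\\", "\\drivers\\")

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# First drive-letter path in a command line, quoted or not, ending in a binary extension.
PATH_RE = re.compile(r'"?([A-Za-z]:\\.+?\.(?:exe|dll|com|scr|cpl|bat))', re.I)
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d.,\s]+)$")
# Run-entry names that are a bare hex blob or a full path rather than a product name.
ODD_NAME_RE = re.compile(r"^(?:[0-9a-f]{6,}|[a-z]:\\.*)$", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss imitations of system file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename):
    """Return the system binary a file name imitates (within two edits), else None."""
    filename = filename.lower()
    if filename in SYSTEM_NAMES:
        return None
    return next((real for real in sorted(SYSTEM_NAMES)
                 if edit_distance(filename, real) <= 2), None)


def check_binary(path):
    """Classify the executable an O4/O23 entry launches; None when nothing stands out."""
    path = path.lower()
    base = path.rsplit("\\", 1)[-1]
    real = lookalike(base)
    if real:
        return "lookalike:" + real
    if base in SYSTEM_NAMES and not path.startswith(("c:\\windows\\system32\\", "c:\\windows\\")):
        return "system-name-outside-windows-dir"
    if path.endswith(".exe") and any(d in path for d in SUSPECT_DIRS):
        return "autostart-from-suspect-dir"
    return None


def analyze(log, expected_dns=frozenset()):
    """Run the checks over one HijackThis log and return (tag, detail) findings.

    expected_dns: resolvers the machine is supposed to use; any other NameServer
    (O17) value is reported once. Identical log lines are reported only once."""
    findings, seen_lines, seen_dns = [], set(), set()
    for line in log.splitlines():
        line = line.strip()
        if not line or line in seen_lines:
            continue
        seen_lines.add(line)
        if line.startswith("O4 - "):
            m = O4_RE.match(line)
            p = PATH_RE.search(m.group("cmd")) if m else None
            if m and ODD_NAME_RE.match(m.group("name")):
                findings.append(("odd-entry-name", line))
            elif p and check_binary(p.group(1)):
                findings.append((check_binary(p.group(1)), line))
        elif line.startswith("O7 - ") and "DisableRegedit=1" in line:
            findings.append(("registry-tools-disabled", line))
        elif line.startswith("O10 - Unknown file in Winsock LSP"):
            findings.append(("unknown-lsp", line))
        elif line.startswith("O17 - "):
            m = O17_RE.match(line)
            for server in (re.split(r"[,\s]+", m.group("servers").strip()) if m else []):
                if server not in expected_dns and server not in seen_dns:
                    seen_dns.add(server)
                    findings.append(("nameserver-not-expected", server))
        elif line.endswith("(file missing)"):
            findings.append(("orphaned-entry", line))
        elif line.startswith("O23 - "):
            p = PATH_RE.search(line)
            tag = check_binary(p.group(1)) if p else None
            if tag:
                findings.append((tag, line))
    return findings


if __name__ == "__main__":
    for tag, detail in analyze(SAMPLE_LOG):
        print(f"{tag:32} {detail}")
```

The checker deliberately stays silent on the NvCplDaemon and ctfmon.exe entries, which are the legitimate ones in this excerpt, and reports the repeated O10 and O17 lines only once.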
Rorschach112
post Jun 28 2008, 02:18 PM
Post #2


SuperMember

Group: Visiting Teacher
Posts: 1,652
Joined: 29-September 07
Member No.: 73,164
Operating System: Windows XP



Hello

Please download RUNSCANNER to your desktop and run it.
  • When the first page comes up select Beginner Mode
  • On the next page select Save a binary .Run file (Recommended) then click Start full scan at the top.
  • At this time Runscanner.exe may request access to the Internet through your firewall; please allow it to do so. It will then run for two or three minutes.
  • On completion it will ask for a location to save the file and a name. It will do this for both the .run file and the log.
  • Call the file "Select a file name here" and save it to your desktop. You will see the .run file on your desktop. Please zip the .run file by right-clicking it and selecting Send To > Zip file.


Then upload that as an attachment in your next post.


ussoace
post Jun 29 2008, 09:42 PM
Post #3


Authentic Member

Group: Authentic Member
Posts: 23
Joined: 28-October 07
Member No.: 73,843
Operating System: XP service pack 2



Thanks for helping. Just to let you know, I had downloaded S-D the other day and was running that as well. It was coming up with a lot more problems such as good old Smitfraud and some antivirus X. It has become apparent that my audio devices were somehow uninstalled. I do not know how this happened, but I try to re-install and nothing will happen. Not sure if this is a malware problem or software.

This post has been edited by ussoace: Jun 29 2008, 10:15 PM
Attached File(s)
Attached File  Select_a_file_name_here.zip ( 87.41K ) Number of downloads: 2
Attached File  Select_a_file_name_here.zip ( 87.41K ) Number of downloads: 1
 
Rorschach112
post Jun 30 2008, 06:41 AM
Post #4


SuperMember

Group: Visiting Teacher
Posts: 1,652
Joined: 29-September 07
Member No.: 73,164
Operating System: Windows XP



Hello

Before we begin, you should save these instructions in Notepad to your desktop, or print them, for easy reference. Much of our fix will be done in Safe mode, and you will be unable to access this thread at that time. If you have questions at any point, or are unsure of the instructions, feel free to post here and ask for clarification before proceeding.


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts, the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally paste the contents of the Report.txt back on the forum.




Download the zipped attachment at the end of this post (this will be your runscanner as fixed by me).

  • Unzip it to your desktop, then double click the runscanner icon; this will run the program.
  • Click on the "Item Fixer" tab
  • You will notice several entries with a tick in red, click Fix checked.
  • Accept the warning then repeat until they are all gone.





Reboot and do this

Please visit this web page for instructions for downloading and running ComboFix

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

For more information on the Windows XP Recovery Console read http://support.microsoft.com/kb/314058.

Once you install the Recovery Console, when you reboot your computer, you'll see the option for the Recovery Console now as well. Don't select Recovery Console as we don't need it. By default, your main OS is selected there. The screen stays for 2 seconds and then it proceeds to load Windows. That is normal.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.




ussoace
post Jun 30 2008, 11:41 AM
Post #5


Authentic Member

Group: Authentic Member
Posts: 23
Joined: 28-October 07
Member No.: 73,843
Operating System: XP service pack 2



Here is what you have requested; all went smoothly.

SDfix


scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iolo\\System Mechanic Professional 7\\Personal Firewall\\ioloFW.exe"="C:\\Program Files\\iolo\\System Mechanic Professional 7\\Personal Firewall\\ioloFW.exe:*:Enabled:iolo Firewallr"
"C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\ioloAV.exe"="C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\ioloAV.exe:*:Enabled:iolo AntiVirusr"
"C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\iAVEmailScanner.exe"="C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\iAVEmailScanner.exe:*:Enabled:iolo AntiVirusr Email Protection"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\Ubisoft\\Eagle Dynamics\\Lock On\\LOCKON.EXE"="C:\\Program Files\\Ubisoft\\Eagle Dynamics\\Lock On\\LOCKON.EXE:*:Enabled:LOCK ON"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:æTorrent"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iw3mp.exe"="C:\\Program Files\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 26 Jan 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 14 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT3.tmp"

Finished!

Combo Fix

ComboFix 08-06-20.4 - Kev 2008-06-30 13:21:16.1 - NTFSx86 NETWORK
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.773 [GMT -4:00]
Running from: C:\Documents and Settings\Kev\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM33d1a0eb.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files\setup.inf
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\adJmmnmp.ini
C:\WINDOWS\system32\adJmmnmp.ini2
C:\WINDOWS\system32\adsmsex.dll
C:\WINDOWS\system32\aybIlUtv.ini
C:\WINDOWS\system32\aybIlUtv.ini2
C:\WINDOWS\system32\bmf.cs
C:\WINDOWS\system32\ccs.so
C:\WINDOWS\system32\cxcdiaxe.ini
C:\WINDOWS\system32\ddcCVOff.dll
C:\WINDOWS\system32\ffgPYcfe.ini
C:\WINDOWS\system32\ffgPYcfe.ini2
C:\WINDOWS\system32\fhigntnn.ini
C:\WINDOWS\system32\gctufces.ini
C:\WINDOWS\system32\hkiftogk.ini
C:\WINDOWS\system32\ho.ln
C:\WINDOWS\system32\ihbcfiuq.ini
C:\WINDOWS\system32\jSBHknnn.ini
C:\WINDOWS\system32\jSBHknnn.ini2
C:\WINDOWS\system32\ko.o
C:\WINDOWS\system32\koltjqnn.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mn.n
C:\WINDOWS\system32\nnnkHBSj.dll
C:\WINDOWS\system32\nnnlmJyY.dll
C:\WINDOWS\system32\nvrsma.dll
C:\WINDOWS\system32\OUDgQqss.ini
C:\WINDOWS\system32\OUDgQqss.ini2
C:\WINDOWS\system32\ovcgktbh.ini
C:\WINDOWS\system32\pmnmmJda.dll
C:\WINDOWS\system32\qoMfebbA.dll
C:\WINDOWS\system32\rqRLfcbX.dll
C:\WINDOWS\system32\ufjjnhtb.ini
C:\WINDOWS\system32\wphxepxj.ini
C:\WINDOWS\system32\xIRBcJjl.ini
C:\WINDOWS\system32\xIRBcJjl.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-28 to 2008-06-30 )))))))))))))))))))))))))))))))
.

2008-06-30 12:32 . 2008-06-30 12:32 <DIR> d-------- C:\WINDOWS\ERUNT
2008-06-30 12:25 . 2008-06-30 13:04 <DIR> d-------- C:\SDFix
2008-06-30 00:26 . 2008-06-30 00:26 <DIR> d-------- C:\WINDOWS\LastGood.Tmp
2008-06-30 00:26 . 2005-08-17 06:25 18,771,968 -ra------ C:\WINDOWS\system32\ALSNDMGR.CPL
2008-06-30 00:26 . 2005-08-17 06:21 10,458,112 -ra------ C:\WINDOWS\system32\RTLCPL.EXE
2008-06-30 00:26 . 2005-08-19 05:31 3,644,800 -ra------ C:\WINDOWS\system32\drivers\ALCXWDM.SYS
2008-06-30 00:26 . 2004-09-07 02:23 156,672 -ra------ C:\WINDOWS\system32\RTLCPAPI.dll
2008-06-30 00:26 . 2002-02-05 01:54 141,016 -ra------ C:\WINDOWS\system32\ALSNDMGR.WAV
2008-06-30 00:26 . 2005-08-17 06:39 90,112 -ra------ C:\WINDOWS\SOUNDMAN.EXE
2008-06-29 23:46 . 2008-06-29 23:46 169 --a------ C:\WINDOWS\RtlRack.ini
2008-06-29 16:30 . 2008-06-29 16:30 87,040 --a------ C:\WINDOWS\system32\jxpexhpw.dll
2008-06-29 16:28 . 2008-06-29 16:28 104,448 --a------ C:\WINDOWS\system32\ybkmntve.dll
2008-06-29 16:28 . 2008-06-29 16:28 104,448 --a------ C:\WINDOWS\system32\skjcxm.dll
2008-06-29 16:28 . 2008-06-29 16:28 95,232 --a------ C:\WINDOWS\system32\pslvssjt.dll
2008-06-29 16:20 . 2008-06-29 16:20 <DIR> d-------- C:\Documents and Settings\Administrator.PIECEOCRAP
2008-06-29 15:28 . 2008-06-29 15:28 104,448 --a------ C:\WINDOWS\system32\tazegt.dll
2008-06-29 15:28 . 2008-06-29 15:28 104,448 --a------ C:\WINDOWS\system32\hfhgxyib.dll
2008-06-29 15:25 . 2008-06-29 15:25 87,040 --a------ C:\WINDOWS\system32\quifcbhi.dll
2008-06-29 15:22 . 2008-06-29 15:22 95,232 --a------ C:\WINDOWS\system32\xnxxhmam.dll
2008-06-28 14:42 . 2008-06-28 14:42 104,960 --a------ C:\WINDOWS\system32\nbfflr.dll
2008-06-28 14:42 . 2008-06-28 14:42 104,960 --a------ C:\WINDOWS\system32\hthdfbia.dll
2008-06-28 14:39 . 2008-06-28 14:39 94,208 --a------ C:\WINDOWS\system32\qmgbethb.dll
2008-06-27 14:38 . 2008-06-27 14:38 104,960 --a------ C:\WINDOWS\system32\kesbcw.dll
2008-06-27 14:38 . 2008-06-27 14:38 104,960 --a------ C:\WINDOWS\system32\fhoaogvd.dll
2008-06-27 14:38 . 2008-06-27 14:38 87,040 --a------ C:\WINDOWS\system32\exaidcxc.dll
2008-06-27 14:37 . 2008-06-27 14:37 94,208 --a------ C:\WINDOWS\system32\kwiyduvf.dll
2008-06-26 17:20 . 2008-06-26 17:20 107,008 --a------ C:\WINDOWS\system32\noiqolqv.dll
2008-06-26 17:18 . 2008-06-26 17:18 95,232 --a------ C:\WINDOWS\system32\ymvdobtn.dll
2008-06-24 01:04 . 2008-06-24 01:04 106,496 --a------ C:\WINDOWS\system32\pmadqsox.dll
2008-06-24 01:02 . 2008-06-24 01:02 86,528 --a------ C:\WINDOWS\system32\kgotfikh.dll
2008-06-24 01:01 . 2008-06-24 01:02 95,232 --a------ C:\WINDOWS\system32\eiyegqbb.dll
2008-06-24 00:31 . 2008-06-28 14:50 269 --a------ C:\WINDOWS\wininit.ini
2008-06-23 11:04 . 2008-06-23 11:04 106,496 --a------ C:\WINDOWS\system32\ndfsfxml.dll
2008-06-23 11:00 . 2008-06-23 11:00 95,232 --a------ C:\WINDOWS\system32\tjlifdii.dll
2008-06-22 10:20 . 2008-06-22 10:20 101,888 --a------ C:\WINDOWS\system32\mvjcjldk.dll
2008-06-22 10:16 . 2008-06-22 10:16 95,232 --a------ C:\WINDOWS\system32\gyhnulsy.dll
2008-06-21 16:10 . 2008-06-21 16:10 <DIR> d-------- C:\Program Files\Panda Security
2008-06-21 15:46 . 2008-06-21 15:46 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-21 15:39 . 2008-06-21 15:39 <DIR> d-------- C:\Program Files\Avira
2008-06-21 15:39 . 2008-06-21 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-21 11:16 . 2008-06-21 11:16 101,888 --a------ C:\WINDOWS\system32\nbbmxdbr.dll
2008-06-21 11:14 . 2008-06-21 11:14 94,208 --a------ C:\WINDOWS\system32\uhkflect.dll
2008-06-21 01:20 . 2008-06-21 01:20 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Grisoft
2008-06-21 01:20 . 2008-06-21 02:01 <DIR> d---s---- C:\Documents and Settings\Administrator
2008-06-20 14:07 . 2008-06-21 02:01 <DIR> d-------- C:\Program Files\PCHealthCenter
2008-06-19 23:17 . 2008-06-21 02:01 <DIR> d-------- C:\Program Files\Condor
2008-06-18 17:23 . 2008-06-18 17:23 <DIR> d-------- C:\Program Files\CondorSceneryToolkit
2008-06-16 23:20 . 2008-06-16 23:20 <DIR> d-------- C:\Program Files\Common Files\DirectX
2008-06-10 16:20 . 2008-04-14 07:01 272,128 --a------ C:\WINDOWS\system32\drivers\bthport.sys
2008-06-10 16:20 . 2008-04-14 07:01 272,128 -----c--- C:\WINDOWS\system32\dllcache\bthport.sys
2008-06-09 18:54 . 2008-06-09 18:54 <DIR> d-------- C:\WINDOWS\Profiles
2008-06-09 18:54 . 2008-06-09 18:54 <DIR> d-------- C:\Documents and Settings\Kev\WINDOWS
2008-06-09 18:54 . 2008-06-09 18:54 <DIR> d-------- C:\Documents and Settings\Kev\Application Data\Leadertech
2008-06-09 18:10 . 2008-06-09 18:55 <DIR> d-------- C:\Program Files\viewsonic
2008-06-09 18:09 . 2008-06-10 16:25 101 --a------ C:\WINDOWS\VSWizard.ini
2008-05-28 06:20 . 2008-05-28 06:20 268 --ah----- C:\sqmdata04.sqm
2008-05-28 06:20 . 2008-05-28 06:20 244 --ah----- C:\sqmnoopt04.sqm
2008-05-25 10:57 . 2008-04-28 14:25 4,224 --a------ C:\WINDOWS\system32\drivers\NVStrap.sys
2008-05-25 10:52 . 2008-05-25 10:53 <DIR> d-------- C:\Program Files\RivaTuner v2.09
2008-05-22 17:08 . 2008-05-22 17:08 <DIR> d-------- C:\WINDOWS\nvidia icons
2008-05-22 17:08 . 2008-05-02 22:46 182,347 --a------ C:\WINDOWS\system32\nvapps.nvb
2008-05-22 17:04 . 2008-05-22 17:04 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-05-02 22:46 . 2008-05-02 22:46 1,241,088 --a------ C:\WINDOWS\system32\nvcuda.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-30 04:19 --------- d-----w C:\Program Files\AvRack
2008-06-29 20:50 --------- d-----w C:\Program Files\DivX
2008-06-24 20:41 --------- d-----w C:\Documents and Settings\Kev\Application Data\Azureus
2008-06-24 19:57 --------- d-----w C:\Documents and Settings\Kev\Application Data\teamspeak2
2008-06-24 04:29 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-24 04:13 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-22 15:15 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-22 03:36 --------- d-----w C:\Program Files\The Weather Channel FW
2008-06-20 03:20 --------- d-----w C:\Documents and Settings\Kev\Application Data\LimeWire
2008-06-19 19:49 --------- d-----w C:\Program Files\Azureus
2008-06-19 03:35 --------- d-----w C:\Documents and Settings\Kev\Application Data\Apple Computer
2008-06-19 03:30 --------- d--h--w C:\Program Files\p
2008-06-19 03:27 --------- d-----w C:\Program Files\Activision
2008-06-14 00:01 --------- d-----w C:\Program Files\HyperLobbyPro3
2008-06-10 20:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-28 00:56 --------- d-----w C:\Documents and Settings\Kev\Application Data\AdobeUM
2008-05-08 12:28 202,752 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-05-03 02:46 6,554,496 ----a-w C:\WINDOWS\system32\drivers\nv4_mini.sys
2008-03-03 20:38 2,193 ----a-w C:\Program Files\install.log
2008-01-03 00:06 22,328 ----a-w C:\Documents and Settings\Kev\Application Data\PnkBstrK.sys
2007-12-18 17:06 155 ----a-w C:\Program Files\version.inf
2007-12-18 00:33 3,334,144 ----a-w C:\Program Files\iw3mp.exe
2007-11-28 23:28 4,278,011,754 ----a-w C:\Program Files\Call of Duty 4 - Modern Warfare.daa
2007-11-28 23:15 303,419 ----a-w C:\Program Files\Feb2006_d3dx9_29_x86.cab
2007-11-24 23:27 2,978,960 ----a-w C:\Program Files\servercache.dat
2007-11-15 19:56 4,500,188 ----a-w C:\Program Files\iw3sp.exe
2007-10-22 11:49 867,848 ----a-w C:\Program Files\NOV2007_d3dx10_36_x64.cab
2007-10-22 11:49 807,132 ----a-w C:\Program Files\NOV2007_d3dx10_36_x86.cab
2007-10-22 11:49 49,392 ----a-w C:\Program Files\NOV2007_X3DAudio_x64.cab
2007-10-22 11:49 44,850 ----a-w C:\Program Files\dxdllreg_x86.cab
2007-10-22 11:49 21,744 ----a-w C:\Program Files\NOV2007_X3DAudio_x86.cab
2007-10-22 11:49 200,010 ----a-w C:\Program Files\NOV2007_XACT_x64.cab
2007-10-22 11:49 151,512 ----a-w C:\Program Files\NOV2007_XACT_x86.cab
2007-10-22 11:49 1,805,306 ----a-w C:\Program Files\NOV2007_d3dx9_36_x64.cab
2007-10-22 11:49 1,712,608 ----a-w C:\Program Files\NOV2007_d3dx9_36_x86.cab
2007-10-04 23:14 2,482 ----a-w C:\Program Files\localization.txt
2007-10-04 23:14 109,976 ----a-w C:\Program Files\codlogo.bmp
2007-10-04 23:14 1,105,976 ----a-w C:\Program Files\cod.bmp
2002-09-11 14:26 63,730 ----a-w C:\Program Files\viewsonicinstruct_xp.pdf
.
C:\WINDOWS\system32\user32.dll ... is infected !! (additional data below)
577,024 2005-03-02 18:19:56 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
578,048 2007-03-08 15:48:36 C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
577,024 2004-08-04 12:00:00 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
577,024 2005-03-02 18:09:30 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
577,536 2008-06-20 03:32:12 C:\WINDOWS\system32\user32.DLL
577,536 2008-06-20 03:32:12 C:\WINDOWS\system32\dllcache\user32.dll


------- Sigcheck -------

2005-03-02 14:19 577024 1800f293bccc8ede8a70e12b88d80036 C:\WINDOWS\$hf_mig$\KB890859\SP2QFE\user32.dll
2007-03-08 11:48 578048 7aa4f6c00405dfc4b70ed4214e7d687b C:\WINDOWS\$hf_mig$\KB925902\SP2QFE\user32.dll
2004-08-04 08:00 577024 c72661f8552ace7c5c85e16a3cf505c4 C:\WINDOWS\$NtUninstallKB890859$\user32.dll
2005-03-02 14:09 577024 de2db164bbb35db061af0997e4499054 C:\WINDOWS\$NtUninstallKB925902$\user32.dll
2008-06-19 23:32 577536 93ff317151be6233ed8023922a64cccc C:\WINDOWS\system32\user32.DLL
2008-06-19 23:32 577536 93ff317151be6233ed8023922a64cccc C:\WINDOWS\system32\dllcache\user32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{49ea7a70-70cb-4229-8cfd-3ce45c8f3b9b}]
2008-06-29 16:28 104448 --a------ C:\WINDOWS\system32\skjcxm.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 08:00 15360]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 12:15 50528]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2008-05-02 22:46 13529088]
"C:\WINDOWS\system32\kdwvp.exe"="C:\WINDOWS\system32\kdwvp.exe" [ ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-12-14 17:44 185896]
"SoundMan"="SOUNDMAN.EXE" [2005-08-17 06:39 90112 C:\WINDOWS\SOUNDMAN.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=ndfsfxml.dll pmadqsox.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= ctwdm32.dll
"aux1"= ctwdm32.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^Kev^Start Menu^Programs^Startup^hamachi.lnk]
path=C:\Documents and Settings\Kev\Start Menu\Programs\Startup\hamachi.lnk
backup=C:\WINDOWS\pss\hamachi.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^Kev^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Kev\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\!AVG Anti-Spyware]
--a------ 2007-06-11 05:25 6731312 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\76810027622485058484857164461718]
C:\Program Files\XP Antivirus\xpa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 20:51 39792 C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioHQ]
C:\Program Files\Creative\SBLive2k\AudioHQ\AHQTB.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
C:\Documents and Settings\Kev\cftmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
--a------ 2007-12-12 09:09 167368 C:\Program Files\DAEMON Tools\daemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
--------- 2007-12-20 09:10 715888 C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dw6]
--a------ 2008-06-10 16:18 785520 C:\Program Files\The Weather Channel FW\Desktop\DesktopWeather.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Component Manager]
--a------ 2004-05-12 19:18 241664 C:\Program Files\HP\hpcoretech\hpcmpmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2004-02-12 17:38 49152 C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPHUPD06]
--a------ 2004-06-07 00:53 49152 C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-03-30 10:36 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Jet Detection]
C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kernelfaultcheck]
C:\WINDOWS\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
c:\PROGRA~1\mcafee.com\agent\mcagent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--a------ 2004-10-13 12:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2008-05-02 22:46 1630208 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
C:\Program Files\McAfee.com\VSO\oasclnt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
--a------ 2007-04-09 08:23 200704 C:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-03-28 23:37 413696 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
-rahs---- 2008-01-28 11:43 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2007-07-12 05:00 132496 C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2007-12-14 17:44 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomTomHOME.exe]
C:\Program Files\TomTom HOME 2\HOMERunner.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
-ra------ 2006-03-30 17:45 313472 C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"=
"C:\\Program Files\\Ubisoft\\Eagle Dynamics\\Lock On\\LOCKON.EXE"=
"C:\\Program Files\\AIM6\\aim6.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\iw3mp.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"55057:TCP"= 55057:TCP:utorrent

R0 sfdrv01a;StarForce Protection Environment Driver (version 1.x.a);C:\WINDOWS\system32\drivers\sfdrv01a.sys [2006-07-05 08:46]
R0 XPacket;iolo Personal Firewall Driver;C:\WINDOWS\system32\xpacket.sys [2007-10-02 16:41]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 17:38]
R3 PPJoyBus;Parallel Port Joystick Bus device driver;C:\WINDOWS\system32\drivers\PPJoyBus.sys [2004-10-24 09:11]
R3 vidcap;vidcap;C:\WINDOWS\system32\DRIVERS\vidcap.sys [2006-12-27 10:47]
S0 NVStrap;NVStrap;C:\WINDOWS\system32\drivers\NVStrap.sys [2008-04-28 14:25]

.
Contents of the 'Scheduled Tasks' folder
"2008-06-13 23:34:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-06-20 03:13:00 C:\WINDOWS\Tasks\HP Usg Daily.job"
- C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\pexpress\hphped05.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 13:25:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\lsass.exe
-> C:\WINDOWS\system32\iavlsp.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-30 13:35:09 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-30 17:35:05

Pre-Run: 156,947,476,480 bytes free
Post-Run: 157,419,741,184 bytes free

317 --- E O F --- 2008-06-13 08:03:06

HJT

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:38:32 PM, on 6/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: {b9b3f8c5-4ec3-dfc8-9224-bc0707a7ae94} - {49ea7a70-70cb-4229-8cfd-3ce45c8f3b9b} - C:\WINDOWS\system32\skjcxm.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6f74-2d53-2644-206d7942484f} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: AIM Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdwvp.exe] C:\WINDOWS\system32\kdwvp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aim toolbar 5.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: AIM Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AIM Toolbar 5.0\aoltb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {dfb852a3-47f8-48c4-a200-58cab36fd2a2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\iavlsp.dll
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2d8ed06d-3c30-438b-96ae-4d110fdc1fb8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.com/content/DriverDownlo.../sysreqlab2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O16 - DPF: {8BBDC81D-81B3-49EE-87E8-47B7A707FAE8} (GoToMeeting/GoToWebinar Web Starter) - https://www1.gotomeeting.com/default/applets/g2mdlax.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://crucial.com/controls/cpcScanner.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15034/CTPID.cab
O20 - AppInit_DLLs: ndfsfxml.dll pmadqsox.dll
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: PnkBstrA (pnkbstra) - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB (pnkbstrb) - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6527 bytes
Rorschach112
post Jun 30 2008, 11:53 AM
Post #6


SuperMember
*****

Group: Visiting Teacher
Posts: 1,652
Joined: 29-September 07
Member No.: 73,164
Operating System: Windows XP



Can you post all of the SDFix log, please?

You need to install the Recovery Console and run ComboFix again.
ussoace
post Jun 30 2008, 12:01 PM
Post #7


Authentic Member
**

Group: Authentic Member
Posts: 23
Joined: 28-October 07
Member No.: 73,843
Operating System: XP service pack 2



Yeah, sorry, I didn't notice the whole thing didn't go through. And I installed the console after I did ComboFix; I guess I should redo it anyway.



SDFix: Version 1.199
Run by Kev on Mon 06/30/2008 at 12:56 PM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\SDFix

Checking Services :

Name :
pqasghjd

Path :

pqasghjd - Deleted



Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\mlJAqpnM.dll - Deleted
C:\WINDOWS\SYSTEM32\ASC94.DLL - Deleted
C:\WINDOWS\SYSTEM32\SIGMA32.DLL - Deleted
C:\WINDOWS\system32\kdwvp.exe - Deleted
C:\Documents and Settings\Kev\cftmon.exe - Deleted
C:\WINDOWS\system32\mlJAqpnM.dll - Deleted
C:\WINDOWS\SYSTEM32\ASC94.DLL - Deleted
C:\WINDOWS\SYSTEM32\SIGMA32.DLL - Deleted
C:\WINDOWS\SYSTEM32\ASC94.DLL - Deleted
C:\WINDOWS\SYSTEM32\SIGMA32.DLL - Deleted
C:\WINDOWS\SYSTEM32\ASC94.DLL - Deleted
C:\WINDOWS\SYSTEM32\SIGMA32.DLL - Deleted
C:\WINDOWS\system32\kdwvp.exe - Deleted
C:\Documents and Settings\Kev\cftmon.exe - Deleted
C:\Documents and Settings\LocalService\cftmon.exe - Deleted
C:\Program Files\VAV\vav0.dat - Deleted
C:\Program Files\VAV\vav1.dat - Deleted
C:\DOCUME~1\Kev\LOCALS~1\Temp\calc.exe - Deleted
C:\DOCUME~1\Kev\LOCALS~1\Temp\lprn32.exe - Deleted
C:\DOCUME~1\Kev\LOCALS~1\Temp\media.php.bat - Deleted
C:\DOCUME~1\Kev\LOCALS~1\Temp\notepad.exe - Deleted
C:\WINDOWS\system32\drivers\spools.exe - Deleted
C:\WINDOWS\system32\pqasghjd.sys - Deleted



Folder C:\Program Files\VAV - Removed


Removing Temp Files

ADS Check :



Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-30 13:01:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg]
"s1"=dword:2df9c43f
"s2"=dword:110480d0
"h0"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:44,f8,e7,22,d5,e3,7e,9a,89,49,4d,72,e9,fe,1b,a2,94,ec,0a,a2,7a,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,81,2d,df,46,6e,d9,c6,4d,21,ff,00,c7,df,93,3f,a8,c7,..
"khjeh"=hex:72,6b,15,d8,77,f3,0a,20,a2,5a,08,56,05,05,bb,eb,29,37,93,e8,8f,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:0a,9a,47,f5,18,9b,01,eb,55,f1,13,54,ad,ff,74,53,58,63,09,f1,2a,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:56,51,a2,d9,dc,4e,ad,e3,44,0e,72,a2,b4,65,77,a8,f8,1e,3f,51,06,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:56,51,a2,d9,dc,4e,ad,e3,44,0e,72,a2,b4,65,77,a8,f8,1e,3f,51,06,..

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:56,51,a2,d9,dc,4e,ad,e3,44,0e,72,a2,b4,65,77,a8,f8,1e,3f,51,06,..
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4]
"p0"="C:\Program Files\DAEMON Tools\"
"h0"=dword:00000000
"khjeh"=hex:44,f8,e7,22,d5,e3,7e,9a,89,49,4d,72,e9,fe,1b,a2,94,ec,0a,a2,7a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001]
"a0"=hex:20,01,00,00,81,2d,df,46,6e,d9,c6,4d,21,ff,00,c7,df,93,3f,a8,c7,..
"khjeh"=hex:72,6b,15,d8,77,f3,0a,20,a2,5a,08,56,05,05,bb,eb,29,37,93,e8,8f,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40]
"khjeh"=hex:0a,9a,47,f5,18,9b,01,eb,55,f1,13,54,ad,ff,74,53,58,63,09,f1,2a,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41]
"khjeh"=hex:56,51,a2,d9,dc,4e,ad,e3,44,0e,72,a2,b4,65,77,a8,f8,1e,3f,51,06,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42]
"khjeh"=hex:56,51,a2,d9,dc,4e,ad,e3,44,0e,72,a2,b4,65,77,a8,f8,1e,3f,51,06,..

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43]
"khjeh"=hex:56,51,a2,d9,dc,4e,ad,e3,44,0e,72,a2,b4,65,77,a8,f8,1e,3f,51,06,..

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{DCFFFE81-3661-3E72-ADA5-C78B6BF5FC09}]
"abmfjohldhiekidoeojbnnpkefaabbckgk"=hex:61,61,00,00
"bbmfjohldhiekidoeoccebbgmhmplaboomml"=hex:61,61,00,00

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0


Remaining Services :




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\iolo\\System Mechanic Professional 7\\Personal Firewall\\ioloFW.exe"="C:\\Program Files\\iolo\\System Mechanic Professional 7\\Personal Firewall\\ioloFW.exe:*:Enabled:iolo Firewallr"
"C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\ioloAV.exe"="C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\ioloAV.exe:*:Enabled:iolo AntiVirusr"
"C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\iAVEmailScanner.exe"="C:\\Program Files\\iolo\\System Mechanic Professional 7\\AntiVirus\\iAVEmailScanner.exe:*:Enabled:iolo AntiVirusr Email Protection"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Loader"
"C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe"="C:\\Program Files\\EA GAMES\\Battlefield 2\\BF2.exe:*:Enabled:Battlefield 2"
"C:\\Program Files\\Ubisoft\\Eagle Dynamics\\Lock On\\LOCKON.EXE"="C:\\Program Files\\Ubisoft\\Eagle Dynamics\\Lock On\\LOCKON.EXE:*:Enabled:LOCK ON"
"C:\\Program Files\\AIM6\\aim6.exe"="C:\\Program Files\\AIM6\\aim6.exe:*:Enabled:AIM"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\WINDOWS\\system32\\PnkBstrA.exe"="C:\\WINDOWS\\system32\\PnkBstrA.exe:*:Enabled:PnkBstrA"
"C:\\WINDOWS\\system32\\PnkBstrB.exe"="C:\\WINDOWS\\system32\\PnkBstrB.exe:*:Enabled:PnkBstrB"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\iw3mp.exe"="C:\\Program Files\\iw3mp.exe:*:Enabled:Call of Duty® 4 - Modern Warfare™ "
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes :

Mon 28 Jan 2008 1,404,240 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SDUpdate.exe"
Mon 28 Jan 2008 5,146,448 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"
Mon 28 Jan 2008 2,097,488 A.SHR --- "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
Sat 26 Jan 2008 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Wed 14 Nov 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"
Wed 7 May 2008 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\fd0264849c01086f3c6b505dc02dbd44\BIT3.tmp"

Finished!
Rorschach112
post Jun 30 2008, 12:07 PM
Post #8


SuperMember
*****

Group: Visiting Teacher
Posts: 1,652
Joined: 29-September 07
Member No.: 73,164
Operating System: Windows XP



OK, if you installed the Recovery Console, just reboot and then go and run ComboFix.