
[Resolved] TROJAN DROPPER help!


  • This topic is locked
16 replies to this topic

#1 bernie83

bernie83

    New Member

  • New Member
  • Pip
  • 8 posts

Posted 12 April 2008 - 07:35 AM

Hi, my computer became infected with a Trojan Dropper, the precise name of which I can't remember, just over a week ago. Since this initial trojan, which I tried to remove with a range of programs, such as AVG, Zone Alarm, Windows Defender and A squared, the trojan seems to have multiplied or mutated or something, into new problems. Windows Defender and Zone Alarm have recently been finding 'Packed.Win32.monder', 'Adaware Virtumonde', 'Trojan.Win32.killAV.rf', 'Trojan.win32.conhook.d' and possibly a couple more. (I am typing some of these from memory so I may have got some dots in the wrong places).

When I boot the computer I get an error message which reads:

ERROR LOADING: C:\WINDOWS\system32\ogcrppaq.dll

and another which reads:

ERROR LOADING: C:\WINDOWS\system32\abxdwjrm.dll

I have taken all the preliminary steps (running the cleaner and spybot) and here is my first 'Hijack This' log.

Hope this is enough info, Thanks.

PS, should I copy and paste future logs, or save as attachment?


Logfile of HijackThis v1.99.1
Scan saved at 14:19:55, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - C:\WINDOWS\system32\ssqOGXOe.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {772E44A8-9FA8-487C-BDB3-757AB75A10DA} - C:\WINDOWS\system32\opnkhfDT.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CB4FFF74-07E0-415B-AD73-25EDAE95C85B} - C:\WINDOWS\system32\xxyyxusq.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM8b10d1cb] Rundll32.exe "C:\WINDOWS\system32\ogcrppaq.dll",s
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [8823e257] rundll32.exe "C:\WINDOWS\system32\abxdwjrm.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1196432714629
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O20 - Winlogon Notify: ssqOGXOe - ssqOGXOe.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe



#2 Scotty

Scotty

    Always Happy

  • Authentic Member
  • PipPipPipPipPip
  • 3,634 posts

Posted 12 April 2008 - 07:38 AM

Hi

First of all, could you uninstall your copy of HijackThis and follow these instructions to install the newer version.

Install HijackThis

  • Download HJTInstall.exe to your Desktop.
  • Double-click HJTInstall.exe to install it.
  • By default it will install to C:\Program Files\Trend Micro\HijackThis .
  • Click on Install.
  • It will create a HijackThis icon on the desktop.
  • Once installed, it will launch Hijackthis.
  • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  • Copy/Paste the log to your next reply please.
Don't use the Analyse This button, its findings are dangerous if misinterpreted.
Don't have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.


Please make an uninstall list using HijackThis
To access the Uninstall Manager you would do the following:

1. Start HijackThis
2. Click on the Config button
3. Click on the Misc Tools button
4. Click on the Open Uninstall Manager button.
5. Click on the Save list... button and specify where you would like to save this file. When you press the Save button, a notepad will open with the contents of that file. Simply copy and paste the contents of that notepad here in a reply.
You too could train to help others - Join the Classroom


#3 bernie83


Posted 12 April 2008 - 07:50 AM

Hi, cheers for getting back so quickly...

Here's the new HijackThis log, and the uninstall manager log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:45:56, on 12/04/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: (no name) - {060BB0AB-4B09-4C51-9ECB-9580A6D08D7F} - C:\WINDOWS\system32\ssqOGXOe.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {772E44A8-9FA8-487C-BDB3-757AB75A10DA} - C:\WINDOWS\system32\opnkhfDT.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CB4FFF74-07E0-415B-AD73-25EDAE95C85B} - C:\WINDOWS\system32\xxyyxusq.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM8b10d1cb] Rundll32.exe "C:\WINDOWS\system32\ogcrppaq.dll",s
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [8823e257] rundll32.exe "C:\WINDOWS\system32\abxdwjrm.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1196432714629
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O20 - Winlogon Notify: ssqOGXOe - ssqOGXOe.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7897 bytes



ABBYY FineReader 4.0 Sprint
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Adobe Flash Player ActiveX
Apple Mobile Device Support
Apple Software Update
BitComet 0.97
CloneDVD2
Creative Removable Disk Manager
Creative Software AutoUpdate
Creative System Information
Creative ZEN V Series (R2)
Crush'Em 2.0
dBpoweramp Aiff Codec
Diamond 1200Plus v1.0
DVD Decrypter (Remove Only)
DVD-CLONER V5.10 Build 966
Free Audio Converter 3.4.0.2
Google Earth
Google Toolbar for Internet Explorer
Google Toolbar for Internet Explorer
HijackThis 2.0.2
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB896344)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
iTunes
Java™ 6 Update 2
Java™ 6 Update 3
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft User-Mode Driver Framework Feature Pack 1.0
Nero OEM
NVIDIA Drivers
NvMixer
OpenOffice.org 2.3
PowerDVD
Puzzl'Em 1.0 Beta2
QuickTime
Realtek AC'97 Audio
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB939653)
Security Update for Windows Internet Explorer 7 (KB942615)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938127)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB939653)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Serif PhotoPlus 6.0
Spybot - Search & Destroy
Switch
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB925876)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
VideoLAN VLC media player 0.8.6d
WavePad Uninstall
Windows Backup Utility
Windows Defender
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Format SDK Hotfix - KB891122
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
Worms World Party
Zipeg
ZoneAlarm Security Suite

#4 Scotty


Posted 12 April 2008 - 08:12 AM

Hi

Disable Windows Defender until the computer is clean

Windows Defender normally provides real-time protection from spyware; however, it may interfere with what we need to do. We will disable it until the machine is clean, when it can be re-enabled.

- Open Windows Defender
- Select Tools and then General Settings
- Under Real Time Protection Options uncheck Turn on real-time protection
- Select Save
Don't forget to re-enable it, when your computer is clean.



If you already have Combofix, please delete that copy and download it again as it's being updated regularly.

There is a tutorial on the basic use of Combofix here:
http://www.bleepingc...to-use-combofix


Please download Combofix from Bleeping Computer.

If you can't download it from there, please try these 2 alternative sites:

Forospyware
Geeks to Go

  • Save it to your Desktop.
  • Disconnect from the Internet, then disable your anti-virus and any real-time anti-spyware monitors that are running.
  • Click Start>Run copy/paste or type "%userprofile%\desktop\combofix.exe" /killall into the Run box and click OK.
  • When finished, it shall produce a log for you. Post that log in your next reply with a new HijackThis log.
1. Do not mouse-click Combofix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making I-E the default browser.
3. Combofix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.



In your next reply post:
ComboFix.txt
New HijackThis log taken after the above scan has run


#5 bernie83


Posted 12 April 2008 - 11:32 AM

Hi, here are the two new logs.

I disabled Zone Alarm, and left my computer, which then logged me out as a user. When I logged back in I think Zone Alarm must have come on automatically again, because towards the end, as it was running the final couple of sections, some Zone Alarm warnings began to come up. Will this have adversely affected the reading? If so I'll do another one, but here it is anyway.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:24, on 2008-04-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {772E44A8-9FA8-487C-BDB3-757AB75A10DA} - C:\WINDOWS\system32\opnkhfDT.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CB4FFF74-07E0-415B-AD73-25EDAE95C85B} - C:\WINDOWS\system32\xxyyxusq.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [BM8b10d1cb] Rundll32.exe "C:\WINDOWS\system32\ogcrppaq.dll",s
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [8823e257] rundll32.exe "C:\WINDOWS\system32\abxdwjrm.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1196432714629
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O20 - Winlogon Notify: ssqOGXOe - ssqOGXOe.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7635 bytes




ComboFix 08-04-11.8 - Bernie 2008-04-12 18:04:05.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.232 [GMT 1:00]
Running from: C:\Documents and Settings\Bernie\desktop\combofix.exe
Command switches used :: /killall

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM8b10d1cb.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\mrjwdxba.ini
C:\WINDOWS\system32\qsuxyyxx.ini
C:\WINDOWS\system32\qsuxyyxx.ini2
C:\WINDOWS\system32\TDfhknpo.ini
C:\WINDOWS\system32\TDfhknpo.ini2
C:\WINDOWS\system32\wyFgiRqr.ini
C:\WINDOWS\system32\wyFgiRqr.ini2

.
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-12 14:45 . 2008-04-12 14:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-10 23:36 . 2008-04-10 23:37 153 --a------ C:\WINDOWS\wininit.ini
2008-04-10 23:26 . 2008-04-10 23:26 30,760 --a------ C:\WINDOWS\system32\ugyodoma.exe
2008-04-10 22:56 . 2008-04-10 22:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-10 22:56 . 2008-04-12 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-07 19:56 . 2008-04-07 19:56 30,760 --a------ C:\WINDOWS\system32\gybymtoh.exe
2008-04-05 23:59 . 2008-04-05 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-03 12:57 . 2008-04-03 12:57 <DIR> d-------- C:\Documents and Settings\Jonny\Application Data\MailFrontier
2008-04-01 22:37 . 2008-04-01 22:37 <DIR> d-------- C:\Documents and Settings\Bernie\Application Data\MailFrontier
2008-04-01 18:47 . 2008-04-01 18:47 <DIR> d-------- C:\Documents and Settings\Owen\Application Data\MailFrontier
2008-04-01 13:42 . 2008-04-12 17:58 959 --a------ C:\rollback.ini
2008-04-01 12:44 . 2008-04-03 19:08 512 --a------ C:\ScanSectorLog.dat
2008-04-01 12:33 . 2008-04-12 18:19 1,677,344 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-01 12:33 . 2008-04-12 18:05 24,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-01 12:27 . 2008-04-01 12:27 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-01 12:26 . 2008-04-12 18:00 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-03-29 17:18 . 2008-04-01 12:21 <DIR> d-------- C:\Program Files\a-squared Free
2008-03-29 16:39 . 2008-03-29 16:39 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-03-27 22:36 . 2008-03-27 22:36 <DIR> d-------- C:\WINDOWS\Sun
2008-03-24 13:04 . 2008-03-24 13:04 <DIR> d-------- C:\Documents and Settings\Owen\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 17:20 --------- d-----w C:\Documents and Settings\Bernie\Application Data\OpenOffice.org2
2008-04-11 15:12 --------- d-----w C:\Documents and Settings\Jonny\Application Data\OpenOffice.org2
2008-04-03 18:30 --------- d-----w C:\Program Files\BitComet
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\sarah\Application Data\AVG7
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\Owen\Application Data\AVG7
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\Jonny\Application Data\AVG7
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\Felicity\Application Data\AVG7
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\Bernie\Application Data\AVG7
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-27 22:11 --------- d-----w C:\Documents and Settings\Bernie\Application Data\com.zipeg
2008-03-27 15:20 --------- d-----w C:\Documents and Settings\Bernie\Application Data\Apple Computer
2008-03-13 22:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-02-13 19:38 --------- d-----w C:\Program Files\SoftwarePile.com
2008-02-13 19:33 --------- d-----w C:\Documents and Settings\Bernie\Application Data\NCH Swift Sound
2008-02-13 13:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{772E44A8-9FA8-487C-BDB3-757AB75A10DA}]
C:\WINDOWS\system32\opnkhfDT.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB4FFF74-07E0-415B-AD73-25EDAE95C85B}]
C:\WINDOWS\system32\xxyyxusq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-08 17:56 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 21:51 131072]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"CARPService"="carpserv.exe" [2003-05-21 16:35 4608 C:\WINDOWS\system32\carpserv.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 17:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"BM8b10d1cb"="C:\WINDOWS\system32\ogcrppaq.dll" [ ]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]
"8823e257"="C:\WINDOWS\system32\abxdwjrm.dll" [ ]

C:\Documents and Settings\Jonny\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 23:57:56 393216]

C:\Documents and Settings\Bernie\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 23:57:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqOGXOe]
ssqOGXOe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Team17\\Worms World Party\\wwp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23134:TCP"= 23134:TCP:BitComet 23134 TCP
"23134:UDP"= 23134:UDP:BitComet 23134 UDP

S3 WLAN(WLAN);802.11g USB 2.0 WLAN Dongle(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2004-08-10 06:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d33f3641-9f44-11dc-8b58-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 17:29:59 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-12 17:09:38 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 18:20:08
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-12 18:22:10 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-12 17:21:59
Pre-Run: 109,575,049,216 bytes free
Post-Run: 109,516,812,288 bytes free
.
2008-04-06 15:57:03 --- E O F ---

CHEERS

#6 Scotty

Posted 12 April 2008 - 11:58 AM

Hi

After Combofix reboots, by the time Windows has begun, all the work is done and it prepares a report after that. So don't worry about that.

We now suggest that you install the Windows Recovery Console. The Windows recovery console will allow you to boot up into a special recovery mode that allows us to help you in the case that your computer has a problem after an attempted removal of malware.

Go to Microsoft's website => http://support.microsoft.com/kb/310994
Select the download that's appropriate for your Operating System, which in your case is SP2

XP Media Centre is based upon XP Professional

Download the file & save it as it's originally named, next to ComboFix.exe.

Now close all open windows and programs, then drag the setup package onto ComboFix.exe and drop it. Follow the prompts to start ComboFix and when prompted, agree to the End-User License Agreement to install the Microsoft Recovery Console. When complete, a log named CF_RC.txt will open. Please post the contents of that log.

Please do not reboot your machine until we have reviewed the log.
You too could train to help others- Join the Classroom

#7 bernie83

Posted 12 April 2008 - 12:05 PM

hi, here it is...

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe

[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

#8 Scotty

Posted 12 April 2008 - 12:21 PM

Hi

Remember to disconnect from the Internet before carrying out the next instruction, and to save the following script before you do.


Open Notepad - it must be Notepad, not Wordpad.
Copy the text below in the code box by highlighting all the text with your mouse and pressing Ctrl+C

KillAll::
 
File::
C:\WINDOWS\system32\ugyodoma.exe
C:\WINDOWS\system32\gybymtoh.exe

Folder::
C:\Program Files\Enigma Software Group

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{772E44A8-9FA8-487C-BDB3-757AB75A10DA}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CB4FFF74-07E0-415B-AD73-25EDAE95C85B}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM8b10d1cb"=-
"8823e257"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqOGXOe]

Go to the Notepad window and click Edit > Paste
Then click File > Save
Name the file "CFScript.txt" (including the quotes)
Save the file to your Desktop

Posted Image


Referring to the picture above, drag CFScript into ComboFix.exe


Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
  • The program will launch and then start to download the latest definition files.
  • Once the scanner is installed and the definitions downloaded, click Next.
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:

      + Extended (if available, otherwise Standard)
    • Scan Options:

      + Scan Archives
      + Scan Mail Bases
  • Click OK
  • Now under select a target to scan select My Computer
  • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
  • Now click on the Save as Text button
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

With the exception of Internet Explorer, which is needed for the Kaspersky Scan, keep ALL programs closed until the scan is complete. This includes your anti-virus. Once you have installed the Scanner, and the updated definitions, you can disconnect from the Internet. Re-enable the anti-virus before reconnecting to the Internet.


In your next reply post:
ComboFix.txt
Kaspersky report
New HijackThis log taken after the above scan has run

Edited by Scotty, 12 April 2008 - 12:22 PM.

#9 bernie83

Posted 12 April 2008 - 03:35 PM

ok, here are the three reports.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:31, on 2008-04-12
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1196432714629
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7406 bytes


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, April 12, 2008 10:29:25 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 12/04/2008
Kaspersky Anti-Virus database records: 700383
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\
H:\
I:\
J:\

Scan Statistics:
Total number of scanned objects: 75773
Number of viruses found: 0
Number of infected objects: 0
Number of suspicious objects: 0
Duration of the scan process: 00:51:57

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\David\Application Data\Microsoft\Office\Recent\Templates.LNK Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Office\Recent\Toallgpstoolkit[1].LNK Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Office\Recent\word files on www.pdptoolkit.co.uk.url Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Office\Word11.pip Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Office\Wordma11.pip Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Outlook\Outlook.NK2 Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Outlook\Outlook.xml Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Proof\CUSTOM.DIC Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Protect\S-1-5-21-1078081533-1715567821-725345543-1005\5d40e5d2-1c82-4391-9eea-e43f9be729e5 Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Protect\S-1-5-21-1078081533-1715567821-725345543-1005\e12177d5-0361-404c-a838-5ab08f3d8c5e Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Protect\S-1-5-21-1078081533-1715567821-725345543-1005\Preferred Object is locked skipped
C:\Documents and Settings\David\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped
C:\Documents and Settings\David\Cookies\david@forums.whatthetech[2].txt Object is locked skipped
C:\Documents and Settings\David\Cookies\david@google.co[1].txt Object is locked skipped
C:\Documents and Settings\David\Cookies\david@google[1].txt Object is locked skipped
C:\Documents and Settings\David\Cookies\david@intellitxt[1].txt Object is locked skipped
C:\Documents and Settings\David\Cookies\david@on10[1].txt Object is locked skipped
C:\Documents and Settings\David\Cookies\david@quantserve[2].txt Object is locked skipped
C:\Documents and Settings\David\Cookies\david@r.sharethis[1].txt Object is locked skipped
C:\Documents and Settings\David\Cookies\david@whatthetech[1].txt Object is locked skipped
C:\Documents and Settings\David\Cookies\david@www.whatthetech[1].txt Object is locked skipped
C:\Documents and Settings\David\Cookies\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\David\Desktop\ATF-Cleaner.exe Object is locked skipped
C:\Documents and Settings\David\Desktop\E-mail.lnk Object is locked skipped
C:\Documents and Settings\David\Desktop\Internet.lnk Object is locked skipped
C:\Documents and Settings\David\Desktop\iTunes.lnk Object is locked skipped
C:\Documents and Settings\David\Desktop\Microsoft Office Word 2003 (2).lnk Object is locked skipped
C:\Documents and Settings\David\Desktop\Sign-in.url Object is locked skipped
C:\Documents and Settings\David\Desktop\spybotsd152.exe Object is locked skipped
C:\Documents and Settings\David\Desktop\Unused Desktop Shortcuts\QuickTime Player.lnk Object is locked skipped
C:\Documents and Settings\David\Desktop\Unused Desktop Shortcuts\Switch.lnk Object is locked skipped
C:\Documents and Settings\David\Desktop\Unused Desktop Shortcuts\WavePad.lnk Object is locked skipped
C:\Documents and Settings\David\Favorites\Barclays Online Banking - Welcome to Barclays Online Banking.url Object is locked skipped
C:\Documents and Settings\David\Favorites\Desktop.ini Object is locked skipped
C:\Documents and Settings\David\Favorites\Links\Customize Links.url Object is locked skipped
C:\Documents and Settings\David\Favorites\Links\Free Hotmail.url Object is locked skipped
C:\Documents and Settings\David\Favorites\Links\Windows Marketplace.url Object is locked skipped
C:\Documents and Settings\David\Favorites\Links\Windows Media.url Object is locked skipped
C:\Documents and Settings\David\Favorites\Links\Windows.url Object is locked skipped
C:\Documents and Settings\David\Favorites\Microsoft Websites\IE Add-on site.url Object is locked skipped
C:\Documents and Settings\David\Favorites\Microsoft Websites\IE site on Microsoft.com.url Object is locked skipped
C:\Documents and Settings\David\Favorites\Microsoft Websites\Marketplace.url Object is locked skipped
C:\Documents and Settings\David\Favorites\Microsoft Websites\Microsoft At Home.url Object is locked skipped
C:\Documents and Settings\David\Favorites\Microsoft Websites\Microsoft At Work.url Object is locked skipped
C:\Documents and Settings\David\Favorites\Microsoft Websites\Welcome to IE7.url Object is locked skipped
C:\Documents and Settings\David\Favorites\MSN.com.url Object is locked skipped
C:\Documents and Settings\David\Favorites\Radio Station Guide.url Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Apple Computer\iTunes\iPodDevices.xml Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Apple Computer\iTunes\iTunesPrefs.xml Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Apple Computer\QuickTime\QuickTime.qtp Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\GDIPFONTCACHEV1.DAT Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\IconCache.db Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Identities\{FFF9E8E6-E108-49FB-A4C6-4A2909DB58AE}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Identities\{FFF9E8E6-E108-49FB-A4C6-4A2909DB58AE}\Microsoft\Outlook Express\Inbox.dbx Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Identities\{FFF9E8E6-E108-49FB-A4C6-4A2909DB58AE}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Home~.feed-ms Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds\Microsoft Feeds~\Microsoft at Work~.feed-ms Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds Cache\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds Cache\TV6GV206\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds Cache\TV6GV206\fwlink[1] Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds Cache\UCX746MO\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds Cache\YHF47RU3\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds Cache\YSR4Q6H9\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Feeds Cache\YSR4Q6H9\fwlink[1] Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\FORMS\FRMCACHE.DAT Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.bak Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Internet Explorer\brndlog.txt Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Internet Explorer\MSIMGSIZ.DAT Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\OFFICE\ONetConfig\aeb906651e5c53d1cc2d0f94b2050e09.sig Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\OFFICE\ONetConfig\aeb906651e5c53d1cc2d0f94b2050e09.xml Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Outlook\archive.pst Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Outlook\Outlook.pst Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{05533775-5599-4DC5-A2B9-B3A06233C60F} Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows Defender\FileTracker\{E0796D53-41D6-4B5E-A46B-A273AA8A425F} Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNS.DTD Object is locked skipped
C:\Documents and Settings\David\Local Settings\Application Data\Microsoft\Windows Media\11.0\WMSDKNS.XML Object is locked skipped
C:\Documents and Settings\David\Local Settings\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Local Settings\History\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Local Settings\History\History.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\History\History.IE5\MSHist012008041220080413\index.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\ads[1].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\al[1].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\av-6547[1].jpg Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\bt_what_off[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\CategIco[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\closelabel[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\close[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\css_28[1].css Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\css_img_quote[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\door[1].jsp Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\door[2].jsp Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\f_closed[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\f_hot[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\f_moved[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\gender_mystery[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\getcss[1].css Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\hijackthis_startuplist_log[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\iframe[1].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\ipb_forum[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\ipb_topic[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\ips_menu[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\ips_xmlhttprequest[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\logostrip_right[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\logo[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\magnolia[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\micro[1].jpg Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\newpost[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\newsvine[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\photo-thumb-6547[1].jpg Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\playerOverlay[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\p_up[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\rating_5_mini[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\ScriptResource[1].axd Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\ScriptResource[2].axd Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\ScriptResource[3].axd Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\search[1].xml Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\search[2].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\search[2].xml Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\search[3].xml Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\send_pm_small[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\share-icon-16x16[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\share-this[1].css Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\share-this[2].php Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\sma3[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\spacer[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\stumbleupon[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\style[1].css Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\tb_r[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\t_reply[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\utm[1].ashx Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\WebResource[1].axd Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\9LWRS6M4\whatthetech_com[1].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\ads[1].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\ads[2].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\al[1].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\ask[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\attachicon[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\background[1].jpg Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\bt_close_off[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\CF_Cleanup[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\Default[1].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\delicious[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\exp_minus[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\exp_plus[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\ExtraIco[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\favicon[1].ico Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\find_posts[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\func_200804021758[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\furl[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\f_hot_no[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\gender_male[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\HJT_Start[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\ipb_global_xmlenhanced[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\ips_ipsclass[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\ips_menu_html[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\ips_text_editor_lite[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\logo_va[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\look[1].jsp Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\menu_action_down[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\nav[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\pip[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\PostComLeft[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\pp-blank-thumb[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\prototype[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\p_mq_add[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\rating_0_mini[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\save_hijackthis[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\scriptaculous[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\ScriptResource[1].axd Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\ScriptResource[2].axd Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\ScriptResource[3].axd Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\search[1].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\search[1].xml Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\search[2].xml Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\search[3].xml Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\SRBkg[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\stats[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\TC-Staff[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\tile_back[1].jpg Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\topbuttons[1].xml Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\t_new[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\urchin[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\user[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\WebPromptDirect-B[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\SOWKJRUT\WebPromptDirect[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\abg-en-100c-000000[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\ads[1].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\ads[2].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\al[1].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\al[2].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\al[3].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\al[4].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\av-12002[1].jpg Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\av-15276[1].jpg Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\bf_new[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\blank[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\bt_lm[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\bt_lm[2].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\css_pp_header[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\desktop.ini Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\dom-drag[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\effects[1].js Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\facebook[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\favicon[1].ico Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\f_norm[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\f_poll[1].gif Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\gender_female[1].png Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\google_co_uk[1].htm Object is locked skipped
C:\Documents and Settings\David\Local Settings\Temporary Internet Files\Content.IE5\X6UYJP8M\hijackthis_startuplist[1].png Object is locked skipped

Scan process completed.


ComboFix 08-04-11.8 - Bernie 2008-04-12 19:41:36.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.190 [GMT 1:00]
Running from: C:\Documents and Settings\Bernie\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Bernie\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\WINDOWS\system32\gybymtoh.exe
C:\WINDOWS\system32\ugyodoma.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\Enigma Software Group
C:\Program Files\Enigma Software Group\SpyHunter\AXList.txt
C:\Program Files\Enigma Software Group\SpyHunter\key.dat
C:\Program Files\Enigma Software Group\SpyHunter\scan.log
C:\Program Files\Enigma Software Group\SpyHunter\spyhunter.log
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunterInstance.lock
C:\Program Files\Enigma Software Group\SpyHunter\support.log
C:\WINDOWS\system32\gybymtoh.exe
C:\WINDOWS\system32\ugyodoma.exe

.
((((((((((((((((((((((((( Files Created from 2008-03-12 to 2008-04-12 )))))))))))))))))))))))))))))))
.

2008-04-12 14:45 . 2008-04-12 14:45 <DIR> d-------- C:\Program Files\Trend Micro
2008-04-10 23:36 . 2008-04-10 23:37 153 --a------ C:\WINDOWS\wininit.ini
2008-04-10 22:56 . 2008-04-10 22:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-10 22:56 . 2008-04-12 13:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-05 23:59 . 2008-04-05 23:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2008-04-03 12:57 . 2008-04-03 12:57 <DIR> d-------- C:\Documents and Settings\Jonny\Application Data\MailFrontier
2008-04-01 22:37 . 2008-04-12 18:58 <DIR> d-------- C:\Documents and Settings\Bernie\Application Data\MailFrontier
2008-04-01 18:47 . 2008-04-01 18:47 <DIR> d-------- C:\Documents and Settings\Owen\Application Data\MailFrontier
2008-04-01 13:42 . 2008-04-12 17:58 959 --a------ C:\rollback.ini
2008-04-01 12:44 . 2008-04-03 19:08 512 --a------ C:\ScanSectorLog.dat
2008-04-01 12:33 . 2008-04-12 19:44 1,775,904 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2008-04-01 12:33 . 2008-04-12 19:42 25,856 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2008-04-01 12:27 . 2008-04-01 12:27 <DIR> d-------- C:\Program Files\Zone Labs
2008-04-01 12:26 . 2008-04-12 18:00 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-03-29 17:18 . 2008-04-01 12:21 <DIR> d-------- C:\Program Files\a-squared Free
2008-03-27 22:36 . 2008-03-27 22:36 <DIR> d-------- C:\WINDOWS\Sun
2008-03-24 13:04 . 2008-03-24 13:04 <DIR> d-------- C:\Documents and Settings\Owen\Application Data\vlc

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-12 18:44 --------- d-----w C:\Documents and Settings\Bernie\Application Data\OpenOffice.org2
2008-04-11 15:12 --------- d-----w C:\Documents and Settings\Jonny\Application Data\OpenOffice.org2
2008-04-03 18:30 --------- d-----w C:\Program Files\BitComet
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\sarah\Application Data\AVG7
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\Owen\Application Data\AVG7
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\Jonny\Application Data\AVG7
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\Felicity\Application Data\AVG7
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\Bernie\Application Data\AVG7
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\Grisoft
2008-04-01 11:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\avg7
2008-03-27 22:11 --------- d-----w C:\Documents and Settings\Bernie\Application Data\com.zipeg
2008-03-27 15:20 --------- d-----w C:\Documents and Settings\Bernie\Application Data\Apple Computer
2008-03-13 22:11 75,248 ----a-w C:\WINDOWS\zllsputility.exe
2008-02-13 19:38 --------- d-----w C:\Program Files\SoftwarePile.com
2008-02-13 19:33 --------- d-----w C:\Documents and Settings\Bernie\Application Data\NCH Swift Sound
2008-02-13 13:23 --------- d--h--w C:\Program Files\InstallShield Installation Information
.

((((((((((((((((((((((((((((( snapshot@2008-04-12_18.21.22.04 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-04-12 17:06:51 76,424 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
+ 2008-04-12 18:44:01 77,208 ----a-w C:\WINDOWS\system32\ZoneLabs\avsys\bases\sfdb.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 01:56 15360]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-08 17:56 171448]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-06-03 21:51 131072]
"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 01:56 110592 C:\WINDOWS\system32\bthprops.cpl]
"CARPService"="carpserv.exe" [2003-05-21 16:35 4608 C:\WINDOWS\system32\carpserv.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 18:14 8491008]
"nwiz"="nwiz.exe" [2007-10-04 18:14 1626112 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-10-04 18:14 81920]
"SoundMan"="SOUNDMAN.EXE" [2004-02-26 17:53 65024 C:\WINDOWS\SOUNDMAN.EXE]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 20:20 866584]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 02:11 132496]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 12:50 155648]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2008-01-10 16:27 385024]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 04:22 267048]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2008-03-13 23:11 919016]

C:\Documents and Settings\Jonny\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 23:57:56 393216]

C:\Documents and Settings\Bernie\Start Menu\Programs\Startup\
OpenOffice.org 2.3.lnk - C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe [2007-08-17 23:57:56 393216]

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\BitComet\\BitComet.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Team17\\Worms World Party\\wwp.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"23134:TCP"= 23134:TCP:BitComet 23134 TCP
"23134:UDP"= 23134:UDP:BitComet 23134 UDP

S3 WLAN(WLAN);802.11g USB 2.0 WLAN Dongle(WLAN);C:\WINDOWS\system32\DRIVERS\zd1211u.sys [2004-08-10 06:31]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d33f3641-9f44-11dc-8b58-806d6172696f}]
\Shell\AutoRun\command - D:\autorun.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-30 17:29:59 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2008-04-12 18:00:10 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
.
**************************************************************************

catchme 0.3.1351 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-04-12 19:45:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\avsys\ScanningProcess.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTSVCCDA.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.bin
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-04-12 19:47:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-04-12 18:46:50
ComboFix2.txt 2008-04-12 17:22:11
Pre-Run: 109,388,558,336 bytes free
Post-Run: 109,372,334,080 bytes free
.
2008-04-06 15:57:03 --- E O F ---


CHEERS

#10 Scotty

Posted 12 April 2008 - 03:41 PM

Hi

Just one more thing to do.

Please download Malwarebytes' Anti-Malware to your desktop.

  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.


#11 bernie83

Posted 12 April 2008 - 05:16 PM

Hi, here's the log...

One thing though, the link that you provided me with appears to be a bad one. When I tried downloading from that link, it is a false download, and Zone Alarm popped up with a message of a virus called: not-a-virus:Downloader.Win32.winfixer.fx

I actually tried this link twice because I couldn't work out what was going on with it. I hope this hasn't ruined everything done so far...

Malwarebytes' Anti-Malware 1.11
Database version: 619

Scan type: Full Scan (C:\|H:\|)
Objects scanned: 114314
Time elapsed: 46 minute(s), 24 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 1
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

THANK YOU

#12 Scotty

Posted 12 April 2008 - 05:58 PM

Hello

It's a false positive. I'd never send you to a bad link. ;)

Okay, just post one more HijackThis log and we'll start cleaning up. I'll try and stay awake a bit longer so we can finish up tonight.

#13 bernie83

Posted 12 April 2008 - 06:20 PM

alright, here she be...

don't worry if you can't be bothered tonight. so grateful for your help anyway, and i'm sure it can wait til tomorrow.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 01:19, on 2008-04-13
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\CTsvcCDA.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\carpserv.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.exe
C:\Program Files\OpenOffice.org 2.3\program\soffice.BIN
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://windowsupdate.microsoft.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [NvMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Startup: OpenOffice.org 2.3.lnk = C:\Program Files\OpenOffice.org 2.3\program\quickstart.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.mi...b?1196432714629
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative....15033/CTPID.cab
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 7495 bytes
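
The HijackThis layout in the log above can be triaged mechanically. The following is an added example, not part of the original posts: it groups a few lines taken from that log by section code, lists entries worth a manual look, and collects the JRE builds the log still references. The function names and the two review rules are assumptions chosen for illustration; a hint is a prompt to check the entry, not a verdict.

```python
import re
from collections import defaultdict

# Sample input: a handful of lines taken from the log above, trimmed for the example.
SAMPLE_LOG = r"""Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\svchost.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [CARPService] carpserv.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O9 - Extra button: BitComet - {D18A0B52-D63C-4ed0-AFC6-C1E3DC1AF43A} - res://C:\Program Files\BitComet\tools\BitCometBHO_1.1.11.30.dll/206 (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Section codes HijackThis puts in front of each finding: R0-R3, F0-F3, N1-N4, O1-O24.
ENTRY = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")
# O4 registry autoruns look like: HKLM\..\Run: [ValueName] command line
RUN_KEY = re.compile(r"^HK\w+\\\.\.\\\w+: \[[^\]]*\] (.+)$")

def parse_log(text):
    """Group findings by section code; the header and process list are skipped."""
    sections = defaultdict(list)
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            sections[m.group(1)].append(m.group(2))
    return dict(sections)

def review_hints(sections):
    """Return (code, entry, reason) tuples worth a manual look (illustrative rules)."""
    hints = []
    for code, entries in sections.items():
        for entry in entries:
            if entry.endswith("(file missing)"):
                hints.append((code, entry, "registered target is no longer on disk"))
            m = RUN_KEY.match(entry) if code == "O4" else None
            if m and not re.match(r'"?[A-Za-z]:\\', m.group(1)):
                hints.append((code, entry, "autorun command has no full path"))
    return hints

def jre_builds(sections):
    """JRE builds still referenced anywhere in the findings, e.g. '1.6.0_03'."""
    joined = "\n".join(e for entries in sections.values() for e in entries)
    return sorted(set(re.findall(r"\\jre(\d+\.\d+\.\d+_\d+)\\", joined)))

if __name__ == "__main__":
    print(review_hints(parse_log(SAMPLE_LOG)), jre_builds(parse_log(SAMPLE_LOG)))
```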

#14 Scotty

Posted 13 April 2008 - 04:55 AM

Hi

My tiredness won.

Congratulations, you appear to be malware free. :woot:


Time for some housekeeping
  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the x and the /u, it needs to be there.


You may wish to keep hold of the Kaspersky Online Scan as an extra on-demand virus-scanner.
If not you can uninstall it through Start>Control Panel>Add/Remove Programs



Delete the older versions of Java and download the newest.
Please follow these steps to remove older version Java components.
  • Close any programmes you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.
Then download the latest version of Java Runtime Environment (JRE) (4th one down the list), which is JRE6u5, and click Yes at the page warning. Under "Platform" select Windows, then check the box to accept the Licence Agreement. Click Yes at the second page warning before downloading the Offline file.


Malwarebytes Anti-Malware is a good program to keep. If you wish to keep it, use it to do a quick scan once a week and keep it updated.
Remember, only the paid-for version offers real-time protection.

Here is another free program I recommend.

Install WinPatrol
Download it from here
You can find information about how WinPatrol works here


Make sure your Windows is ALWAYS up to date!

An unpatched Windows is vulnerable and even with the "best" Antivirus and Firewall installed, malware will find its way through.
So visit http://windowsupdate.microsoft.com/ to download and install the latest updates.


Update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?"

Here is some great information from experts in this field that will help you stay clean and safe online.
http://forum.malware...wtopic.php?t=14

Follow this list and your potential for being infected again will reduce dramatically.

I'd be grateful if you could reply to this post so that I know you have read it and, if you've no other questions, the thread can be closed.

#15 bernie83

Posted 13 April 2008 - 12:02 PM

Hi, thank you so much for your help, computer seems fine now... What do you suggest I should run now in the way of security applications? I currently now have Winpatrol, Malwarebytes, and Zone Alarm, as well as Windows Defender. Will these run ok together, or should I be more selective? Thanks again.
