
Something Wrong I Think


  • This topic is locked
18 replies to this topic

#1 annabackwards

annabackwards

  • Members
  • 1,381 posts
  • OFFLINE
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:04:56 AM

Posted 17 August 2007 - 03:17 AM

I found 3 backdoor trojans on my computer today and I healed all of them. They all seemed to be from www.photoalbums.com
Then Comodo detected Microsoft IntelliPoint Pro loading some .dll in MSN Messenger and trying to use OLE automation to access the net. I denied it, and all seems okay now, but I just wanted to make sure.

I went over it myself, and I'm pretty sure O4 - HKLM\..\Run: [Microsoft Visual Application] vpcrtf.exe isn't good.
Here's the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:51:43 PM, on 17/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\a-squared Free\a2service.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\System32\msiexec.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Microsoft Visual Application] vpcrtf.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://annabackwards.spaces.live.com//Phot...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7544 bytes

Surf smarter, surf faster, surf safer, surf with Mozilla Firefox



#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:56 PM

Posted 25 August 2007 - 08:20 AM

Hello annabackwards :thumbsup:

You're right, it is not good.

Please disable SpywareGuard.
Double-click the red SG icon in your system tray.
Click Options.
Under General, uncheck all 3 options, then click "Save Settings".
Close SpywareGuard.
You can enable it once we're finished.

=====

Please run a scan with HijackThis and check the following objects for removal:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O4 - HKLM\..\Run: [Microsoft Visual Application] vpcrtf.exe


Close ALL other open windows but HijackThis and hit FIX CHECKED. Exit HijackThis.

====

Go to My Computer > Tools > Folder Options > View tab and make sure that "Show hidden files and folders" is enabled. Also make sure that the system files and folders are showing / visible: uncheck the "Hide protected operating system files" option.

Then, please navigate to and delete the following files if found:

C:\WINDOWS\vpcrtf.exe
C:\WINDOWS\img807.zip


Rehide hidden files & empty recycle bin.

====

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply. :flowers:

Hi there, stranger!
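The entry both posters single out, O4 - HKLM\..\Run: [Microsoft Visual Application] vpcrtf.exe, stands out for one mechanical reason: the command is a bare filename with no directory, so Windows resolves it by its executable search order rather than from a known install location, which is why the fix above looks for it under C:\WINDOWS. The following triage script is an added example, not part of the thread or of HijackThis; it parses the registry-backed O4 lines of a HijackThis log, flags bare-filename commands, and lists the system directories a responder should check for the file. It assumes %windir% is C:\WINDOWS, as in the posted log, and uses a constructed subset of the first log's O4 lines as input.

```python
import re

# Registry-backed HijackThis O4 lines look like:
#   O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
# Startup-folder lines (O4 - Startup: x.lnk = ...) carry no [name] and are skipped.
O4_RUN_RE = re.compile(r'^O4 - (?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<command>.+)$')

# Assumption (not read from the log): %windir% is C:\WINDOWS on the posted system.
WINDIR = r'C:\WINDOWS'


def split_command(command):
    """Split an O4 command into (executable, arguments).

    A quoted path ("C:\\Program Files\\x.exe" /flag) is taken whole; otherwise the
    first whitespace-delimited token is the executable and the rest are arguments.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        if end != -1:
            return command[1:end], command[end + 1:].strip()
        return command.strip('"'), ''
    parts = command.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else '')


def parse_o4(lines):
    """Return one dict per registry Run-key O4 line (key, value name, exe, args)."""
    entries = []
    for line in lines:
        m = O4_RUN_RE.match(line.strip())
        if not m:
            continue
        exe, args = split_command(m.group('command'))
        entries.append({'key': m.group('key'), 'name': m.group('name'),
                        'exe': exe, 'args': args})
    return entries


def is_bare_filename(exe):
    """True when the Run value names a file with no directory, e.g. 'vpcrtf.exe'."""
    return '\\' not in exe and '/' not in exe


def search_locations(exe, windir=WINDIR):
    """System directories Windows consults for a bare executable name, in the
    CreateProcess search order (the per-process application/current directory
    and the PATH variable come before/after these but are not in the log)."""
    return [windir + r'\system32' + '\\' + exe,
            windir + r'\system' + '\\' + exe,
            windir + '\\' + exe]


def triage_o4(lines):
    """Return the O4 entries worth a closer look, with the reason and the
    on-disk locations a responder should inspect for the file."""
    findings = []
    for e in parse_o4(lines):
        if is_bare_filename(e['exe']):
            findings.append({**e,
                             'reason': 'bare filename, resolved by the executable search order',
                             'check': search_locations(e['exe'])})
    return findings


# Constructed sample: a subset of the O4 lines from the first HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [Microsoft Visual Application] vpcrtf.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
""".strip().splitlines()


if __name__ == '__main__':
    for f in triage_o4(SAMPLE_LOG):
        print(f"{f['key']} [{f['name']}] {f['exe']}: {f['reason']}")
        for path in f['check']:
            print('   check', path)
```

Only the vpcrtf.exe entry is reported for this input; every other Run value carries a full path to a known product directory, and C:\WINDOWS\vpcrtf.exe (the file the reply above asks to delete) appears among the locations to check.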

#3 annabackwards

annabackwards
  • Topic Starter

  • Members
  • 1,381 posts
  • OFFLINE
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:04:56 AM

Posted 26 August 2007 - 05:44 AM

Here's an update about the happenings of my computer:
A while after being on the net, Comodo pops up with userinit.exe being the parent of explorer.exe, which is trying to access the net. I can deny these requests without any side effects (as far as I can tell).

Before this happened, explorer.exe was the parent and the application was either firefox.exe, iexplorer.exe or wmplayer.exe. I'm almost certain this isn't supposed to happen.

If it's trying to access the net via a browser, it always uses port DNS(53), so if I deny it I can't access the net :flowers:

I also cannot use MSN Live Messenger. Every time I try to open it, an error message comes up saying:
This application has failed to start because the application configuration is incorrect. Reinstalling the application may fix this problem. msn messenger

All I can do is click OK.

I've tried uninstalling it and then reinstalling it about a gazillion times, but the same thing happens.

I then tried to use system restore, but that didn't work.
It would get to the part where windows is shutting down, with the system restore point window there.
It would restore about 1/6 of the bar, stay at the same point for a while, then quickly finish.
It restarts, I log in. And then it says it couldn't restore my system :thumbsup:

Pain!!!!! I want to use Live. Also, I couldn't find those files. Is that a good thing?

Oh well, enough of me ranting, here's what DSS gave me.

Main.txt:
Deckard's System Scanner v20070819.64
Run by annA on 2007-08-26 20:28:53
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
36: 2007-08-26 10:29:18 UTC - RP157 - Deckard's System Scanner Restore Point
35: 2007-08-26 10:02:06 UTC - RP156 - Installed Windows Live Sign-in Assistant
34: 2007-08-26 10:01:15 UTC - RP155 - Installed Windows Live Messenger
33: 2007-08-26 09:57:23 UTC - RP154 - Removed Windows Live Messenger
32: 2007-08-26 09:56:59 UTC - RP153 - Removed Windows Live Sign-in Assistant


-- First Restore Point --
1: 2007-08-20 06:30:33 UTC - RP122 - Removed Windows Live Sign-in Assistant


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 447 MiB (512 MiB recommended).


-- HijackThis (run as annA.exe) ------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:32:02 PM, on 26/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\My Documents\Internet Downloads\dss.exe
C:\PROGRA~1\HJT\annA.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll (file missing)
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (disabled by BHODemon)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll (file missing)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://annabackwards.spaces.live.com//Phot...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 6949 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\HJT\backups\) -------------------------

backup-20070709-111131-163 O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
backup-20070709-111132-534 O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
backup-20070709-111132-999 O20 - Winlogon Notify: winmyy32 - C:\WINDOWS\
backup-20070709-145336-552 R3 - URLSearchHook: (no name) - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - (no file)
backup-20070711-124630-292 O20 - Winlogon Notify: xxywxuu - C:\WINDOWS\SYSTEM32\xxywxuu.dll
backup-20070714-230558-305 R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://login.live.com/ppsecure/sha1auth.srf?lc=3081
backup-20070721-203715-674 O20 - Winlogon Notify: winmyy32 - C:\WINDOWS\
backup-20070722-000323-304 O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20070722-000323-894 O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
backup-20070724-180246-388 O4 - HKLM\..\Run: [DXM6Patch_981116] C:\WINDOWS\p_981116.exe /Q:A
backup-20070804-172113-218 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20070804-172116-828 O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
backup-20070806-211417-303 O2 - BHO: Trend Micro Antifraud Toolbar - {06647158-359E-4D10-A8DE-E6145DA90BE9} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll (file missing)
backup-20070806-211417-938 O3 - Toolbar: Trend Micro Antifraud Toolbar - {871F91FD-3A92-4988-A842-16AB2CFF5AF1} - C:\PROGRA~1\TRENDM~1\INTERN~1\PccIeBar.dll (file missing)
backup-20070825-214740-980 O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
backup-20070826-132341-281 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
backup-20070826-132341-501 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
backup-20070826-132341-676 O4 - HKLM\..\Run: [Microsoft Visual Application] vpcrtf.exe
backup-20070826-132341-833 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 cdrbsdrv - c:\windows\system32\drivers\cdrbsdrv.sys <Not Verified; B.H.A Corporation; B's Recorder GOLD7>
R1 SASDIFSV - c:\program files\superantispyware\sasdifsv.sys
R1 SASKUTIL - c:\program files\superantispyware\saskutil.sys
R2 Sentinel - c:\windows\system32\drivers\sentinel.sys <Not Verified; Rainbow Technologies, Inc.; Sentinel System Driver>

S3 catchme - c:\docume~1\anna~1.ann\locals~1\temp\catchme.sys (file missing)
S3 ctgame (Game Port) - c:\windows\system32\drivers\ctgame.sys (file missing)
S3 FETNDIS (VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver) - c:\windows\system32\drivers\fetnd5.sys (file missing)
S3 GMSIPCI - e:\install\gmsipci.sys (file missing)
S3 oflpydin - c:\documents and settings\mum & dad\local settings\temp\oflpydin.sys
S3 ossrv (Creative OS Services Driver) - c:\windows\system32\drivers\ctoss2k.sys (file missing)
S3 SABProcEnum - c:\program files\mozilla firefox\sabprocenum.sys (file missing)
S3 SASENUM - c:\program files\superantispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 AntiVirScheduler (AntiVir PersonalEdition Classic Scheduler) - "c:\program files\antivir personaledition classic\sched.exe" <Not Verified; Avira GmbH; Scheduler>

S4 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-07-26 and 2007-08-26 -----------------------------

2007-08-26 20:13:16 0 d------c- C:\BackUpMSNCleaner
2007-08-26 20:01:20 0 d------c- C:\Program Files\MSN Messenger
2007-08-26 19:52:53 0 dr-h---c- C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Recent
2007-08-25 16:57:48 0 d------c- C:\Program Files\PCS-639
2007-08-25 15:52:46 45316 --a------ C:\WINDOWS\system32\mssusr.dat
2007-08-25 15:52:46 8 --a------ C:\WINDOWS\system32\msfffff2b7.dll
2007-08-25 15:52:20 221184 --a------ C:\WINDOWS\system32\ipsp.dll <Not Verified; SoftForYou; iProtectYou>
2007-08-25 15:52:19 11264 --a------ C:\WINDOWS\system32\SPORDER.DLL <Not Verified; Microsoft Corporation; Microsoft® Windows NT™ Operating System>
2007-08-21 08:17:45 0 d------c- C:\Documents and Settings\All Users.WINDOWS\Application Data\Messenger Plus!
2007-08-20 21:35:46 0 d------c- C:\Program Files\Windows Live
2007-08-20 20:42:13 0 d------c- C:\Program Files\Messenger Plus! Live
2007-08-20 16:13:20 0 d------c- C:\Program Files\DIFX
2007-08-20 16:00:34 0 d------c- C:\Documents and Settings\All Users.WINDOWS\Application Data\AntiVir PersonalEdition Classic
2007-08-16 19:01:25 0 dr-----c- C:\Documents and Settings\LocalService.NT AUTHORITY.002\My Documents
2007-08-11 22:01:23 10223616 --a------ C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\ntuser.dat
2007-08-05 12:47:15 0 d------c- C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Application Data\GetRightToGo
2007-08-04 20:30:56 0 d------c- C:\Documents and Settings\All Users.WINDOWS\Application Data\BOC424
2007-08-04 19:30:59 0 d------c- C:\Program Files\Java
2007-08-04 19:30:51 0 d------c- C:\Program Files\Common Files\Java
2007-08-04 14:39:04 0 d------c- C:\Program Files\ePrompter
2007-08-04 14:16:32 0 d------c- C:\Program Files\CCleaner
2007-08-04 13:47:20 0 d------c- C:\Program Files\KeyScrambler
2007-08-03 18:07:17 0 d------c- C:\Program Files\a-squared Free
2007-08-03 10:52:35 0 d------c- C:\Documents and Settings\Mum & Dad\Application Data\HouseCall 6.6
2007-08-03 09:45:38 0 d------c- C:\Documents and Settings\Mum & Dad\.housecall6.6
2007-07-29 17:58:15 0 d------c- C:\Program Files\HJTHotkey
2007-07-26 20:03:50 0 d-------- C:\WINDOWS\system32\SuperAdBlocker.com


-- Find3M Report ---------------------------------------------------------------

2007-08-26 20:32:02 0 d------c- C:\Program Files\HJT
2007-08-26 20:13:10 0 d------c- C:\Program Files\UltimateZip
2007-08-25 17:51:36 0 d------c- C:\Program Files\SpywareGuard
2007-08-25 16:59:58 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-25 14:18:25 0 d------c- C:\Program Files\SUPERAntiSpyware
2007-08-25 08:38:18 0 d------c- C:\Program Files\SpywareBlaster
2007-08-23 21:17:16 0 d------c- C:\Program Files\MSECACHE
2007-08-06 21:16:03 0 d------c- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-06 17:37:00 0 d------c- C:\Program Files\Comodo
2007-08-05 13:48:22 0 d-a----c- C:\Program Files\Common Files\Ahead
2007-08-04 19:30:51 0 d-a----c- C:\Program Files\Common Files
2007-08-04 14:25:31 0 d------c- C:\Program Files\Yahoo!
2007-08-04 07:51:29 0 d------c- C:\Program Files\Macrogaming
2007-07-27 18:09:47 2544 --a----c- C:\WINDOWS\mozver.dat
2007-07-22 07:46:48 0 d------c- C:\Program Files\Interplay
2007-07-19 17:36:31 0 d------c- C:\Program Files\Windows Installer Clean Up
2007-07-15 14:41:52 0 d------c- C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Application Data\SUPERAntiSpyware.com
2007-07-14 11:08:37 0 d------c- C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Application Data\Comodo
2007-07-12 20:49:56 0 d------c- C:\Program Files\Vivendi Universal Games
2007-07-12 19:08:06 0 d------c- C:\Program Files\Maxis
2007-07-09 20:33:23 0 d------c- C:\Program Files\Common Files\BiesseGroup
2007-07-09 15:31:41 0 d------c- C:\Program Files\EULAlyzer
2007-07-07 19:48:32 0 d------c- C:\Program Files\XP Codec Pack
2007-07-06 23:49:04 0 d------c- C:\Program Files\Google
2007-07-06 19:32:10 0 d------c- C:\Program Files\Intermac
2007-07-06 19:19:31 0 d------c- C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Application Data\Smart PC Solutions
2007-07-05 19:19:04 2634 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-05 13:48:36 0 d------c- C:\Program Files\SnIco Edit
2007-07-05 13:48:15 0 d------c- C:\Program Files\Movie Maker
2007-07-04 20:49:30 0 d------c- C:\Program Files\messenger
2007-07-04 20:49:29 0 d------c- C:\Program Files\LimeWire
2007-07-04 19:25:47 0 d------c- C:\Program Files\Enigma Software Group
2007-07-04 14:29:19 0 d------c- C:\Program Files\MSXML 4.0
2007-07-03 20:04:51 664 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-07-03 14:54:04 0 d------c- C:\Program Files\Windows NT
2007-07-02 13:25:25 0 d------c- C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Application Data\uTorrent
2007-07-01 17:08:09 0 d------c- C:\Program Files\Incomplete
2007-07-01 16:58:56 0 d------c- C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Application Data\LimeWire
2007-06-29 19:23:33 0 d--h----- C:\Program Files\WindowsUpdate
2007-06-28 20:08:19 23348 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2007-06-24 09:31:02 588 --a----c- C:\WINDOWS\eReg.dat
2007-06-03 11:56:05 0 --a----c- C:\WINDOWS\nsreg.dat


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [16/05/2003 09:45 AM]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [14/06/2007 06:32 PM]
"BOC-424"="C:\PROGRA~1\Comodo\CBOClean\BOC424.exe" [14/06/2007 09:28 AM]
"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [06/08/2007 05:36 PM]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [02/04/2007 10:35 AM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 05:56 PM]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [14/10/2004 02:24 AM]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [19/01/2007 12:54 PM]

C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Start Menu\Programs\Startup\
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 7:05:35 PM]

C:\Documents and Settings\All Users.WINDOWS\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [20/11/2006 8:47:28 AM]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [29/08/2003 7:05:35 PM]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoToolbarCustomize"=0 (0x0)
"NoToolbarsOnTaskbar"=0 (0x0)
"NoBandCustomize"=0 (0x0)
"NoMovingBands"=0 (0x0)
"NoCloseDragDropBands"=0 (0x0)
"NoSetTaskbar"=0 (0x0)
"NoSaveSettings"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [20/12/2006 01:55 PM 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 19/04/2007 01:41 PM 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SoundMan"=SOUNDMAN.EXE




-- Hosts -----------------------------------------------------------------------

#
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1 www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
127.0.0.1 abc-search.info
127.0.0.1 abloga.info #[Spamdexing]
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
127.0.0.1 www.acezip.net #[Win32/Adware.180Solutions]
127.0.0.1 phpadsnew.abac.com

15582 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-08-26 20:34:00 ------------

Extra.txt:
Deckard's System Scanner v20070819.64
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.60GHz
CPU 1: Intel® Pentium® 4 CPU 2.60GHz
Percentage of Memory in Use: 54%
Physical Memory (total/avail): 446.48 MiB / 204.14 MiB
Pagefile Memory (total/avail): 1153.32 MiB / 903.7 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1957.61 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 37.26 GiB total, 7.05 GiB free.
D: is CDROM (No Media)
E: is CDROM (No Media)


-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is disabled.

AntiVirusDisableNotify is set.
FirewallDisableNotify is set.
UpdatesDisableNotify is set.
AntivirusOverride is set.
FirewallOverride is set.

FW: COMODO Firewall Pro v2.3.035 (COMODO)
AV: Avira AntiVir PersonalEdition v 6.38.0.225 (Avira GmbH) Outdated

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINDOWS
APPDATA=C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=ANNA-1PQCY3C8D7
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\annA.ANNA-1PQCY3C8D7
LOGONSERVER=\\ANNA-1PQCY3C8D7
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\WBEM;;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625;C:\PROGRA~1\COMMON~1\MUVEET~1\030625
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 9, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0209
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ANNA~1.ANN\LOCALS~1\Temp
TMP=C:\DOCUME~1\ANNA~1.ANN\LOCALS~1\Temp
USERDOMAIN=ANNA-1PQCY3C8D7
USERNAME=annA
USERPROFILE=C:\Documents and Settings\annA.ANNA-1PQCY3C8D7
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

annA.ANNA-1PQCY3C8D7 (admin)
Mum & Dad (admin)
Administrator.ANNA-1PQCY3C8D7.000 (new local, admin)


-- Add/Remove Programs ---------------------------------------------------------

a-squared Free 3.0 --> "C:\Program Files\a-squared Free\unins000.exe"
Adobe Acrobat 5.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.isu" -c"C:\Program Files\Common Files\Adobe\Acrobat 5.0\NT\Uninst.dll"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Flash Player Plugin --> C:\WINDOWS\system32\Macromed\Flash\uninstall_plugin.exe
Adobe Photoshop 7.0 --> C:\WINDOWS\ISUNINST.EXE -f"C:\Program Files\Adobe\Photoshop 7.0\Uninst.isu" -c"C:\Program Files\Adobe\Photoshop 7.0\Uninst.dll"
AVG Anti-Rootkit Free --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Free\Uninstall.exe
Avira AntiVir PersonalEdition Classic --> C:\Program Files\AntiVir PersonalEdition Classic\SETUP.EXE /REMOVE
BOClean --> C:\WINDOWS\UNBOC.EXE
Canon MP Drivers --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{58F8C6D9-5B55-486A-A322-4E8D87670031}\Setup.exe" -l0x9 -Uninstall
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
COMODO Firewall Pro --> C:\Program Files\Comodo\Firewall\fwconfig.exe -uninstalln
DVD Shrink 3.2 --> "C:\Program Files\DVD Shrink\unins000.exe"
EULAlyzer v1.2 --> "C:\Program Files\EULAlyzer\unins000.exe"
HijackThis 2.0.2 --> "C:\Program Files\HJT\HijackThis.exe" /uninstall
HJTHotkey 3.056 --> "C:\Program Files\HJTHotkey\unins000.exe"
HouseCall 6.6 --> "C:\Documents and Settings\Mum & Dad\Application Data\HouseCall 6.6\uninstaller.exe"
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
KeyScrambler --> C:\Program Files\KeyScrambler\uninstall.exe
Messenger Plus! Live --> "C:\Program Files\Messenger Plus! Live\Uninstall.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Mozilla Firefox (2.0.0.6) --> C:\Program Files\Mozilla Firefox\uninstall\helper.exe
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
Realtek AC'97 Audio --> Alcrmv.exe -r -m
Sentinel System Driver --> C:\WINDOWS\SYSTEM32\RNBOSENT\SETUPX86.EXE /U /q
Sony USB Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5C29CB8B-AC1E-4114-8D68-9CD080140D4A}\setup.exe" UNINSTALL
Spybot - Search & Destroy --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
SpywareGuard v2.2 --> "C:\Program Files\SpywareGuard\unins000.exe"
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
The Sims Deluxe Edition --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{10798AE3-DCBB-43C3-9C93-C23512427E25}\setup.exe" -l0009
UltimateZip 3.0.3 --> "C:\Program Files\UltimateZip\unins000.exe"
VIA/S3G Display Driver 6.14.10.0297 --> C:\PROGRA~1\S3\UChromeP\s3minset.exe /u UChromeP.uns
Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
Windows Live Messenger --> MsiExec.exe /I{571700F0-DB9D-4B3A-B03D-35A14BB5939F}
Windows Live Sign-in Assistant --> MsiExec.exe /I{49672EC2-171B-47B4-8CE7-50D7806360D7}
XP Codec Pack --> C:\Program Files\XP Codec Pack\Uninstall.exe


-- Application Event Log -------------------------------------------------------

Event Record #/Type5826 / Error
Event Submitted/Written: 08/26/2007 08:33:16 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.

Event Record #/Type5825 / Error
Event Submitted/Written: 08/26/2007 08:33:04 PM
Event ID/Source: 3 / crypt32
Event Description:
Failed auto update retrieval of third-party root list cab from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The specified server cannot perform the requested operation.

Event Record #/Type5823 / Error
Event Submitted/Written: 08/26/2007 08:33:04 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.

Event Record #/Type5822 / Error
Event Submitted/Written: 08/26/2007 08:33:00 PM
Event ID/Source: 3 / crypt32
Event Description:
Failed auto update retrieval of third-party root list cab from: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The specified server cannot perform the requested operation.

Event Record #/Type5820 / Error
Event Submitted/Written: 08/26/2007 08:33:00 PM
Event ID/Source: 11 / crypt32
Event Description:
Failed extract of third-party root list from auto update cab at: <http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab> with error: The data is invalid.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type27382 / Error
Event Submitted/Written: 08/26/2007 08:24:27 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

Event Record #/Type27381 / Error
Event Submitted/Written: 08/26/2007 08:24:27 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Shfusion.dll.
Reference error message: The operation completed successfully.
.

Event Record #/Type27380 / Error
Event Submitted/Written: 08/26/2007 08:24:27 PM
Event ID/Source: 59 / SideBySide
Event Description:
Resolve Partial Assembly failed for Microsoft.VC80.CRT.
Reference error message: The referenced assembly is not installed on your system.
.

Event Record #/Type27379 / Error
Event Submitted/Written: 08/26/2007 08:24:27 PM
Event ID/Source: 32 / SideBySide
Event Description:
Dependent Assembly Microsoft.VC80.CRT could not be found and Last Error was The referenced assembly is not installed on your system.

Event Record #/Type27378 / Error
Event Submitted/Written: 08/26/2007 08:24:27 PM
Event ID/Source: 59 / SideBySide
Event Description:
Generate Activation Context failed for C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Shfusion.dll.
Reference error message: The operation completed successfully.
.



-- End of Deckard's System Scanner: finished at 2007-08-26 20:34:00 ------------
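The hosts section of the scan above is the signature of a blocklist (ad and malware hosts, more than fifteen thousand of them, all pointed at 127.0.0.1 and annotated with MVPS-style `#[...]` tags), which is protective rather than a sign of infection. The mapping a responder actually hunts for is the reverse: a legitimate hostname resolved to a routable address, which silently redirects the victim or starves a security product of its updates. The Python below is an added example, not part of the thread; its sample input reproduces the entries shown above plus two constructed redirect lines (an RFC 5737 test address and `.test` hostnames) so the two patterns can be told apart.

```python
"""Audit a Windows hosts file: blocklist sinks vs. suspicious redirects."""
import ipaddress
import re
from collections import Counter

# Constructed sample input. The first block reproduces the header and the
# MVPS-style entries shown in the scan above; the last two mappings are made
# up (RFC 5737 test address, .test hostnames) to stand in for a hijacked entry.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
#
127.0.0.1 ad.a8.net
127.0.0.1 asy.a8ww.net
127.0.0.1 www.aaa-livedoor.net #[Trojan-PSW.Win32.Maran.ei]
127.0.0.1 www.abcsearcher.com #[Spamdexing][Microsoft.Strider]
127.0.0.1 www.abx4.com #[Adware.ABXToolbar]
0.0.0.0 www.acezip.net #[Win32/Adware.180Solutions]
203.0.113.10 www.example-bank.test         # constructed: real-looking site sent to an attacker IP
203.0.113.10 update.example-antivirus.test # constructed: starves an AV product of updates
"""

TAG_RE = re.compile(r"\[([^\]]+)\]")   # the #[Category] annotations used by MVPS


def parse_hosts(text):
    """Yield (ip, hostname, comment) for each active mapping, one per hostname."""
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields = body.split()
        if len(fields) < 2:
            continue
        for host in fields[1:]:
            yield fields[0], host.lower(), comment.strip()


def classify(ip):
    """'sink' for the null route or any loopback address, 'redirect' if routable."""
    if ip == "0.0.0.0":
        return "sink"
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "invalid"
    if addr.is_loopback:
        return "sink"
    return "redirect"


def audit_hosts(text):
    """Return (kind counts, tag counts, list of (hostname, ip) redirects)."""
    kinds, tags, redirects = Counter(), Counter(), []
    for ip, host, comment in parse_hosts(text):
        kind = classify(ip)
        kinds[kind] += 1
        tags.update(TAG_RE.findall(comment))
        if kind == "redirect":
            redirects.append((host, ip))
    return kinds, tags, redirects


if __name__ == "__main__":
    kinds, tags, redirects = audit_hosts(SAMPLE_HOSTS)
    print(kinds, tags, sep="\n")
    for host, ip in redirects:
        print(f"REDIRECT {host} -> {ip}")
```

Windows reads the file from the directory named in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DataBasePath (normally %SystemRoot%\System32\drivers\etc); a DataBasePath pointing elsewhere is itself a finding, so confirm the scanner and the resolver are looking at the same file before trusting a clean result.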

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 26 August 2007 - 06:17 AM

Is IProtectYou/SoftFor You something that was installed by you or your parents?

I can see it's a parental control/internet filtering package; however, some sites and programs flag it as spyware because it logs keystrokes and obviously monitors internet use. Or is it something that has been installed and uninstalled? There are a few files related to it in your log.

Please surf here and paste the following file path into the blank box:

c:\documents and settings\mum & dad\local settings\temp\oflpydin.sys

Hit Send file and wait for the scanners to finish. Once done, please paste the results here.

firefox.exe, iexplorer.exe or wmplayer.exe

iexplorer.exe or iexplore.exe?

Have you used the "Scan for known applications" function in Comodo Firewall?
Hi there, stranger!

#5 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 26 August 2007 - 06:35 AM

Also..

Please download GMER:
  • Unzip it and double-click GMER.exe
  • Click the rootkit-tab and click scan.
  • Once done, click Copy.
  • This will copy the results to clipboard.
  • Paste the results in your next reply.


#6 annabackwards

annabackwards
  • Topic Starter

  • Members
  • 1,381 posts
  • Gender:Female
  • Location:Sydney, Australia.

Posted 27 August 2007 - 01:47 AM

I was trialling iProtectYou before in a bid to prevent any annoying popups in Internet Explorer, but it was useless.
So I uninstalled it.

Yes, I have used the function you mentioned before and done it again just for good measure. The same thing happened though.
That is why I thought it was a sign of malware on my computer attempting to search the net so it can update itself.

Here's the result from VirusTotal:
Antivirus Version Last Update Result
AhnLab-V3 2007.8.25.0 2007.08.27 -
AntiVir 7.4.1.63 2007.08.26 -
Authentium 4.93.8 2007.08.26 -
Avast 4.7.1029.0 2007.08.27 -
AVG 7.5.0.484 2007.08.27 -
BitDefender 7.2 2007.08.27 -
CAT-QuickHeal 9.00 2007.08.25 -
ClamAV 0.91 2007.08.27 -
DrWeb 4.33 2007.08.27 -
eSafe 7.0.15.0 2007.08.26 -
eTrust-Vet 31.1.5085 2007.08.24 -
Ewido 4.0 2007.08.26 -
FileAdvisor 1 2007.08.27 -
Fortinet 2.91.0.0 2007.08.27 -
F-Prot 4.3.2.48 2007.08.26 -
F-Secure 6.70.13030.0 2007.08.27 -
Ikarus T3.1.1.12 2007.08.27 -
Kaspersky 4.0.2.24 2007.08.27 -
McAfee 5105 2007.08.24 -
Microsoft 1.2803 2007.08.27 -
NOD32v2 2485 2007.08.26 -
Norman 5.80.02 2007.08.24 -
Panda 9.0.0.4 2007.08.26 -
Prevx1 V2 2007.08.27 -
Rising 19.38.01.00 2007.08.27 -
Sophos 4.21.0 2007.08.27 -
Sunbelt 2.2.907.0 2007.08.25 -
Symantec 10 2007.08.27 -
TheHacker 6.1.9.173 2007.08.27 -
VBA32 3.12.2.3 2007.08.26 -
VirusBuster 4.3.26:9 2007.08.26 -
Webwasher-Gateway 6.0.1 2007.08.27 -
Additional information
File size: 15872 bytes
MD5: 5012f080fccf701e2cd6b045ac7814d9
SHA1: 2e8265294f3deea45512a44958eeac38c41f5453

Here's the result for GMER:
GMER 1.0.13.12551 - http://www.gmer.net
Rootkit scan 2007-08-26 22:26:37
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.13 ----

SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwConnectPort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreatePort
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenSection
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetContextThread
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetInformationFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwSetValueKey
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwShutdownSystem
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFile
SSDT \SystemRoot\System32\DRIVERS\cmdmon.sys ZwWriteFileGather

---- User code sections - GMER 1.0.13 ----

.text C:\Program Files\Comodo\Firewall\CPF.exe[2356] ntdll.dll!LdrLoadDll 7C9161CA 3 Bytes [ FF, 25, 1E ]
.text C:\Program Files\Comodo\Firewall\CPF.exe[2356] ntdll.dll!LdrLoadDll + 4 7C9161CE 2 Bytes [ 05, 5F ]
.text C:\Program Files\Comodo\Firewall\CPF.exe[2356] kernel32.dll!LoadLibraryExW 7C801AF1 6 Bytes JMP 5F08001E

---- Kernel IAT/EAT - GMER 1.0.13 ----

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F75426D0] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F7542730] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F7542950] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F7542910] inspect.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F7542910] inspect.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F7542730] inspect.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F75426D0] inspect.sys
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F7542950] inspect.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F7542950] inspect.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F7542910] inspect.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F7542730] inspect.sys
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F75426D0] inspect.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F7542910] inspect.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F75426D0] inspect.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F7542730] inspect.sys
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F7542950] inspect.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F75426D0] inspect.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F7542730] inspect.sys
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F7542910] inspect.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F7542950] inspect.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F7542910] inspect.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F7542730] inspect.sys
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F75426D0] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F7542910] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F7542950] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F75426D0] inspect.sys
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F7542730] inspect.sys

---- Devices - GMER 1.0.13 ----

AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F73D11DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_NAMED_PIPE [F73D11DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLOSE [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_READ [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_WRITE [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_INFORMATION [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_INFORMATION [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_EA [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_EA [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FLUSH_BUFFERS [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_VOLUME_INFORMATION [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_VOLUME_INFORMATION [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DIRECTORY_CONTROL [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_FILE_SYSTEM_CONTROL [F73D1454] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CONTROL [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_INTERNAL_DEVICE_CONTROL [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SHUTDOWN [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_LOCK_CONTROL [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CLEANUP [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE_MAILSLOT [F73D11DE] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_SECURITY [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_SECURITY [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_POWER [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SYSTEM_CONTROL [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_DEVICE_CHANGE [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_QUERY_QUOTA [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Ntfs \Ntfs IRP_MJ_SET_QUOTA [F73C4F4C] fltmgr.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F5975A6A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [F5975A16] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_READ [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F597594A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F597585E] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F59759B8] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F5975A6A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [F5975A16] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_READ [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F597594A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F597585E] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F59759B8] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F5975A6A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [F5975A16] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_READ [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F597594A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F597585E] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F59759B8] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F5975A6A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [F5975A16] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_READ [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F597594A] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F597585E] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F59759B8] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F5975B12] cmdmon.sys
AttachedDevice \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F5975B12] cmdmon.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE [F73D11DE] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_NAMED_PIPE [F73D11DE] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLOSE [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_READ [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_WRITE [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_INFORMATION [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_INFORMATION [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_EA [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_EA [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FLUSH_BUFFERS [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_VOLUME_INFORMATION [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_VOLUME_INFORMATION [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DIRECTORY_CONTROL [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_FILE_SYSTEM_CONTROL [F73D1454] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CONTROL [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_INTERNAL_DEVICE_CONTROL [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SHUTDOWN [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_LOCK_CONTROL [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CLEANUP [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_CREATE_MAILSLOT [F73D11DE] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_SECURITY [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_SECURITY [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_POWER [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SYSTEM_CONTROL [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_DEVICE_CHANGE [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_QUERY_QUOTA [F73C4F4C] fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat IRP_MJ_SET_QUOTA [F73C4F4C] fltmgr.sys

---- Files - GMER 1.0.13 ----

ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\baybii_princeza@hotmail.com\DFSR\Staging\CS{58E4D4C8-B0FD-833A-10CC-C26136DE2304}\01\38-{58E4D4C8-B0FD-833A-10CC-C26136DE2304}-v1-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v38-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\baybii_princeza@hotmail.com\DFSR\Staging\CS{58E4D4C8-B0FD-833A-10CC-C26136DE2304}\33\40-{0F270344-890F-4B7A-9694-9A7CF6E3E008}-v33-{0F270344-890F-4B7A-9694-9A7CF6E3E008}-v40-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\baybii_princeza@hotmail.com\DFSR\Staging\CS{58E4D4C8-B0FD-833A-10CC-C26136DE2304}\33\40-{0F270344-890F-4B7A-9694-9A7CF6E3E008}-v33-{0F270344-890F-4B7A-9694-9A7CF6E3E008}-v40-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\baybii_princeza@hotmail.com\DFSR\Staging\CS{58E4D4C8-B0FD-833A-10CC-C26136DE2304}\39\41-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v39-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v41-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\baybii_princeza@hotmail.com\DFSR\Staging\CS{58E4D4C8-B0FD-833A-10CC-C26136DE2304}\39\41-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v39-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v41-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\baybii_princeza@hotmail.com\DFSR\Staging\CS{58E4D4C8-B0FD-833A-10CC-C26136DE2304}\39\41-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v39-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v41-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\drift.ap@hotmail.com\DFSR\Staging\CS{3D8E335F-6ABC-4497-2BF2-44407AA11E36}\01\56-{3D8E335F-6ABC-4497-2BF2-44407AA11E36}-v1-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v56-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\freddie_flintoff_is_class@hotmail.com\DFSR\Staging\CS{DFD24CE0-10B0-8B39-84BE-B1220E9A9BD8}\01\75-{DFD24CE0-10B0-8B39-84BE-B1220E9A9BD8}-v1-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v75-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\jessy_rocks91@hotmail.com\DFSR\Staging\CS{D68D1B0B-E207-7963-E7BC-B7CF7E24877C}\01\52-{D68D1B0B-E207-7963-E7BC-B7CF7E24877C}-v1-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v52-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\jessy_rocks91@hotmail.com\DFSR\Staging\CS{D68D1B0B-E207-7963-E7BC-B7CF7E24877C}\65\71-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v65-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v71-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\jessy_rocks91@hotmail.com\DFSR\Staging\CS{D68D1B0B-E207-7963-E7BC-B7CF7E24877C}\65\71-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v65-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v71-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\jessy_rocks91@hotmail.com\DFSR\Staging\CS{D68D1B0B-E207-7963-E7BC-B7CF7E24877C}\65\71-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v65-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v71-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\01\42-{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}-v1-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v42-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\43\47-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v43-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v47-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\43\47-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v43-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v47-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\45\48-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v45-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v48-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\45\48-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v45-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v48-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\46\49-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v46-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v49-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\46\49-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v46-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v49-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\50\51-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v50-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v51-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\50\51-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v50-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v51-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\50\51-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v50-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v51-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\lem-711@hotmail.com\DFSR\Staging\CS{C9211A4D-1FB5-D57D-243F-7458DF8912DC}\01\59-{C9211A4D-1FB5-D57D-243F-7458DF8912DC}-v1-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v59-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\lem-711@hotmail.com\DFSR\Staging\CS{C9211A4D-1FB5-D57D-243F-7458DF8912DC}\60\61-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v60-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v61-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\lem-711@hotmail.com\DFSR\Staging\CS{C9211A4D-1FB5-D57D-243F-7458DF8912DC}\60\61-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v60-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v61-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\stacy_ridge@hotmail.com\DFSR\Staging\CS{BCA8DBB1-F444-6B55-A37E-FF11779EAD1B}\01\84-{BCA8DBB1-F444-6B55-A37E-FF11779EAD1B}-v1-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v84-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\stacy_ridge@hotmail.com\DFSR\Staging\CS{BCA8DBB1-F444-6B55-A37E-FF11779EAD1B}\85\88-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v85-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v88-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\stacy_ridge@hotmail.com\DFSR\Staging\CS{BCA8DBB1-F444-6B55-A37E-FF11779EAD1B}\85\88-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v85-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v88-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\stacy_ridge@hotmail.com\DFSR\Staging\CS{BCA8DBB1-F444-6B55-A37E-FF11779EAD1B}\85\88-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v85-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v88-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\tootiehogan@hotmail.com\DFSR\Staging\CS{3856E74C-DC05-CFB0-8E8E-5CCF63F377FF}\01\80-{3856E74C-DC05-CFB0-8E8E-5CCF63F377FF}-v1-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v80-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\tootiehogan@hotmail.com\DFSR\Staging\CS{3856E74C-DC05-CFB0-8E8E-5CCF63F377FF}\81\83-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v81-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v83-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\tootiehogan@hotmail.com\DFSR\Staging\CS{3856E74C-DC05-CFB0-8E8E-5CCF63F377FF}\81\83-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v81-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v83-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.2
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\tootiehogan@hotmail.com\DFSR\Staging\CS{3856E74C-DC05-CFB0-8E8E-5CCF63F377FF}\81\83-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v81-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v83-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\baybii_princeza@hotmail.com\DFSR\Staging\CS{58E4D4C8-B0FD-833A-10CC-C26136DE2304}\01\12-{58E4D4C8-B0FD-833A-10CC-C26136DE2304}-v1-{5EC8DEF1-7DFB-42C0-A317-E8442CC1729B}-v12-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\baybii_princeza@hotmail.com\DFSR\Staging\CS{58E4D4C8-B0FD-833A-10CC-C26136DE2304}\39\15-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v39-{0F270344-890F-4B7A-9694-9A7CF6E3E008}-v15-Partial.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\jessy_rocks91@hotmail.com\DFSR\Staging\CS{D68D1B0B-E207-7963-E7BC-B7CF7E24877C}\01\11-{D68D1B0B-E207-7963-E7BC-B7CF7E24877C}-v1-{5EC8DEF1-7DFB-42C0-A317-E8442CC1729B}-v11-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\jessy_rocks91@hotmail.com\DFSR\Staging\CS{D68D1B0B-E207-7963-E7BC-B7CF7E24877C}\65\71-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v65-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v71-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\jessy_rocks91@hotmail.com\DFSR\Staging\CS{D68D1B0B-E207-7963-E7BC-B7CF7E24877C}\65\71-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v65-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v71-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\01\10-{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}-v1-{5EC8DEF1-7DFB-42C0-A317-E8442CC1729B}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\43\47-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v43-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v47-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\45\48-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v45-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v48-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\46\49-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v46-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v49-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\josephjmc11@hotmail.com\DFSR\Staging\CS{8BFFBB31-A554-2779-C5C6-FE3D892F7A53}\50\51-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v50-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v51-Partial.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\lem-711@hotmail.com\DFSR\Staging\CS{C9211A4D-1FB5-D57D-243F-7458DF8912DC}\01\13-{C9211A4D-1FB5-D57D-243F-7458DF8912DC}-v1-{5EC8DEF1-7DFB-42C0-A317-E8442CC1729B}-v13-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\stacy_ridge@hotmail.com\DFSR\Staging\CS{BCA8DBB1-F444-6B55-A37E-FF11779EAD1B}\01\15-{BCA8DBB1-F444-6B55-A37E-FF11779EAD1B}-v1-{5EC8DEF1-7DFB-42C0-A317-E8442CC1729B}-v15-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\tootiehogan@hotmail.com\DFSR\Staging\CS{3856E74C-DC05-CFB0-8E8E-5CCF63F377FF}\01\16-{3856E74C-DC05-CFB0-8E8E-5CCF63F377FF}-v1-{5EC8DEF1-7DFB-42C0-A317-E8442CC1729B}-v16-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\Mum & Dad\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\tootiehogan@hotmail.com\DFSR\Staging\CS{3856E74C-DC05-CFB0-8E8E-5CCF63F377FF}\81\83-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v81-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v83-Partial.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS

---- EOF - GMER 1.0.13 ----

You didn't ask for a HJT log... I'll post one anyway, but if you don't need it, please ignore it:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:34 PM, on 27/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\a-squared Free\a2service.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Comodo\CBOClean\BOCORE.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\CTSvcCDA.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\HJT\HijackThis.exe
C:\Program Files\AntiVir PersonalEdition Classic\avnotify.exe
C:\Program Files\AntiVir PersonalEdition Classic\avscan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost;
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll (file missing)
O2 - BHO: QFX Software KeyScrambler - {2B9F5787-88A5-4945-90E7-C4B18563BC5E} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (disabled by BHODemon)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: Dictionary.com - {11359F4A-B191-42D7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll (file missing)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [BOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Search &Dictionary - C:\Program files\Lexico\Toolbar\dictionary.htm
O8 - Extra context menu item: Search &Thesaurus - C:\Program files\Lexico\Toolbar\thesaurus.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\keyscramblerIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://annabackwards.spaces.live.com//Phot...ad/MsnPUpld.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {F0E2D69A-DC2F-4E9B-A993-684FB1C21DBC} - http://dictionary.reference.com/tools/toolbar/lexico.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: BOCore - COMODO - C:\Program Files\Comodo\CBOClean\BOCORE.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTSvcCDA.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

--
End of file - 7449 bytes

Surf smarter, surf faster, surf safer, surf with Mozilla Firefox
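
The HijackThis log above is the kind of thing a helper reads line by line, checking every O4 autostart and O2/O3 browser extension for where it actually runs from and whether the file still exists. The script below is an added example for this thread, not code from HijackThis, GMER or any poster: it parses those sections and flags the usual warning signs (a bare filename with no directory, a file under a user profile or temp directory, an orphaned "(file missing)" entry). The trusted-directory prefixes and the two "Example ..." sample lines are my assumptions; the other sample lines are copied from the posted log.

```python
"""Triage of HijackThis 2.0 log lines. Added example for this thread, not code
from HijackThis, GMER or any poster. Assumptions (mine, not the page's): the
trusted-directory prefixes below and the two "Example ..." sample lines, which
are constructed, not taken from the posted log."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "section name path flags")

# Locations the legitimate autostarts in the posted log run from. An autostart
# that points elsewhere (a user profile, %TEMP%, or just a bare filename) is the
# pattern worth a second look; this list is an assumption, tune it per machine.
TRUSTED_DIRS = (
    "c:\\program files\\",
    "c:\\progra~1\\",
    "c:\\windows\\system32\\",
    "c:\\windows\\",
)

# O4 - HKLM\..\Run: [name] "C:\dir\prog.exe" /switch   (also HKCU, HKUS\SID)
RUN_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O4 - Startup: name.lnk = C:\dir\prog.exe             (also Global Startup)
STARTUP_RE = re.compile(r"^O4 - (?P<hive>(?:Global )?Startup): (?P<name>.+?) = (?P<cmd>.*)$")
# O2 - BHO: name - {CLSID} - C:\dir\x.dll   /   O3 - Toolbar: name - {CLSID} - ...
COM_RE = re.compile(r"^(?P<sec>O[23]) - \w+: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$")
# First executable/library path in a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.(?:exe|dll|ocx|scr|com|bat|cmd|pif))\b"?', re.I)


def flags_for(path, raw_line):
    """Return the reasons an entry deserves review (empty list = looks ordinary)."""
    if path is None:
        return ["no file path recorded: check how this entry is loaded"]
    flags = []
    low = path.lower()
    if "\\" not in low:
        flags.append("bare filename: resolved through the PATH search order, not a fixed location")
    elif not low.startswith(TRUSTED_DIRS):
        flags.append("runs from outside Program Files / Windows")
    if "(file missing)" in raw_line.lower():
        flags.append("file missing: orphaned entry, safe to remove")
    return flags


def triage(log_text):
    """Parse the O2/O3/O4 lines of a HijackThis log into Entry tuples."""
    entries = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = RUN_RE.match(raw) or STARTUP_RE.match(raw)
        if m:
            section, name, target = "O4", m.group("name"), m.group("cmd")
        else:
            m = COM_RE.match(raw)
            if not m:
                continue
            section, name, target = m.group("sec"), m.group("name"), m.group("path")
        exe = EXE_RE.match(target)
        path = exe.group("exe") if exe else None
        entries.append(Entry(section, name, path, flags_for(path, raw)))
    return entries


def suspicious(log_text):
    """Only the entries that carry at least one flag."""
    return [e for e in triage(log_text) if e.flags]


# Sample input: lines copied from the posted log plus two constructed
# "Example ..." autostarts (hypothetical names and paths, added to exercise the checks).
SAMPLE_LOG = r"""
O2 - BHO: Dictionary.com - {11359F4A-B191-42d7-905A-594F8CF0387B} - C:\WINDOWS\Downloaded Program Files\lexbar.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKLM\..\Run: [BOC-424] C:\PROGRA~1\Comodo\CBOClean\BOC424.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O4 - HKLM\..\Run: [Example Loader] exmpl.exe
O4 - HKCU\..\Run: [Example Updater] C:\Documents and Settings\user\Local Settings\Temp\exmpl.exe
"""

if __name__ == "__main__":
    for e in suspicious(SAMPLE_LOG):
        print(f"{e.section} [{e.name}] {e.path}: {'; '.join(e.flags)}")
```

On the sample above only the orphaned Dictionary.com BHO and the two constructed "Example" autostarts are reported; everything the vendors in the posted log start from Program Files or Windows passes. A flag is a reason to look the file up, not a verdict: legitimate software does occasionally run from a user profile, and the trusted-directory list is deliberately narrow.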

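The GMER "Files" section in the same post is a long run of alternate data streams on Messenger sharing-folder staging files, all with the same GUID-named stream and only the suffix (.XPRESS, .rdc.1, .rdc.2) varying. The script below is an added example, not GMER's code or any poster's: it splits each ADS line into file path and stream name (the stream follows the last colon; the first colon belongs to the drive letter) and collapses the list into a summary, leaving only streams on files outside the staging tree for manual review. Treating streams under a \DFSR\Staging\ directory as expected sharing-folder metadata is my heuristic, to be checked against your own baseline; the Zone.Identifier and example.dll sample lines are constructed, the two staging lines are copied from the posted log.

```python
"""Collapse the 'ADS' lines of a GMER 'Files' section into a summary. Added
example for this thread; not GMER's code or any poster's. Assumption: streams on
files under a \\DFSR\\Staging\\ directory are treated as expected Messenger
sharing-folder metadata (a heuristic to confirm locally, not a verdict from the page)."""
import re
from collections import Counter

ADS_RE = re.compile(r"^ADS\s+(?P<full>.+)$")
STAGING_MARK = "\\dfsr\\staging\\"
KNOWN_STREAMS = {"zone.identifier"}   # Explorer's "downloaded from the Internet" mark
EXEC_EXT = re.compile(r"\.(?:exe|dll|sys|scr|com|ocx)$", re.I)


def split_stream(full):
    """'C:\\dir\\file.ext:stream' -> ('C:\\dir\\file.ext', 'stream').
    The stream name follows the last ':'; the first ':' belongs to the drive
    letter, so a path with only one colon carries no stream name."""
    if full.count(":") < 2:
        return full, None
    path, _, stream = full.rpartition(":")
    return path, stream


def parse_ads(gmer_text):
    """All (path, stream) pairs from the ADS lines of a GMER log."""
    pairs = []
    for line in gmer_text.splitlines():
        m = ADS_RE.match(line.strip())
        if m:
            pairs.append(split_stream(m.group("full")))
    return pairs


def classify(path, stream):
    low_path, low_stream = path.lower(), (stream or "").lower()
    if STAGING_MARK in low_path:
        return "dfsr-staging"          # assumed benign sharing-folder metadata
    if low_stream in KNOWN_STREAMS:
        return "zone-identifier"       # ordinary download mark on a file
    if EXEC_EXT.search(low_path):
        return "stream-on-executable"  # a stream hung off a binary: look at it
    return "other"


def stream_kind(stream):
    """Drop the leading {GUID} so '{59828bbb-...}.rdc.1' and '{59828bbb-...}.XPRESS'
    group as '.rdc.1' and '.xpress'."""
    return re.sub(r"^\{[0-9a-f-]+\}", "", stream, flags=re.I).lower()


def summarize(gmer_text):
    entries = parse_ads(gmer_text)
    classes = Counter(classify(p, s) for p, s in entries)
    kinds = Counter(stream_kind(s) for _, s in entries if s)
    review = [(p, s) for p, s in entries
              if classify(p, s) in ("stream-on-executable", "other")]
    return {"classes": dict(classes), "kinds": dict(kinds), "review": review}


# Sample input: two staging lines copied from the posted log, plus two
# constructed lines (a download mark and a hypothetical stream on a DLL).
SAMPLE = r"""
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\baybii_princeza@hotmail.com\DFSR\Staging\CS{58E4D4C8-B0FD-833A-10CC-C26136DE2304}\01\38-{58E4D4C8-B0FD-833A-10CC-C26136DE2304}-v1-{1C6ABECA-7BF4-40C6-B116-3F1359F305A7}-v38-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS
ADS C:\Documents and Settings\annA.ANNA-1PQCY3C8D7\Local Settings\Application Data\Microsoft\Messenger\anguyen2161@hotmail.com\SharingMetadata\baybii_princeza@hotmail.com\DFSR\Staging\CS{58E4D4C8-B0FD-833A-10CC-C26136DE2304}\33\40-{0F270344-890F-4B7A-9694-9A7CF6E3E008}-v33-{0F270344-890F-4B7A-9694-9A7CF6E3E008}-v40-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.rdc.1
ADS C:\Documents and Settings\user\Desktop\setup.exe:Zone.Identifier
ADS C:\WINDOWS\system32\example.dll:hidden.dat
"""

if __name__ == "__main__":
    result = summarize(SAMPLE)
    print(result["classes"], result["kinds"])
    for path, stream in result["review"]:
        print("review:", path, "->", stream)
```

Run against the full GMER output, the 47 staging entries collapse to one "dfsr-staging" count and the suffix histogram, and the review list is what a helper actually needs to read.
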
#7 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:08:56 PM

Posted 27 August 2007 - 04:48 AM

I should have posted this earlier but didn't realize. The file your PC was/is infected with is Troj/IRCBot-XJ.

More info here. You also said you had 3 trojan backdoors found and removed before you posted the log.

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

We can still continue to clean this machine but I can't guarantee that it will be 100% secure afterwards.

------

However, if you want to continue with the cleaning process you should update your current Avira A/V version.

Latest version is 7.00.04.15. You've got v 6.38.0.225. Get the latest version here. Once updated, please run a complete scan with Avira and see what it finds. :thumbsup:

Post back with the results.
Hi there, stranger!

#8 annabackwards

annabackwards
  • Topic Starter

  • Members
  • 1,381 posts
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:04:56 AM

Posted 27 August 2007 - 05:19 AM

I will format my computer, reinstall my OS, change my passwords (no bank transactions, thank god) and update Avira as soon as it's a new month, seeing as my internet right now is way too slow to even try updating.

For now, all I can do is make sure I don't do something silly like make an online transaction or do online banking on this computer.

Will get back to you with the results that Avira comes up with (after I reformat).

Thanks heaps for your time :thumbsup:

Surf smarter, surf faster, surf safer, surf with Mozilla Firefox

#9 annabackwards

annabackwards
  • Topic Starter

  • Members
  • 1,381 posts
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:04:56 AM

Posted 28 August 2007 - 06:24 AM

Just finished reformatting my computer, and have split my drive in half, so it won't be as painful if I need to do it again.

Do you know of any IP address hiders, just to satisfy my paranoia?

Thanks again

Surf smarter, surf faster, surf safer, surf with Mozilla Firefox

#10 Rawe

Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland
  • Local time:08:56 PM

Posted 28 August 2007 - 07:18 AM

Well, actually I don't; I've never used one, but I'm sure a simple Google search should come up with a few. :thumbsup:
Don't know how good they are, but you can always give one a try.

Hide IP v.1.0 is one I found, but I don't know if it's good or does its job;
then there's Ninja Surfing, etc.
Hi there, stranger!

#11 annabackwards

annabackwards
  • Topic Starter

  • Members
  • 1,381 posts
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:04:56 AM

Posted 29 August 2007 - 02:13 AM

Just updated Avira and scanned my computer.
It only found one file that contained a trace of Smitfraud (which I had previously).
Here's the log:
AntiVir PersonalEdition Classic
Report file date: Wednesday, 29 August 2007 15:53

Scanning for 1037656 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: annabackwards
Computer name: ANNA

Version information:
BUILD.DAT : 247 14437 Bytes 5/10/2007 11:55:00
AVSCAN.EXE : 7.0.4.15 282664 Bytes 4/20/2007 03:37:14
AVSCAN.DLL : 7.0.4.4 33832 Bytes 3/27/2007 03:31:54
LUKE.DLL : 7.0.4.11 143400 Bytes 3/27/2007 03:26:04
LUKERES.DLL : 7.0.4.0 10280 Bytes 3/19/2007 03:18:59
ANTIVIR0.VDF : 6.35.0.1 7371264 Bytes 5/31/2006 05:08:58
ANTIVIR1.VDF : 6.39.0.129 7251968 Bytes 7/10/2007 01:03:18
ANTIVIR2.VDF : 6.39.1.43 1542656 Bytes 8/25/2007 01:03:18
ANTIVIR3.VDF : 6.39.1.56 46080 Bytes 8/28/2007 01:03:18
AVEWIN32.DLL : 7.4.1.63 2724352 Bytes 8/29/2007 01:03:19
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 01:36:26
AVPREF.DLL : 7.0.2.1 24616 Bytes 3/27/2007 03:31:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 04:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/29/2007 01:03:20
AVREG.DLL : 7.0.1.2 31784 Bytes 3/15/2007 00:05:08
AVEVTLOG.DLL : 7.0.0.18 86056 Bytes 3/27/2007 03:16:05
AVARKT.DLL : 1.0.0.17 278568 Bytes 5/2/2007 02:32:26
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 02:09:42
RCIMAGE.DLL : 7.0.1.15 2228264 Bytes 3/13/2007 01:46:18
RCTEXT.DLL : 7.0.45.0 86056 Bytes 3/19/2007 03:42:42

Configuration settings for the scan:
Jobname..........................: Manual Selection
Configuration file...............: C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic\PROFILES\folder.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: D:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: All files
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, 29 August 2007 15:53

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'update.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'usnsvc.exe' - '1' Module(s) have been scanned
Scan process 'msnmsgr.exe' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'SpybotSD.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'sgbhp.exe' - '1' Module(s) have been scanned
Scan process 'sgmain.exe' - '1' Module(s) have been scanned
Scan process 'NMBgMonitor.exe' - '1' Module(s) have been scanned
Scan process 'type32.exe' - '1' Module(s) have been scanned
Scan process 'InCD.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'BOC424.EXE' - '1' Module(s) have been scanned
Scan process 'cpf.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'wdfmgr.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'cmdagent.exe' - '1' Module(s) have been scanned
Scan process 'BOCore.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'a2service.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'InCDsrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
38 processes with 38 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[NOTE] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'D:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '17' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\'
D:\Downloads\SPybot updates\SmitfraudFix.exe
[DETECTION] Contains signature of the dropper DR/Tool.Reboot.F.12
[INFO] The file was moved to '473e122f.qua'!


End of the scan: Wednesday, 29 August 2007 16:29
Used time: 36:21 min

The scan has been done completely.

1899 Scanning directories
99670 Files were scanned
1 viruses and/or unwanted programs were found
0 classified as suspicious:
0 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
99669 Files not concerned
2309 Archives were scanned
1 Warnings
0 Notes
0 Hidden objects were found

Surf smarter, surf faster, surf safer, surf with Mozilla Firefox

#12 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:56 PM

Posted 29 August 2007 - 06:18 AM

Umm that's SmitfraudFix?

D:\Downloads\SPybot updates\SmitfraudFix.exe

This is a false positive. Or did you download SmitfraudFix yourself?
Hi there, stranger!
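As an added example (not from the thread, from Avira or from BleepingComputer), the following Python snippet parses the AntiVir report layout quoted above: it pairs each scanned path with its bracketed status lines, marks a dropper-heuristic hit on a known remediation tool as a likely false positive, and cross-checks the detection and quarantine counts against the report's own totals. The KNOWN_TOOLS set and the trimmed sample report are assumptions constructed for the example.

```python
import re

# Constructed excerpt laid out like the Avira AntiVir report quoted in the thread.
SAMPLE_REPORT = """\
Begin scan in 'C:\\'
C:\\pagefile.sys
[WARNING] The file could not be opened!
Begin scan in 'D:\\'
D:\\Downloads\\SPybot updates\\SmitfraudFix.exe
[DETECTION] Contains signature of the dropper DR/Tool.Reboot.F.12
[INFO] The file was moved to '473e122f.qua'!
99670 Files were scanned
1 viruses and/or unwanted programs were found
1 files were moved to quarantine
"""

# Remediation tools routinely hit by dropper heuristics (assumed list for the example).
KNOWN_TOOLS = {"smitfraudfix.exe"}

def parse_report(text):
    """Return (events, summary): one dict per scanned path, plus the report counters."""
    events, summary, current = [], {}, None
    for line in text.splitlines():
        status = re.match(r"\[(DETECTION|WARNING|INFO)\] (.*)", line)
        if status and current is not None:
            current[status.group(1).lower()] = status.group(2)   # attach to last path
            continue
        counter = re.match(r"(\d+) (.+)", line)
        if counter:
            summary[counter.group(2)] = int(counter.group(1))
        elif re.match(r"[A-Za-z]:\\", line):     # a scanned path, not a 'Begin scan in' line
            current = {"path": line}
            events.append(current)
    return events, summary

def triage(events, summary):
    """Classify each detection and check that the counters match the event list."""
    verdicts = {}
    for ev in events:
        if "detection" not in ev:
            continue
        signature = ev["detection"].rsplit(" ", 1)[-1]          # e.g. DR/Tool.Reboot.F.12
        name = ev["path"].rsplit("\\", 1)[-1].lower()
        # A Tool-class heuristic on a tool the user downloaded is a likely FP; still verify origin.
        known_tool = name in KNOWN_TOOLS and signature.startswith("DR/Tool.")
        verdicts[ev["path"]] = "likely false positive" if known_tool else "investigate"
    detected = sum("detection" in ev for ev in events)
    quarantined = sum("moved to" in ev.get("info", "") for ev in events)
    consistent = (detected == summary.get("viruses and/or unwanted programs were found")
                  and quarantined == summary.get("files were moved to quarantine"))
    return verdicts, consistent
```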

#13 annabackwards

annabackwards
  • Topic Starter

  • Members
  • 1,381 posts
  • OFFLINE
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:04:56 AM

Posted 29 August 2007 - 07:18 AM

Hmmm... well, I did download SmitfraudFix before to fix the problem.

I guess it was still on my computer from that and somehow got into that folder :thumbsup:

Well, at least now I know that if SmitfraudFix is picked up by Avira for the same reason, it's a false positive.

Thanks for the info Rawe!!!

So does my computer seem clean now?

The popups from Comodo aren't popping up anymore and all seems fine

Surf smarter, surf faster, surf safer, surf with Mozilla Firefox

#14 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:08:56 PM

Posted 29 August 2007 - 08:18 AM

Yup seems to be looking good :thumbsup:
Hi there, stranger!

#15 annabackwards

annabackwards
  • Topic Starter

  • Members
  • 1,381 posts
  • OFFLINE
  • Gender:Female
  • Location:Sydney, Australia.
  • Local time:04:56 AM

Posted 30 August 2007 - 03:31 AM

Thanks for the help :thumbsup:

Surf smarter, surf faster, surf safer, surf with Mozilla Firefox
