
Pcsecuitylab Crap



#1 sharster (Members, 14 posts)
Posted 14 September 2007 - 03:11 PM

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:10:38 PM, on 9/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: msscds32.msdn_hlp - {ED3912DF-EE05-4242-89D9-D31EFE9D4AF4} - C:\WINDOWS\system32\msscds32.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167510679\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167604245484
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 7425 bytes


#2 RichieUK (Malware Response Team, 13,614 posts)

Posted 15 September 2007 - 08:22 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, sharster :thumbsup:
My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


Download Combofix and save to your desktop:
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.

Also post a new HijackThis log, please.

#3 sharster (Topic Starter)

Posted 17 September 2007 - 04:24 PM

Sorry, this is a friend's computer and he was away for the weekend... will have this stuff done a little later today.

#4 RichieUK (Malware Response Team)

Posted 17 September 2007 - 06:13 PM

Ok, thanks for the update.

#5 sharster (Topic Starter)

Posted 17 September 2007 - 07:30 PM

Here yah go


SDFix: Version 1.105

Run by Owner on Mon 09/17/2007 at 04:33 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File

Rebooting...


Normal Mode:
Checking Files:

No Trojan Files Found




Removing Temp Files...

ADS Check:

C:\WINDOWS
No streams found.

C:\WINDOWS\system32
No streams found.

C:\WINDOWS\system32\svchost.exe
No streams found.

C:\WINDOWS\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------




Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"="C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe:*:Enabled:AOL Application Loader"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe:*:Enabled:AOL"
"C:\\Program Files\\America Online 9.0\\waol.exe"="C:\\Program Files\\America Online 9.0\\waol.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe:*:Enabled:AOLTsMon"
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"="C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe:*:Enabled:AOLTopSpeed"
"C:\\Program Files\\Common Files\\AOL\\1167510679\\EE\\AOLServiceHost.exe"="C:\\Program Files\\Common Files\\AOL\\1167510679\\EE\\AOLServiceHost.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"="C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"="C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe:*:Enabled:AOL"
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"="C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe:*:Enabled:AOL"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgemc.exe:*:Enabled:avgemc.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------


Files with Hidden Attributes:

C:\My Backup -- 06-12-30 1228PM\Program Files\America Online 9.0\AOLphx.exe
C:\My Backup -- 06-12-30 1228PM\Program Files\America Online 9.0\rbm.exe
C:\Program Files\America Online 9.0\AOLphx.exe
C:\Program Files\America Online 9.0\rbm.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
C:\My Backup -- 06-12-30 1228PM\WINDOWS\SoftwareDistribution\Download\S-1-5-18\1e5ec4df8aa14429fbc4248d2856f6f4\BITE2.tmp

Finished!

ComboFix 07-09-18 - "Owner" 2007-09-17 16:59:57.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.39 [GMT -7:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Owner\APPLIC~1\macromedia\Flash Player\#SharedObjects\9HKBECCJ\www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\DOCUME~1\Owner\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\2020search2.dll
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\bjam.dll
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\flt.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\stcloader.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\drivers\alert_icon.gif
C:\WINDOWS\system32\drivers\blank.gif
C:\WINDOWS\system32\drivers\box_1.gif
C:\WINDOWS\system32\drivers\box_2.gif
C:\WINDOWS\system32\drivers\box_3.gif
C:\WINDOWS\system32\drivers\button_buynow.gif
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\close_icon.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\download_box.gif
C:\WINDOWS\system32\drivers\footer_back.jpg
C:\WINDOWS\system32\drivers\header_1.gif
C:\WINDOWS\system32\drivers\header_2.gif
C:\WINDOWS\system32\drivers\header_3.gif
C:\WINDOWS\system32\drivers\header_4.gif
C:\WINDOWS\system32\drivers\header_bg.gif
C:\WINDOWS\system32\drivers\icon_warning.gif
C:\WINDOWS\system32\drivers\infected.gif
C:\WINDOWS\system32\drivers\main_back.gif
C:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
C:\WINDOWS\system32\drivers\product_1_header.gif
C:\WINDOWS\system32\drivers\product_1_name_small.gif
C:\WINDOWS\system32\drivers\product_2_header.gif
C:\WINDOWS\system32\drivers\product_2_name_small.gif
C:\WINDOWS\system32\drivers\product_3_header.gif
C:\WINDOWS\system32\drivers\product_3_name_small.gif
C:\WINDOWS\system32\drivers\product_features.gif
C:\WINDOWS\system32\drivers\pt.htm
C:\WINDOWS\system32\drivers\remove_spyware_button.gif
C:\WINDOWS\system32\drivers\s_detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\sep_hor.gif
C:\WINDOWS\system32\drivers\sep_vert.gif
C:\WINDOWS\system32\drivers\shadow.jpg
C:\WINDOWS\system32\drivers\spacer.gif
C:\WINDOWS\system32\drivers\spy_away_box.jpg
C:\WINDOWS\system32\drivers\star.gif
C:\WINDOWS\system32\drivers\star_gray.gif
C:\WINDOWS\system32\drivers\star_gray_small.gif
C:\WINDOWS\system32\drivers\star_small.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\drivers\v.gif
C:\WINDOWS\system32\drivers\warning_icon.gif
C:\WINDOWS\system32\drivers\win_logo.gif
C:\WINDOWS\system32\drivers\x.gif
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\msscds32.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\vxddsk.exe
C:\WINDOWS\wml.exe
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
.

2007-09-17 16:58 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-17 16:30 <DIR> d-------- C:\WINDOWS\ERUNT
2007-09-14 13:10 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-13 16:06 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-09-13 16:06 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-09-13 16:06 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-09-13 16:06 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-09-06 16:36 <DIR> d-------- C:\WINDOWS\pss
2007-09-05 16:47 3,168 --a------ C:\WINDOWS\system32\tmp.reg
2007-09-05 16:39 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-09-05 16:39 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\You've Got Pictures Screensaver
2007-09-05 16:39 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-09-05 16:39 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\AOL
2007-08-30 14:43 <DIR> d-------- C:\Program Files\Lavasoft
2007-08-30 14:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-08-30 14:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-30 14:25 <DIR> d-------- C:\Program Files\NoAdware5.0
2007-08-19 13:44 4 --a------ C:\WINDOWS\system32\stfv.bin

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-08-30 14:19 44288 --a------ C:\WINDOWS\system32\drivers\cdr4_xp.sys
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-06-25 23:08 1104896 --a------ C:\WINDOWS\system32\msxml3.dll
2007-06-19 06:31 282112 --a------ C:\WINDOWS\system32\gdi32.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000250-0320-4dd4-be4f-7566d2314352}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{13197ace-6851-45c3-a7ff-c281324d5489}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{30000273-8230-4dd4-be4f-6889d1e74167}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e1075f4-eec4-4a86-add7-cd5f52858c31}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4e7bd74f-2b8d-469e-92c6-ce7eb590a94d}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5dafd089-24b1-4c5e-bd42-8ca72550717b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8674aea0-9d3d-11d9-99dc-00600f9a01f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{965a592f-8efa-4250-8630-7960230792f1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{cf021f40-3e14-23a5-cba2-717765728274}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{fc3a74e5-f281-4f10-ae1e-733078684f3c}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-01-12 04:01]
"Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2006-12-30 13:15]
"RTHDCPL"="RTHDCPL.EXE" [2006-04-04 03:44 C:\WINDOWS\RTHDCPL.exe]
"Recguard"="%WINDIR%\SMINST\RECGUARD.EXE" []
"Reminder"="%WINDIR%\Creator\Remind_XP.exe" []
"HostManager"="C:\Program Files\Common Files\AOL\1167510679\EE\AOLHostManager.exe" []
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-13 08:34]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-17 09:25]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2006-03-30 17:45]
"OfotoNow USB Detection"="C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Power2GoExpress"=NA

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 02:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

S3 RTLWUSB;NETGEAR WG111v2 54Mbps Wireless USB 2.0 Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\wg111v2.sys

*Newly Created Service* - GTNDIS5
.
Contents of the 'Scheduled Tasks' folder
"2007-09-06 00:37:36 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-09-18 17:07:42
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-09-18 17:14:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-09-18 17:14
.
--- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:29:04 PM, on 9/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167510679\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167604245484
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 7388 bytes

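The ComboFix log above lists everything it deleted but gives no sense of the pattern behind the list. The Python below is an added example written for this page; it is not code from the thread, from ComboFix or from BleepingComputer. It splits the log at the "(((( Title ))))" banners ComboFix prints and buckets each path in the "Other Deletions" section by where the file sat on disk. The log text embedded in it is a constructed excerpt of the log posted above; the category rules, the assumed C:\WINDOWS system root and all function and constant names are this example's own assumptions.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed excerpt of the ComboFix 07-09-18 log posted above: the section
# banners, a sample of the "Other Deletions" list and two "Files Created" lines.
COMBOFIX_LOG = r"""
ComboFix 07-09-18 - "Owner" 2007-09-17 16:59:57.1 - NTFSx86
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\DOCUME~1\Owner\APPLIC~1\macromedia\Flash Player\#SharedObjects\9HKBECCJ\www.broadcaster.com
C:\WINDOWS\180ax.exe
C:\WINDOWS\2020search.dll
C:\WINDOWS\system32\drivers\button_freescan.gif
C:\WINDOWS\system32\drivers\detect.htm
C:\WINDOWS\system32\drivers\secuity_center_logo.gif
C:\WINDOWS\system32\drivers\style.css
C:\WINDOWS\system32\msscds32.dll
C:\WINDOWS\system32\vxddsk.exe
E:\Autorun.inf

.
((((((((((((((((((((((((( Files Created from 2007-08-18 to 2007-09-18 )))))))))))))))))))))))))))))))
.

2007-09-17 16:58 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-08-19 13:44 4 --a------ C:\WINDOWS\system32\stfv.bin
""".strip()

SECTION_RE = re.compile(r"^\({3,}\s*(?P<title>.+?)\s*\){3,}$")
SYSROOT = "c:\\windows"  # assumption: %SystemRoot% as it appears in this log
WEB_EXT = {".gif", ".jpg", ".jpeg", ".png", ".htm", ".html", ".css", ".js"}

# Category labels are this example's own; they are not ComboFix output.
CAT_AUTORUN = "Autorun.inf on a non-system drive"
CAT_WEB_IN_DRIVERS = "web page assets under system32\\drivers"
CAT_WINROOT_EXE = "EXE/DLL directly in the Windows directory"
CAT_SYS32_EXE = "EXE/DLL in system32"
CAT_OTHER = "other"


def split_sections(log: str) -> Dict[str, List[str]]:
    """Group log lines under the '(((( Title ))))' banners; '.' and blank lines are padding."""
    sections: Dict[str, List[str]] = {"header": []}
    current = "header"
    for raw in log.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group("title")
            sections[current] = []
        elif line and line != ".":
            sections[current].append(line)
    return sections


def classify_path(path: str) -> str:
    """Bucket a deleted path by its location; the rules are heuristics, not a verdict."""
    p = path.lower()
    name = p.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    if re.fullmatch(r"[a-z]:\\autorun\.inf", p) and not p.startswith("c:"):
        return CAT_AUTORUN
    if p.startswith(SYSROOT + "\\system32\\drivers\\") and ext in WEB_EXT:
        return CAT_WEB_IN_DRIVERS
    if re.fullmatch(re.escape(SYSROOT) + r"\\[^\\]+\.(exe|dll)", p):
        return CAT_WINROOT_EXE
    if re.fullmatch(re.escape(SYSROOT) + r"\\system32\\[^\\]+\.(exe|dll)", p):
        return CAT_SYS32_EXE
    return CAT_OTHER


def summarize_deletions(log: str) -> Dict[str, int]:
    """Count the 'Other Deletions' entries per category."""
    deleted = split_sections(log).get("Other Deletions", [])
    return dict(Counter(classify_path(p) for p in deleted))


if __name__ == "__main__":
    for category, n in summarize_deletions(COMBOFIX_LOG).items():
        print(f"{n:3d}  {category}")
```

Run against the excerpt, the bucket that stands out is the web assets under system32\drivers: nothing legitimate renders GIFs, HTML and a stylesheet out of the drivers folder, and file names such as detect.htm, button_freescan.gif and secuity_center_logo.gif are what a rogue antispyware's fake scanner page looks like on disk. The Autorun.inf on E: deserves its own follow-up, since whatever removable drive was mounted there may reinfect the next machine it is plugged into.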
#6 RichieUK (Malware Response Team)

Posted 18 September 2007 - 03:48 AM

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)

Exit Hijackthis.

Find and delete:
C:\WINDOWS\system32\stfv.bin

Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log, and let me know how your PC is running now.


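What the HijackThis fix above actually targets, shown as an added example that is not part of RichieUK's post or of HijackThis itself: an O2 line ending in "(no file)" is a Browser Helper Object registration whose DLL has already been removed, so the only thing left to clean is the registry key the line was read from; an O20 AppInit_DLLs entry is a DLL that Windows loads into every process that uses user32.dll; an O23 service with "Unknown owner" is one whose binary carries no publisher information. The script below parses a constructed excerpt in the format of the logs in this thread and flags those three cases. The sample lines, function names and the `reg delete` output are this example's own; the two registry key paths are the standard locations for BHOs and AppInit_DLLs.

```python
"""Triage a HijackThis-style log offline.

Added example (not from the forum post): picks out the O2 BHO entries whose
DLL is gone ("(no file)"), any O20 AppInit_DLLs, and O23 services with no
identifiable publisher, and prints the registry locations behind them.
"""
import re

# Constructed sample in the format of the logs posted above (a short excerpt,
# not the full log).
SAMPLE_LOG = """\
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O4 - HKLM\\..\\Run: [RTHDCPL] RTHDCPL.EXE
O20 - AppInit_DLLs: C:\\PROGRA~1\\Google\\GOOGLE~1\\GOEC62~1.DLL
O23 - Service: ATI Smart - Unknown owner - C:\\WINDOWS\\system32\\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\\PROGRA~1\\Grisoft\\AVG7\\avgupsvc.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
SERVICE_RE = re.compile(r"^Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

# Registry locations the O2 and O20 sections are read from.
BHO_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
APPINIT_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows"


def parse_hjt(text):
    """Return [(section, body)] for every 'Oxx - ...' / 'Rx - ...' line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def find_orphaned_bhos(entries):
    """CLSIDs of O2 entries whose DLL no longer exists on disk."""
    found = []
    for section, body in entries:
        m = BHO_RE.match(body) if section == "O2" else None
        if m and m.group("path").strip() == "(no file)":
            found.append(m.group("clsid"))
    return found


def find_appinit_dlls(entries):
    """DLL paths listed under O20 AppInit_DLLs (loaded into every process that uses user32.dll)."""
    return [body[len("AppInit_DLLs:"):].strip()
            for section, body in entries
            if section == "O20" and body.startswith("AppInit_DLLs:")]


def find_unknown_owner_services(entries):
    """Image paths of O23 services whose owner field is 'Unknown owner'."""
    found = []
    for section, body in entries:
        m = SERVICE_RE.match(body) if section == "O23" else None
        if m and m.group("owner").strip() == "Unknown owner":
            found.append(m.group("path").strip())
    return found


def reg_delete_commands(clsids):
    """reg.exe commands that remove the BHO registration key each O2 line
    was read from (hypothetical helper; HijackThis does this through its GUI)."""
    return ['reg delete "%s\\%s" /f' % (BHO_KEY, c) for c in clsids]


def triage(text):
    entries = parse_hjt(text)
    return {
        "orphaned_bhos": find_orphaned_bhos(entries),
        "appinit_dlls": find_appinit_dlls(entries),
        "unknown_owner_services": find_unknown_owner_services(entries),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for key, items in report.items():
        print(key)
        for item in items:
            print("  ", item)
    print("AppInit_DLLs value lives under", APPINIT_KEY)
    for cmd in reg_delete_commands(report["orphaned_bhos"]):
        print(cmd)
```

Run it against a real log by reading the file into `triage()`. An orphaned BHO is harmless on its own (there is nothing to load), but the thirteen of them in the log above are a tell that something installed and then lost a lot of browser hooks, which is why the helper has them cleared before the next scan. The AppInit_DLLs and "Unknown owner" hits in this thread are legitimate Google and ATI components; the point of flagging them is that both positions are exactly where a persistent loader would sit, so each one deserves a look at the file rather than a reflexive fix.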
#7 sharster
  • Topic Starter
  • Members
  • 14 posts
  • Gender:Male

Posted 19 September 2007 - 05:14 PM

Computer seems much better, thank you.

Here are the logs

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 09/19/2007 at 06:37 PM

Application Version : 3.9.1008

Core Rules Database Version : 3308
Trace Rules Database Version: 1314

Scan type : Complete Scan
Total Scan Time : 03:27:18

Memory items scanned : 413
Memory threats detected : 0
Registry items scanned : 4963
Registry threats detected : 0
File items scanned : 257782
File threats detected : 198

Adware.Tracking Cookie
C:\Documents and Settings\Owner\Cookies\owner@roiservice[1].txt
C:\Documents and Settings\Owner\Cookies\owner@qksrv[2].txt
C:\Documents and Settings\Owner\Cookies\owner@2o7[1].txt
C:\Documents and Settings\Owner\Cookies\owner@apmebf[2].txt
C:\Documents and Settings\Owner\Cookies\owner@perf.overture[1].txt
C:\Documents and Settings\Owner\Cookies\owner@stats.becu[2].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@2o7[2].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@ad.yieldmanager[1].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@ads.pointroll[2].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@advertising[2].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@atdmt[1].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@casalemedia[1].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@citi.bridgetrack[2].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@edge.ru4[1].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@ehg-verizoncommunications.hitbox[2].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@fastclick[1].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@indexstats[2].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@mediaplex[1].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@realmedia[1].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@sales.liveperson[2].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@server.iad.liveperson[1].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@tribalfusion[1].txt
C:\My Backup -- 06-12-30 1228PM\Documents and Settings\Owner\Cookies\owner@zedo[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@-1shz2prbmdj6wvny-1sez2pra2dj6wfkyomc5wloq-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@-1shz2prbmdj6wvny-1sez2pra2dj6wjl4ugd5kgpa-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1gajcgqaidj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1kazikpw2dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1lajsfpqqdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1sdjcepqudj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1sdjkkpq6dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@-1shz2prbmdj6wvny-1sez2pra2dj6wjnyogdpacqa-1dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@112.2o7[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@247realmedia[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@2o7[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@a-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1mcjalpaudj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@a-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1mczokow6dj6x9ny-1seq-2-2.stats.esomniture[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@a-1shz2prbmdj6wvny-1sez2pra2dj6wjny-1odjwaog6dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@a.websponsors[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ad.usatoday[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@adbrite[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@adcentriconline[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@admarketplace[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@adopt.euroclick[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@adopt.specificclick[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@adorigin[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@adprofile[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ads.addesktop[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ads.adorigin[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ads.as4x.tmcs.ticketmaster[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ads.as4x.tmcs[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ads.gorillanation[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ads.partyradio[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ads.pointroll[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ads.specificclick[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ads.vnuemedia[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ads1.rodale[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ads4.clearchannel[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@adultfriendfinder[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@advertising[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@atdmt[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@atwola[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@azjmp[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@banner.aspinallsonlinecasino[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@banner1.inet-traffic[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@bannerspace[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@bestoffersnetworks[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@bizrate[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@bluestreak[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@btg.btgrab[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@burstnet[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@casalemedia[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@cassava[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@cbs.112.2o7[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@clickability[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@cliks[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@cz4.clickzs[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@cz6.clickzs[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@cz7.clickzs[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@dealtime[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@deletenow.directtrack[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@directtrack[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@discount-adult-shop[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@dist.belnk[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@doubleclick[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@e-2dj6wjlyugd5odo.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@e-2dj6wjny-1sd5sk.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@edge.ru4[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ehg-ads.hitbox[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ehg-foxsports.hitbox[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@ehg-phe.hitbox[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@emarketmakers[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@exitexchange[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@fastclick[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@gostats[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@hitbox[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@http.edge.vru4[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@icc.intellisrv[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@indextools[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@install.xxxtoolbar[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@intellisrv[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@livestats.mediaclay[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@mediamgr.ugo[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@mediaplex[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@media[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@medium21.directtrack[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@metareward[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@msnportal.112.2o7[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@netfastmedia[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@newsexgallery[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@nextag[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@offeroptimizer[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@offeroptimizer[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@offeroptimizer[4].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@offeroptimizer[5].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@onlinerewardcenter[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@partner2profit[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@partypoker[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@pch.122.2o7[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@questionmarket[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@realmedia[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@rightmedia[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@roiservice[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@rotator.adjuggler[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@rxxx[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@sales.liveperson[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@server.iad.liveperson[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@serving-sys[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@specificpop[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@stat.dealtime[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@tacoda[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@teensforcash[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@tour.splash.sexsearch[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@tracking.cashpartner[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@tracking[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@webpower[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@windowsmedia[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.adultplayersclub[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.azoogleads[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.burstbeacon[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.countercentral[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.coversexperts[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.dgm2[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.directnetadvertising[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.epilot[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.goldentigercasino[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.jointheporn[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.somethingsexyplanet[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.ticketsnow1[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.ticketsnow[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.vnuemedia[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.windowsmedia[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.xxx69[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.xxxtoolbar[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@www.yfdmedia[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wfk4wnd5obqaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkiaodjsgqaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkogldpkhpawdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wfkyqnazokqa2dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4chdzwcowudj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjk4cncpolpaidj6x9ny-1seq-2-2.stats.esomniture[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoahdjohowsdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkoeocpkfoa6dj6x9ny-1seq-2-2.stats.esomniture[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkokodzghogidj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkowjajcbow2dj6x9ny-1seq-2-2.stats.esomniture[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyagdjkkpw6dj6x9ny-1seq-2-2.stats.esomniture[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkycgcpilpwudj6x9ny-1seq-2-2.stats.esomniture[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyogcpcfoaudj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyohajodowsdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkysmc5aeoasdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkyujajodpwudj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjkywgc5ehpa2dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliakazwlqq2dj6x9ny-1seq-2-2.stats.esomniture[1].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliohcpkbow6dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjliulczgkpqsdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlocidjeeog6dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjloehdjcboq2dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlyeld5mkpqidj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjlysmdpkhowwdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmicndpogpwqdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjmigmcpoloqydj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyamazocpgydj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnycmcpiaoa6dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyeoazsgpgudj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyeocpkbpq2dj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyggc5afoaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnygiazefpgydj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnygkdpifqqwdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyoic5oaoaqdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyolczshqqmdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@y-1shz2prbmdj6wvny-1sez2pra2dj6wjnyuhdpakqqsdj6x9ny-1seq-2-2.stats.esomniture[2].txt
D:\Documents and Settings\cobra_39\Cookies\cobra_39@youcansave.directtrack[2].txt

Trojan.Downloader-FakeRX
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MSSCDS32.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\RP229\A0016821.DLL

Torjan.SecondThoughtInstaller
C:\WINDOWS\INSTALLER\ID53.EXE

Adware.WhenU
D:\DOCUMENTS AND SETTINGS\COBRA_39\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\QL5A7EHW\SAVEUPDATE[1].EXE


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:13:00 PM, on 9/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
C:\Program Files\Google\Google Desktop Search\GoogleDesktopDisplay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe
C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WMP54Gv4.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\msiexec.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = "C:\Program Files\Outlook Express\msimn.exe"
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\windows\system32\BAE.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Recguard] %WINDIR%\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [Reminder] %WINDIR%\Creator\Remind_XP.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1167510679\EE\AOLHostManager.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
O4 - HKCU\..\Run: [OfotoNow USB Detection] C:\WINDOWS\system32\RunDLL32.exe C:\PROGRA~1\Ofoto\OfotoNow\OFUSBS.DLL,WatchForConnection OfotoNow
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [Power2GoExpress] NA (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Power2GoExpress] NA (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1167604245484
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: PrismXL - New Boundary Technologies, Inc. - C:\Program Files\Common Files\New Boundary\PrismXL\PRISMXL.SYS
O23 - Service: WMP54Gv4SVC - GEMTEKS - C:\Program Files\Linksys Wireless-G PCI Wireless Network Monitor\WLService.exe

--
End of file - 6647 bytes

#8 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 19 September 2007 - 05:38 PM

Your log is clean :thumbsup:
If all's OK, please do the following.
Find and delete:
Combofix.exe
SDFix.exe

C:\qoobox
C:\SDFix

Download and install CCleaner:
http://www.ccleaner.com/download/builds/downloading-slim

Set Options in CCleaner and run Cleaning Scan.
Open CCleaner if it's not already running.
*Note*
Do not use the Issues block to clean anything with this program.
It is for experts only and it is risky.

Select Cleaner Settings.
Check Internet Explorer, Windows Explorer, and System so that all items are checked.
In the Advanced section, have a check only on Old PreFetch Data.

Click on the Options block on the left.
Select Advanced.
Uncheck "Only delete files in Windows Temp folders older than 48 hours".

Set Cookie Retention.
Click on the Options block on the left, then choose Cookies.
Under the Cookies to delete pane, highlight any cookies you would like to retain permanently (those companies or sites with which you regularly visit or do business), and click the right arrow > to move them to the Cookies to keep pane.

Run Cleaning Scan.
Click on the Cleaner block on the left.
Choose the Windows tab.
Click the Run Cleaner button.
This process could take a while.
When CCleaner shows how much has been removed, cleaning is finished.


Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be added automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear; click on OK.
The 'Disk Cleanup for [C:]' box will appear; click on the 'More Options' tab.
At the bottom, in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up: 'Are you sure you want to delete all but the most recent restore point?'. Click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

Read through the information found here, to help you prevent any possible future infections.
'How to prevent Malware' by miekiemoes:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

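Why the cleanup above ends with deleting C:\qoobox and purging all but the newest restore point, shown as an added example that is not part of RichieUK's post: in the SUPERAntiSpyware log posted earlier, the Trojan.Downloader-FakeRX hits are a .VIR copy inside ComboFix's quarantine folder (C:\QOOBOX\QUARANTINE) and a copy inside a System Restore point, and the Adware.WhenU hit is in the Internet Explorer cache. None of those are running code, but a restore to RP229 would bring the DLL back, which is what the Disk Cleanup step prevents. The script below parses a constructed excerpt of that log and sorts each path by where it lives so the genuinely live items (here, C:\WINDOWS\INSTALLER\ID53.EXE) stand out. The classification names and the parser are this example's own; the path patterns are the standard XP locations for restore points, the ComboFix quarantine, IE cookies and the IE cache.

```python
"""Sort a SUPERAntiSpyware detection list by where each hit actually lives.

Added example (not from the forum post).  A hit under a quarantine folder or
inside a System Restore point is an inert copy: it still has to go, but it is
not running code, which is why the thread ends with deleting C:\\qoobox and
purging old restore points.
"""
import re
from collections import Counter, defaultdict

# Constructed excerpt in the format of the scan log posted above.
SAMPLE_SAS_LOG = """\
SUPERAntiSpyware Scan Log
Application Version : 3.9.1008

Adware.Tracking Cookie
C:\\Documents and Settings\\Owner\\Cookies\\owner@doubleclick[1].txt
D:\\Documents and Settings\\cobra_39\\Cookies\\cobra_39@2o7[1].txt

Trojan.Downloader-FakeRX
C:\\QOOBOX\\QUARANTINE\\C\\WINDOWS\\SYSTEM32\\MSSCDS32.DLL.VIR
C:\\SYSTEM VOLUME INFORMATION\\_RESTORE{F845E3DB-F751-4BE4-A620-64F2CA1BFB5F}\\RP229\\A0016821.DLL

Torjan.SecondThoughtInstaller
C:\\WINDOWS\\INSTALLER\\ID53.EXE

Adware.WhenU
D:\\DOCUMENTS AND SETTINGS\\COBRA_39\\LOCAL SETTINGS\\TEMPORARY INTERNET FILES\\CONTENT.IE5\\QL5A7EHW\\SAVEUPDATE[1].EXE
"""

PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_sas_detections(text):
    """Map detection family -> list of paths.  A family name is any non-path
    line and stays current until a blank line.  Header lines never precede a
    path, so they collect nothing and drop out."""
    families = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None
        elif PATH_RE.match(line):
            if current is not None:
                families[current].append(line)
        else:
            current = line
    return dict(families)


def classify_path(path):
    """Where on the disk a detection sits, most-inert locations first."""
    p = path.upper()
    if "\\SYSTEM VOLUME INFORMATION\\_RESTORE" in p:
        return "restore-point"      # snapshot copy; purged via Disk Cleanup
    if "\\QOOBOX\\QUARANTINE\\" in p or p.endswith(".VIR"):
        return "quarantine"         # already neutralised by ComboFix
    if "\\COOKIES\\" in p:
        return "cookie"             # tracking data, not executable
    if "\\TEMPORARY INTERNET FILES\\" in p:
        return "browser-cache"      # downloaded, never installed
    return "live"                   # on the real filesystem: look at it


def summarize(text):
    """Per-family counts by location plus the list of live paths."""
    families = parse_sas_detections(text)
    per_family = {f: dict(Counter(classify_path(p) for p in paths))
                  for f, paths in families.items()}
    live = [p for paths in families.values() for p in paths
            if classify_path(p) == "live"]
    return {"families": per_family, "live_threats": live}


if __name__ == "__main__":
    result = summarize(SAMPLE_SAS_LOG)
    for family, counts in result["families"].items():
        print(family, counts)
    print("live:", result["live_threats"])
```

Feed it the full log by reading the scan log file into `summarize()`; the 198 file hits in this thread collapse to a short per-family table, and the only live executable is the one MSI package in C:\WINDOWS\INSTALLER. The restore-point copy is the reason the helper has the user create a fresh restore point first and then delete all the older ones: System Restore will happily reinstate an infected DLL from RP229 otherwise.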


