Really Need Help With W32.trojan.... Winlogan.exe


13 replies to this topic

#1 Infamous33

  • Members
  • 7 posts

Posted 14 December 2007 - 03:04 PM

Hello all, I hope someone can help.
I seem to have a nasty virus right now. I have gone through and cleaned up many, many items...
It appears that I have the worst bug that I have ever seen: my control panel icon is gone, and the comp shuts down if I navigate close to any of 'its' files. It has now started internet redirecting.
Ad-Aware 2007 and Spybot S&D either come up with exceptions or cause a reboot.
I can only run smart scan in AAW, and every time it finds @100-130 files, with the main one being Win32.Trojan.BHO.
I have done some research, as I normally can catch and clean these things, and it seems I have a version of the Sasser....
I have posted the most recent HJT log, after I played for a bit with it.
Note: I removed the 04 ----------- winlogan.exe lines (there were 2), hoping to get the PC back long enough to run AAW or S&D.
Thanks in advance for any help !!!
Edit: I could not run any online scans, as it either shuts them down, locks the PC or redirects...
Also, I could not run any checks or the AV programs in safe mode; both AAW and SB come up with an error like 'the file has been changed and aaw could not continue'.
Hope this helps. I tried to run everything you ask for before posting; it was just too hard.

Hope I posted this correctly....
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:32:20 PM, on 12/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\shell.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wbem\csrss.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: C:\WINDOWS\system32\Lfj95jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O2 - BHO: C:\WINDOWS\system32\Frjkfl4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Smapp] C:\Program Files\Analog Devices\SoundMAX\SMTray.exe
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Uninstall Information] C:\WINDOWS\TEMP\inyuleja.exe
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [JumpStart Spy Masters] C:\WINDOWS\TEMP\inyuleja.exe
O4 - HKLM\..\Run: [Norton AntiVirus] C:\WINDOWS\TEMP\inyuleja.exe
O4 - HKLM\..\Run: [ffdshow] C:\WINDOWS\TEMP\inyuleja.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Startup: findfast.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197655950875
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://www.ins-squad.com/LaunchGame.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{482B60C4-66EE-4206-A2FA-9A205B705494}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\..\{864AF381-8CDD-4C8C-BD74-523A5FE1B32B}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\..\{F307CBDC-C5FF-4E1E-A2BE-D14ABDD580D4}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 11398 bytes

Thanks again,
Infamous

Edited by Infamous33, 14 December 2007 - 03:22 PM.
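The log above carries several patterns a defender can pick out mechanically rather than by eye: four Run values under different names ([Uninstall Information], [JumpStart Spy Masters], [Norton AntiVirus], [ffdshow]) that all launch the same file in C:\WINDOWS\TEMP, a csrss.exe copy living in system32\wbem, a spoolvs.exe that is one letter-swap away from spoolsv.exe, a Shell= value that chains a second executable after Explorer, an AppInit_DLLs entry, a service whose binary is missing and whose owner is unknown, and NameServer values pointing at public addresses on every interface and control set. The script below is an added example (not code from the thread, from HijackThis, or from any tool mentioned here) that applies those checks to a constructed subset of the posted log. SYSTEM_DIRS assumes a default C:\WINDOWS install; the rule names and the 'edit distance of 2' threshold are choices made for this example.

```python
"""Heuristic triage of HijackThis (HJT) log lines.

Added example; not code from the thread, from HijackThis or from any tool it
mentions. SAMPLE_LOG is a constructed subset modelled on the log posted above.
"""
import ipaddress
import re
from collections import defaultdict

# Process names malware imitates, and where the real binaries live on a default
# XP install (assumption: C:\WINDOWS is the system root).
SYSTEM_PROCS = {"csrss.exe", "winlogon.exe", "svchost.exe", "spoolsv.exe",
                "lsass.exe", "services.exe", "smss.exe", "explorer.exe"}
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}

O4_RE = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O17_RE = re.compile(r"^O17 - .*NameServer = (?P<servers>[\d., ]+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")

SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Uninstall Information] C:\WINDOWS\TEMP\inyuleja.exe
O4 - HKLM\..\Run: [Norton AntiVirus] C:\WINDOWS\TEMP\inyuleja.exe
O4 - HKLM\..\Run: [ffdshow] C:\WINDOWS\TEMP\inyuleja.exe
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
"""


def levenshtein(a, b):
    """Plain edit distance, used to catch near-miss spellings of system names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def exe_path(cmd):
    """Executable path from a Run value: the quoted path, or the text up to '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"(.*?\.exe)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ")[0]


def masquerade(path):
    """Flag a system-process name in the wrong folder, or a near-miss spelling of one."""
    folder, _, name = path.strip().lower().rpartition("\\")
    if name in SYSTEM_PROCS:
        if folder and folder not in SYSTEM_DIRS:
            return f"{path} uses a system process name outside its normal folder"
        return None
    closest = min(SYSTEM_PROCS, key=lambda real: levenshtein(name, real))
    return f"{path} resembles {closest}" if levenshtein(name, closest) <= 2 else None


def review(log_text):
    """Walk an HJT log; return (rule, detail) leads for a human to triage."""
    findings, public_dns = [], set()
    run_targets = defaultdict(set)  # lower-cased exe -> Run value names launching it
    for line in (raw.strip() for raw in log_text.splitlines()):
        if line.startswith("F2 - REG:system.ini: Shell="):
            value = line.split("Shell=", 1)[1]
            if value.lower() != "explorer.exe":        # anything chained after Explorer
                findings.append(("shell-hijack", value))
        elif line.startswith("O20 - AppInit_DLLs:"):    # loaded into every user32 process
            findings.append(("appinit-dll", line.split(":", 1)[1].strip()))
        elif m := O4_RE.match(line):
            exe = exe_path(m.group("cmd"))
            run_targets[exe.lower()].add(m.group("name"))
            if "\\temp\\" in exe.lower():
                findings.append(("autorun-temp", f"[{m.group('name')}] {exe}"))
            if msg := masquerade(exe):
                findings.append(("autorun-masquerade", msg))
        elif m := O17_RE.match(line):
            for ip in re.split(r"[ ,]+", m.group("servers").strip()):
                if not ipaddress.ip_address(ip).is_private:
                    public_dns.add(ip)
        elif (m := O23_RE.match(line)) and m.group("owner") == "Unknown owner" \
                and "(file missing)" in m.group("path"):
            findings.append(("service-orphan", f"{m.group('svc')}: {m.group('path')}"))
    for exe, names in run_targets.items():
        if len(names) > 1:   # one binary registered under several innocuous-looking names
            findings.append(("autorun-shared-target", f"{sorted(names)} -> {exe}"))
    findings += [("dns-public", ip) for ip in sorted(public_dns)]
    return findings


if __name__ == "__main__":
    for rule, detail in review(SAMPLE_LOG):
        print(f"{rule:24} {detail}")
```

Each finding is a lead for a person to check, not a verdict: an ISP's resolvers are public too, so the dns-public rule earns its keep only when the same pair appears on every interface and in every control set as it does here, and some legitimate installers do register odd-looking autoruns. The shared-target rule is the most specific one in this log, since no legitimate product registers itself as ffdshow, Norton AntiVirus and a JumpStart game at once.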



#2 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 14 December 2007 - 08:04 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, Infamous33.
My name is Richie and I'll be helping you to fix your problems.

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/pc inoperable.

Now download Combofix and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Disconnect from the Internet.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded Combofix or while you use Combofix, please disable your scanner and redownload Combofix again.
Some scanners may see some combofix related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new Hijackthis log please.

#3 Infamous33
  • Topic Starter

  • Members
  • 7 posts

Posted 14 December 2007 - 10:19 PM

Well, I tried to run the program and it restarted the PC while in safe mode. I disabled auto restart and reran the program 3 more times.
It got to the point of checking files, stopped at 75% complete and hung for about 5 minutes before shutting that prog. down and sitting at a blank screen.
All three times I got the same result; any ideas???
Here is the report file, not sure if it is any good though.
I did receive a bunch of bad Windows image notices when the PC restarted. They indicated a 'wowfx' dll file.
Hopefully this helps a little, and thanks for everything !!
SDFix: Version 1.118

Run by Administrator on Fri 12/14/2007 at 09:33 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Microsoft Inet Service
Microsoft Inet Service

Path:

Microsoft Inet Service - Deleted
Microsoft Inet Service - Deleted

Killing PID 360 'shell.exe'
Killing PID 360 'shell.exe'
Killing PID 1108 'shell.exe'
Killing PID 360 'shell.exe'
Killing PID 1108 'shell.exe'
Killing PID 1140 'shell.exe'

That should be the newest file, as it is named simply 'report'.
Here is the other file, called 'report 1'; not sure if it will help either.
SDFix: Version 1.118

Run by Administrator on Fri 12/14/2007 at 09:21 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
Microsoft Inet Service

Path:
C:\WINDOWS\system32\_svchost.exe -A

Microsoft Inet Service - Deleted

Killing PID 360 'shell.exe'
Killing PID 360 'shell.exe'
Killing PID 1108 'shell.exe'


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

#4 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 15 December 2007 - 08:00 AM

Follow the Combofix instructions now please.

If you have problems running Combofix, do the following instead:

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.

#5 Infamous33
  • Topic Starter

  • Members
  • 7 posts

Posted 15 December 2007 - 09:38 AM

Hey Richie,
The first time I ran ComboFix, it hung and Explorer quit. It did get part way through its process though. I had to restart the PC and when I did, everything seemed better.
I found the combofix.txt file and it was all but blank.
My control panel came back and I was able to go into it as well. I reran ComboFix since, as far as I could tell, it didn't complete its processes.
Everything went perfectly the second time and here is the logfile. Not sure if it will do any good, as it is the same file that was saved the first time.


ComboFix 07-12-15.5 - Administrator 2007-12-15 9:16:28.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.728 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

Here is the latest HJT logfile; perhaps this will tell you more?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 09:22, on 2007-12-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wbem\csrss.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: C:\WINDOWS\system32\Lfj95jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O2 - BHO: C:\WINDOWS\system32\Frjkfl4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll
O3 - Toolbar: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197655950875
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://www.ins-squad.com/LaunchGame.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{482B60C4-66EE-4206-A2FA-9A205B705494}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\..\{864AF381-8CDD-4C8C-BD74-523A5FE1B32B}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\..\{F307CBDC-C5FF-4E1E-A2BE-D14ABDD580D4}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8207 bytes

Thank you very much for your efforts; my wife and I are very pleased. Now I can keep her from using my gaming PC !!!!
I will wait to hear from you before I run AAW or SB. Thanks again.
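Set side by side, the first log in this thread and the post-ComboFix log above show exactly what the tools removed and what survived: the TEMP autoruns, the spoolvs.exe entry, the Shell= chain and the AppInit_DLLs entry are gone, while the two unnamed BHO DLLs, their SharedTaskScheduler entries and the 85.255.x.x NameServer values are still in place, and the Winlogon Notify entry now points at a file that no longer exists. The script below is an added example (not code from the thread or from any tool it mentions) that classifies the items of two HJT logs that way; BEFORE and AFTER are constructed subsets modelled on those two logs.

```python
"""Compare two HijackThis logs taken before and after a clean-up run.

Added example; not part of the thread or of any tool it mentions. BEFORE and
AFTER are constructed subsets modelled on the first log and the post-ComboFix
log above, so the output shows which hijacks the tools actually removed.
"""
import re

ITEM_RE = re.compile(r"^(R\d|F\d|O\d+) - ")   # HJT item lines: R0/R1/F2/O2..O23
MISSING = " (file missing)"

BEFORE = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\shell.exe
O2 - BHO: C:\WINDOWS\system32\Lfj95jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O4 - HKLM\..\Run: [Uninstall Information] C:\WINDOWS\TEMP\inyuleja.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O20 - AppInit_DLLs: C:\WINDOWS\system32\wowfx.dll
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
"""

AFTER = r"""
O2 - BHO: C:\WINDOWS\system32\Lfj95jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
"""


def hjt_items(text):
    """Map each HJT item line to its raw text, keyed without the '(file missing)'
    tag so the same registry entry matches whether or not its target still exists."""
    items = {}
    for line in text.splitlines():
        line = line.strip()
        if ITEM_RE.match(line):
            items[line.replace(MISSING, "")] = line
    return items


def compare(before, after):
    """Bucket every item as removed, added, persisting, or orphaned (entry kept, file gone)."""
    b, a = hjt_items(before), hjt_items(after)
    result = {"removed": [], "added": [], "persisting": [], "orphaned": []}
    for key in sorted(set(b) | set(a)):
        if key not in a:
            result["removed"].append(key)
        elif key not in b:
            result["added"].append(key)
        elif MISSING in a[key] and MISSING not in b[key]:
            result["orphaned"].append(key)   # registry still references a deleted file
        else:
            result["persisting"].append(key)
    return result


def survivors(result):
    """Items that still need attention after the clean-up run."""
    return result["persisting"] + result["orphaned"]


if __name__ == "__main__":
    outcome = compare(BEFORE, AFTER)
    for bucket, keys in outcome.items():
        print(f"== {bucket} ({len(keys)})")
        for key in keys:
            print("  ", key)
```

On a full log the persisting bucket also holds every legitimate entry (the Google toolbar, Java, the Symantec services), so in practice you diff only the items you had already marked suspect in the first log. A non-empty survivors() list is the signal that clean-up is unfinished: here the BHO DLLs, the SharedTaskScheduler hooks and the NameServer override all survived SDFix and ComboFix, which is why the helper keeps asking for another log rather than declaring the machine clean.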

#6 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 15 December 2007 - 09:42 AM

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
* Close all other windows before proceeding.
* Double-click on dss.exe and follow the prompts.
* When it has finished, DSS will open two Notepads: main.txt and extra.txt
* Use Save As to save both Notepad files to your Desktop and post them in your next reply.

#7 Infamous33
  • Topic Starter

  • Members
  • 7 posts

Posted 15 December 2007 - 10:51 AM

Here are the 2 files, sorry if I misunderstood before.


Deckard's System Scanner v20071014.68
Run by Administrator on 2007-12-15 10:40:01
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
74: 2007-12-15 15:40:13 UTC - RP541 - Deckard's System Scanner Restore Point
73: 2007-12-15 14:12:28 UTC - RP540 - Removed Norton WMI Update
72: 2007-12-15 13:51:58 UTC - RP539 - ComboFix created restore point
71: 2007-12-13 21:50:06 UTC - RP538 - Installed Ad-Aware 2007
70: 2007-10-27 12:21:50 UTC - RP537 - Installed Java™ 6 Update 3


-- First Restore Point --
1: 2006-01-14 05:11:46 UTC - RP468 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.



-- HijackThis (run as Administrator.exe) ---------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:41, on 2007-12-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wbem\csrss.exe
C:\PROGRA~1\AWS\WEATHE~1\Weather.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Administrator.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: C:\WINDOWS\system32\Lfj95jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O2 - BHO: C:\WINDOWS\system32\Frjkfl4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll
O3 - Toolbar: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
O4 - HKCU\..\Run: [Weather] C:\PROGRA~1\AWS\WEATHE~1\Weather.exe 1
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197655950875
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://www.ins-squad.com/LaunchGame.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{482B60C4-66EE-4206-A2FA-9A205B705494}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\..\{864AF381-8CDD-4C8C-BD74-523A5FE1B32B}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\..\{F307CBDC-C5FF-4E1E-A2BE-D14ABDD580D4}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 8290 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20071214-142649-113 O4 - HKUS\S-1-5-18\..\Run: [Windows Rescue System] C:\WINDOWS\TEMP\winsto.exe (User 'SYSTEM')
backup-20071214-142649-144 R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20071214-142649-203 O4 - HKUS\S-1-5-18\..\Run: [default] C:\Documents and Settings\LocalService\scvhost.exe (User 'SYSTEM')
backup-20071214-142649-236 O4 - HKUS\S-1-5-18\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
backup-20071214-142649-401 O4 - HKUS\.DEFAULT\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
backup-20071214-142649-818 O4 - Startup: findfast.exe
backup-20071214-142649-841 O2 - BHO: (no name) - {68D23FC9-B16E-B486-7B44-0BB9D2141287} - C:\Program Files\Gzwolsgf\dtpjniqx.dll (file missing)
backup-20071214-142649-935 O4 - HKUS\S-1-5-18\..\Run: [main] C:\WINDOWS\System32\drivers\sysdrv.exe (User 'SYSTEM')
backup-20071214-142650-339 O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe (file missing)
backup-20071214-142650-816 O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

-- File Associations -----------------------------------------------------------

.txt - txtfile - shell\open\command - C:\WINDOWS\System32\drivers\sysdrv.exe %1


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ANIO (ANIO Service) - c:\windows\system32\anio.sys <Not Verified; Alpha Networks Inc.; ANIO (NT5) Driver>
R2 aslm75 - c:\windows\system32\drivers\aslm75.sys
R3 RadProbe (Radeon Probe Driver) - c:\windows\system32\drivers\radprobe.sys <Not Verified; ChrisW; RadProbe>

S3 catchme - c:\docume~1\admini~1\locals~1\temp\catchme.sys (file missing)
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
S3 SYMIDSCO - c:\progra~1\common~1\symant~1\symcdata\ids-di~1\20071212.001\symidsco.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 Microsoft Inet Service - c:\windows\system32\_svchost.exe -a (file missing)
S4 ANIWZCSdService (ANIWZCSd Service) - c:\program files\ani\aniwzcs2 service\aniwzcsds.exe (file missing)
S4 ATI Smart - c:\windows\system32\ati2sgag.exe (file missing)


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Files created between 2007-11-15 and 2007-12-15 -----------------------------

2007-12-15 09:18:41 60416 --a------ C:\WINDOWS\system32\drivers\ComboFix.sys
2007-12-15 08:13:52 126 --a------ C:\Documents and Settings\Administrator\c200.bat
2007-12-14 21:12:28 0 d-------- C:\WINDOWS\ERUNT
2007-12-14 14:19:41 0 d-------- C:\Program Files\Trend Micro
2007-12-13 16:50:08 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-13 16:49:44 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 21:07:21 25088 -r-hs---- C:\Program Files\lsass.exe <Not Verified; MskSoftStudy Corp.; Anti-Virus Project (AVP) spyware removal module>
2007-12-12 20:54:36 0 d-------- C:\WINDOWS\system32\dtijrgqh
2007-12-12 20:54:30 0 d-------- C:\WINDOWS\PerfInfo
2007-12-12 20:53:06 0 d-------- C:\Program Files\RichVideoCodec
2007-12-12 20:51:20 0 d-------- C:\Documents and Settings\LocalService\Application Data\Google
2007-12-12 20:51:17 0 dr------- C:\Documents and Settings\LocalService\Favorites
2007-12-12 20:50:48 10000 --a------ C:\WINDOWS\system32\Lfj95jg.dll
2007-12-12 20:50:48 10000 --a------ C:\WINDOWS\system32\Frjkfl4g.dll
2007-11-29 22:16:14 0 d-------- C:\Documents and Settings\All Users\Application Data\FunGames


-- Find3M Report ---------------------------------------------------------------

2007-12-15 09:13:12 0 d-------- C:\Program Files\Common Files\Symantec Shared
2007-12-15 09:12:05 0 d-------- C:\Program Files\Symantec
2007-12-15 09:08:15 0 d-------- C:\Program Files\Common Files
2007-12-13 17:43:03 0 d-------- C:\Program Files\Google
2007-12-13 16:50:49 0 d-------- C:\Program Files\Lavasoft
2007-12-13 16:50:48 0 d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-12-12 20:56:32 0 d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
2007-12-12 17:49:28 0 d-------- C:\Documents and Settings\Administrator\Application Data\WeatherBug
2007-10-27 07:22:40 0 d-------- C:\Program Files\Java


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]
2007-12-12 20:50 10000 --a------ C:\WINDOWS\system32\Lfj95jg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]
2007-12-12 20:50 10000 --a------ C:\WINDOWS\system32\Frjkfl4g.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AtiPTA"="atiptaxx.exe" [2005-03-22 19:05 C:\WINDOWS\system32\atiptaxx.exe]
"D-Link Wireless G WDA-1320"="C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe" [2005-12-14 15:56]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 22:46]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-11-06 20:47]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"csrss"="C:\WINDOWS\system32\wbem\csrss.exe" [2007-12-14 11:51]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 02:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Weather"="C:\PROGRA~1\AWS\WEATHE~1\Weather.exe" [2006-04-07 14:02]
"BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-23 17:14]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-09-23 20:09:32]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AC49A2-94F2-42BD-F434-2604812C897D}"= C:\WINDOWS\system32\Lfj95jg.dll [2007-12-12 20:50 10000]
"{B5AF0562-94F3-42BD-F434-2604812C797D}"= C:\WINDOWS\system32\Frjkfl4g.dll [2007-12-12 20:50 10000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{35B2861B-2B26-4691-9FF0-09083722C736}"= C:\WINDOWS\system32\RadExe.dll [2005-04-27 23:30 188416]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\partnershipreg]
C:\Documents and Settings\All Users\Documents\Settings\partnership.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, wowfx.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"SideWinderTrayV4"=C:\PROGRA~1\MICROS~4\GAMECO~1\common\swtrayv4.exe
"CheckWinPerf"=C:\WINDOWS\system32\183aa.exe
"_"=c:\windows\system32\drivers\dcbcg.exe
"avp"=C:\WINDOWS\1197231476.exe
"SC2"=C:\Program Files\SecCenter\scprot4.exe
"csrss"=C:\WINDOWS\system32\wbem\csrss.exe




-- Hosts -----------------------------------------------------------------------

10.18.250.4 ad.doubleclick.net
10.18.250.4 ad.fastclick.net
10.18.250.4 ads.fastclick.net
10.18.250.4 ar.atwola.com
10.18.250.4 atdmt.com
10.18.250.4 avp.ch
10.18.250.4 avp.com
10.18.250.4 avp.ru
10.18.250.4 awaps.net
10.18.250.4 banner.fastclick.net

90 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2007-12-15 10:41:26 ------------



Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel® Pentium® 4 CPU 2.80GHz
CPU 1: Intel® Pentium® 4 CPU 2.80GHz
Percentage of Memory in Use: 29%
Physical Memory (total/avail): 1022.73 MiB / 718.13 MiB
Pagefile Memory (total/avail): 3028.41 MiB / 2817.65 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1938.55 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 74.53 GiB total, 50.01 GiB free.
D: is CDROM (CDFS)
E: is Fixed (FAT32) - 9.54 GiB total, 2.9 GiB free.
F: is CDROM (No Media)

\\.\PHYSICALDRIVE1 - WDC WD102AA - 9.55 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 9.54 GiB - E:

\\.\PHYSICALDRIVE0 - WDC WD800JB-00FMA0 - 74.53 GiB - 1 partition
\PARTITION0 (bootable) - Installable File System - 74.53 GiB - C:



-- Security Center -------------------------------------------------------------

AUOptions is disabled.
Windows Internal Firewall is enabled.


[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Administrator\Application Data
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=FAMILYCOMP
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
LOGONSERVER=\\FAMILYCOMP
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 3 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0303
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=FAMILYCOMP
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Installshield Installation Information\{08082022-2a50-4196-8196-a6f86d6e8f12}\QBReplace.exe {08082022-2a50-4196-8196-a6f86d6e8f12}#{01288593-26bb-4b3a-a04e-0a4ed28cc937}
--> MsiExec.exe /I{922907C8-B9A7-45A8-98B8-A2D3280756D2}
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware 2007 --> MsiExec.exe /I{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Download Manager 2.2 (Remove Only) --> "C:\Program Files\Common Files\Adobe\ESD\uninst.exe"
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Adobe Photoshop CS --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EFB21DE7-8C19-4A88-BB28-A766E16493BC}\setup.exe" -l0x9
Adobe Reader 7.0.8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A70800000002}
Adobe® Photoshop® Album Starter Edition 3.0 --> MsiExec.exe /I{4BDFD2CE-6329-42E4-9801-9B3D1F10D79B}
ANIO Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{7B5CE976-C7A9-4E38-A7F3-6C8EF025DD8E}\Setup.exe"
ANIWZCS2 Service --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{4C590030-7469-453E-8589-D15DA9D03F52}\Setup.exe"
ASUS Probe V2.21.04 --> C:\WINDOWS\uninst.exe -f"C:\Program Files\ASUS\Probe\DeIsL1.isu" -c"C:\Program Files\ASUS\Probe\probunis.dll"
ATI Display Driver (Omega 2.6.25a) --> rundll32 C:\WINDOWS\system32\atiiiexx.dll,_InfEngUnInstallINFFile_RunDLL@16 -force_restart -flags:0x2010001 -inf_class:DISPLAY -clean
Avery DesignPro --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2CC982C0-7EAE-11D4-ACC3-0050568AD318}\Setup.exe" -uninst
CardRd81 --> MsiExec.exe /I{54C8FE84-89C4-40E8-976C-439EB0729BD6}
CCScore --> MsiExec.exe /I{B4B44FE7-41FF-4DAD-8C0A-E406DDA72992}
CoffeeCup Direct FTP --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\0701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EC90EAE9-0E03-44A1-BF36-0B670B8B8E19}\Setup.exe" -l0x9
CR2 --> MsiExec.exe /I{432C3720-37BF-4BD7-8E49-F38E090246D0}
ESSBrwr --> MsiExec.exe /I{643EAE81-920C-4931-9F0B-4B343B225CA6}
ESSCDBK --> MsiExec.exe /I{AE1FA02D-E6A4-4EA0-8E58-6483CAC016DD}
ESScore --> MsiExec.exe /I{9D8FEE90-0377-49A9-AEFB-525BDE549BA4}
ESSCT --> MsiExec.exe /I{8BB4B58A-A402-4DE8-8FCD-287E60B88DD8}
ESSEMAIL --> MsiExec.exe /I{FEDE2483-87B7-44C1-A5BB-D75AEB8B6340}
ESSgui --> MsiExec.exe /I{91517631-A9F3-4B7C-B482-43E0068FD55A}
ESShelp --> MsiExec.exe /I{87843A41-7808-4F2E-B13F-25C1E67CF2FD}
ESSini --> MsiExec.exe /I{8E92D746-CD9F-4B90-9668-42B74C14F765}
ESSPCD --> MsiExec.exe /I{14D4ED84-6A9A-45A0-96F6-1753768C3CB5}
ESSPDock --> MsiExec.exe /I{FCDB1C92-03C6-4C76-8625-371224256091}
ESSSONIC --> MsiExec.exe /I{4F677FC7-7AA8-412B-A957-F13CBE1C7331}
ESSTOOLS --> MsiExec.exe /I{8A502E38-29C9-49FA-BCFA-D727CA062589}
ESSTUTOR --> MsiExec.exe /I{CA60320D-6A16-49C8-A34F-84EEF4799567}
essvcpt --> MsiExec.exe /I{D1973749-F5E7-40EB-B528-F2B78685B9FF}
ESSvpaht --> MsiExec.exe /I{A5B3EB8A-4071-42F0-8E8E-7A8342AA8E69}
ESSvpot --> MsiExec.exe /I{48C82F7A-F100-4DAB-A310-8E18BF2159E1}
ffdshow (remove only) --> "C:\Program Files\ffdshow\uninstall.exe"
Google Earth --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3DE5E7D4-7B88-403C-A3FD-2017A8240C5B}\setup.exe" -l0x9 -removeonly
Google Toolbar for Internet Explorer --> MsiExec.exe /I{DBEA1034-5882-4A88-8033-81C4EF0CFA29}
Google Toolbar for Internet Explorer --> regsvr32 /u /s "c:\program files\google\googletoolbar1.dll"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
HLPIndex --> MsiExec.exe /I{38441BE7-79B0-42B8-8297-833704F949FE}
HLPPDOCK --> MsiExec.exe /I{154508C0-07C5-4659-A7A0-E49968750D21}
HLPSFO --> MsiExec.exe /I{8DD94CA3-BCD2-49C0-B537-F3B5D95FF0C8}
ICQ 4.1 --> C:\Program Files\ICQLite\ICQLiteUninstall.EXE
IsoBuster 1.7 --> "C:\Program Files\Smart Projects\IsoBuster\Uninst\unins000.exe"
J2SE Runtime Environment 5.0 Update 7 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150070}
Java 2 Runtime Environment, SE v1.4.2_05 --> MsiExec.exe /I{7148F0A8-6813-11D6-A77B-00B0D0142050}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
Java™ 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Jimmy Neutron vs. Jimmy Negatron --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\THQ\Jimmy Neutron\Jimmy Neutron vs. Jimmy Negatron\Uninst.isu"
Kodak EasyShare software --> C:\Documents and Settings\All Users\Application Data\Kodak\EasyShareSetup\$SETUP_a0005_462f0b99\Setup.exe /APR-REMOVE
KSU --> MsiExec.exe /I{B997C2A0-4383-41BF-B76E-9B8B7ECFB267}
LEGOLAND --> C:\WINDOWS\uninst.exe -f"C:\Program Files\LEGO Media\Games\LEGOLAND\DeIsL1.isu"
Logitech MouseWare 9.80 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{5809E7CF-4DCF-11D4-9875-00105ACE7734}\setup.exe" -l0x9 -l0009 UNINSTALL
Macromedia Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
Magic Swf2Gif 1.33 --> "C:\Program Files\Magic Swf2Gif\unins000.exe"
Mastering QuickBooks 2007 Level 1 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\00\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F3FF4B88-8F1D-4C22-8EB8-D1FF21DEEB52}\Setup.exe" -l0x9
Matchbox® Emergency Patrol™ --> C:\WINDOWS\IsUninst.exe -f"C:\Program Files\Mattel Interactive\Matchbox\Matchbox Emergency Patrol\Uninst.isu"
Math Missions Grades K-2 --> C:\PROGRA~1\SCHOLA~1\MATHMI~1\UNWISE.EXE /U C:\PROGRA~1\SCHOLA~1\MATHMI~1\INSTALL.LOG
Microsoft Data Access Components KB870669 --> C:\WINDOWS\muninst.exe C:\WINDOWS\INF\KB870669.inf
Microsoft Office Live Image Uploader --> MsiExec.exe /I{E78DAA24-38F8-4D35-B732-B18ABA0424DF}
Microsoft Office XP Professional with FrontPage --> MsiExec.exe /I{90280409-6000-11D3-8CFE-0050048383C9}
Microsoft Windows Journal Viewer --> MsiExec.exe /X{43DCF766-6838-4F9A-8C91-D92DA586DFA7}
MSN Messenger 7.0 --> MsiExec.exe /I{ABEB838C-A1A7-4C5D-B7E1-8B4314600777}
MultiRes (remove only) --> C:\Program Files\MultiRes\uninstal.exe
NASCAR SimRacing --> C:\Program Files\EA SPORTS\NASCAR SimRacing\EAUninstall.exe
Notifier --> MsiExec.exe /I{0008546E-DF6E-4CC1-AFD0-2CB8E16C95A2}
NRA High Power Competition --> MsiExec.exe /I{52CF5B5D-FE13-429E-A8A2-69F9628000F5}
ODBC (Ver. 1.0.0.1) --> C:\GCMS\UNWISE.EXE C:\GCMS\INSTALL.LOG
OfotoXMI --> MsiExec.exe /I{B162D0A6-9A1D-4B7C-91A5-88FB48113C45}
OTtBP --> MsiExec.exe /I{F71760CD-0F8B-4DCC-B7B7-6B223CC3843C}
OTtBPSDK --> MsiExec.exe /I{3CA39B0C-BA85-4D42-AC0F-1FF5F60C3353}
Pronto 1.3.0-K --> C:\Program Files\Horizon Wimba\Pronto\uninst.exe
QuickBooks Pro Edition 2004 --> C:\Program Files\Installshield Installation Information\{2b02f822-a9b9-458c-80e5-3ea8c0de8471}\QBReplace.exe {2b02f822-a9b9-458c-80e5-3ea8c0de8471}#{2B02F82E-A9B9-458C-80E5-3EA8C0DE8471}
QuickTime --> C:\WINDOWS\unvise32qt.exe C:\WINDOWS\system32\QuickTime\Uninstall.log
Radeon Omega Drivers v2.6.25a Setup Files --> C:\WINDOWS\iun6002.exe "C:\Program Files\Radeon Omega Drivers\v2.6.25a\Omega.ini"
RadLinker --> MsiExec.exe /I{238ABEB6-42D2-4DD7-9928-DE8431519C61}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek RTL8139/810x Fast Ethernet NIC Driver Setup --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{97AA0C55-AFAD-4126-B21C-F1318FB6DADA}\Setup.exe" -l0x9 REMOVE
Rich Video Codec v1.6 --> C:\Program Files\RichVideoCodec\Uninstall.exe
Savings Bond Wizard --> C:\WINDOWS\unvise32.exe C:\Program Files\Savings Bond Wizard\uninstal.log
Scholastic's I SPY School Days --> C:\PROGRA~1\SCHOLA~1\ISPYSC~1\UNWISE.EXE C:\PROGRA~1\SCHOLA~1\ISPYSC~1\INSTALL.LOG
Scholastic's The Magic School Bus® Lands on Mars --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{3F5C4C80-1FA7-11D4-B333-E7021860665A}\setup.exe" MarsUninstall
SFR --> MsiExec.exe /I{DB02F716-6275-42E9-B8D2-83BA2BF5100B}
SHASTA --> MsiExec.exe /I{605A4E39-613C-4A12-B56F-DEFBE6757237}
SKIN0001 --> MsiExec.exe /I{FDF9943A-3D5C-46B3-9679-586BD237DDEE}
SKINXSDK --> MsiExec.exe /I{F4A2E7CC-60CA-4AFA-B67F-AD5E58173C3F}
SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
Spy Masters Unmask the Prankster --> C:\Program Files\Common Files\Knowledge Adventure\SpyMastr1un.exe
Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe"
SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe"
Startup Cop --> C:\PROGRA~1\StartCop\UNWISE.EXE C:\PROGRA~1\StartCop\INSTALL.LOG
Stuart Little - His Adventures in Numberland --> C:\WINDOWS\IsUninst.exe -fC:\ThoughtMakers\StuartNumber\Uninst.isu
Stuart Little - His Adventures in Wordland --> C:\WINDOWS\IsUninst.exe -fC:\ThoughtMakers\StuartWord\Uninst.isu
SWiSHmax --> C:\WINDOWS\unvise32.exe C:\Program Files\SWiSHmax\uninstal.log
TurboTax Premier Investments 2006 --> C:\Program Files\TurboTax\Premier 2006\TaxUnst.EXE "C:\Program Files\TurboTax\Premier 2006\Uninstall.log" -NoGui
Vehicle Voyages --> C:\Program Files\IBM and Crayola\Vehicle Voyages\Uninstall.exe
Veo Connect --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{8026D160-0B5D-11D6-BC84-00D0B7E10CD1}\SETUP.EXE"
Veo Digital Studio --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{45AEEA61-04F8-11D6-8B35-0080C8F5C4AA}\setup.exe"
VPRINTOL --> MsiExec.exe /I{999D43F4-9709-4887-9B1A-83EBB15A8370}
WeatherBug --> C:\PROGRA~1\AWS\WEATHE~1\REMOVE.EXE C:\PROGRA~1\AWS\WEATHE~1\INSTALL.LOG
Windows XP Related --> Rundll32.exe C:\WINDOWS\lbbho.dll,Uninst
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WIRELESS --> MsiExec.exe /I{F9593CFB-D836-49BC-BFF1-0E669A411D9F}
Wireless G WDA-1320 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\10\INTEL3~1\IDriver.exe /M{D3815721-7859-40E2-846A-0C9461BDCD8D}
XingMPEG Player --> C:\PROGRA~1\Xing\XINGMP~1\UNINST.EXE C:\PROGRA~1\Xing\XINGMP~1\INSTALL.LOG
Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG


-- Application Event Log -------------------------------------------------------

Event Record #/Type21264 / Error
Event Submitted/Written: 12/15/2007 09:09:54 AM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
errorInternet connection not detected.

Event Record #/Type21248 / Warning
Event Submitted/Written: 12/15/2007 09:07:34 AM
Event ID/Source: 1015 / MsiInstaller
Event Description:
Failed to connect to server. Error: 0x800401F0

Event Record #/Type21229 / Error
Event Submitted/Written: 12/15/2007 09:03:23 AM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
errorInternet connection not detected.

Event Record #/Type21215 / Error
Event Submitted/Written: 12/15/2007 08:55:49 AM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
errorInternet connection not detected.

Event Record #/Type21213 / Error
Event Submitted/Written: 12/15/2007 08:50:49 AM
Event ID/Source: 101 / Automatic LiveUpdate Scheduler
Event Description:
errorInternet connection not detected.



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type47867 / Error
Event Submitted/Written: 12/15/2007 09:18:34 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The combofix service failed to start due to the following error:
%%1053

Event Record #/Type47866 / Error
Event Submitted/Written: 12/15/2007 09:18:34 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.

Event Record #/Type47721 / Error
Event Submitted/Written: 12/15/2007 08:55:34 AM
Event ID/Source: 11 / PlugPlayManager
Event Description:
The device Root\LEGACY_SSLW65\0000 disappeared from the system without first being prepared for removal.

Event Record #/Type47720 / Error
Event Submitted/Written: 12/15/2007 08:55:33 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The combofix service failed to start due to the following error:
%%1053

Event Record #/Type47719 / Error
Event Submitted/Written: 12/15/2007 08:55:33 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the combofix service to connect.



-- End of Deckard's System Scanner: finished at 2007-12-15 10:41:26 ------------
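
As an added example (not from the thread or from any tool named in it), a small Python checker that applies the judgments a log reviewer makes on the entries above: a system process name outside its home directory (wbem\csrss.exe), look-alike filenames (winlogan.exe, scvhost.exe, _svchost.exe), autostarts in TEMP, a BHO whose only name is its DLL path, NameServer values that are not the expected resolvers, and a service with no owner and no binary. The sample lines are copied from the log; the trusted resolver 192.168.0.1 is an assumed placeholder.

```python
"""Flag suspicious HijackThis-style entries using the indicators seen in this thread."""
import re
from typing import List, Optional, Tuple

# Windows system process names that malware commonly borrows or imitates.
SYSTEM_NAMES = {"csrss.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
                "smss.exe", "services.exe", "explorer.exe"}
# Directories where those names legitimately live (lower case, no trailing slash).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
# Assumed trusted resolvers (placeholder): use the real router or ISP addresses.
TRUSTED_DNS = {"192.168.0.1"}

# Constructed input: lines copied from the HijackThis/DSS log posted above.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: C:\WINDOWS\system32\Lfj95jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O4 - HKUS\S-1-5-18\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [default] C:\Documents and Settings\LocalService\scvhost.exe (User 'SYSTEM')
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

# A Windows path ending in an executable-style extension, optionally quoted.
_PATH_RE = re.compile(r'"?([a-z]:\\[^"\n(]*?\.(?:exe|dll|sys|bat))"?', re.I)


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike(filename: str) -> Optional[str]:
    """Return the system process name that `filename` imitates, if any."""
    name = filename.lower()
    if name in SYSTEM_NAMES:
        return None
    for real in sorted(SYSTEM_NAMES):
        if osa_distance(name, real) == 1:
            return real
    return None

def check_binary(path: str) -> List[str]:
    """Judge a single executable path the way a log reviewer would."""
    reasons = []
    folder, _, name = path.lower().rpartition("\\")
    if name in SYSTEM_NAMES and folder not in SYSTEM_DIRS:
        reasons.append(f"system process name {name} outside its home directory")
    twin = lookalike(name)
    if twin:
        reasons.append(f"{name} imitates {twin}")
    if "\\temp\\" in folder + "\\":
        reasons.append("autostart binary lives in a TEMP directory")
    return reasons

def check_line(line: str) -> List[str]:
    """Return the reasons a HijackThis line deserves attention (empty if none)."""
    m = re.match(r"(O\d+) - (.*)", line.strip())
    if not m:
        return []
    kind, rest = m.groups()
    paths = _PATH_RE.findall(rest)
    path = paths[-1] if paths else ""
    reasons: List[str] = []
    if kind == "O2":
        # HijackThis prints the DLL path in place of a name when the BHO has none.
        name = rest.split(" - ")[0][len("BHO: "):]
        if name.lower() == path.lower():
            reasons.append("BHO registered without a friendly name")
    elif kind == "O17":
        m2 = re.search(r"NameServer = (.+)", rest)
        servers = re.split(r"[ ,]+", m2.group(1).strip()) if m2 else []
        rogue = [s for s in servers if s not in TRUSTED_DNS]
        if rogue:
            reasons.append("DNS servers outside the trusted set: " + ", ".join(rogue))
    elif kind == "O20" and path and path.lower().rpartition("\\")[0] not in SYSTEM_DIRS:
        reasons.append("Winlogon Notify DLL outside a system directory")
    elif kind == "O23" and "Unknown owner" in rest and "(file missing)" in rest:
        reasons.append("service with unknown owner and missing binary")
    if path:
        reasons.extend(check_binary(path))
    return reasons

def scan(log: str) -> List[Tuple[str, List[str]]]:
    """Return (line, reasons) for every line that has at least one reason."""
    return [(ln.strip(), check_line(ln)) for ln in log.splitlines() if check_line(ln)]

if __name__ == "__main__":
    for entry, why in scan(SAMPLE_LOG):
        print(entry, *("   -> " + r for r in why), sep="\n")
```

On the sample lines, seven of the ten entries are flagged and the three legitimate ones (Adobe, Java, Google) are not.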

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • Local time:12:27 AM

Posted 15 December 2007 - 11:27 AM

Click Start/Control Panel/Add or Remove Programs and remove AWS/WeatherBug, then restart your pc.

Please download OTMoveIt by OldTimer, save it to your desktop:
http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):
C:\Program Files\lsass.exe
C:\WINDOWS\system32\dtijrgqh
C:\Program Files\RichVideoCodec
C:\WINDOWS\PerfInfo
C:\WINDOWS\system32\Lfj95jg.dll
C:\WINDOWS\system32\Frjkfl4g.dll

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.


Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: fix.reg, and save it to your desktop.
Then double click on the fix.reg file on your desktop and agree to merge the information into the registry, then restart your pc.

REGEDIT4
; delete the two rogue Browser Helper Objects (full Explorer key path, not the DSS "~" shorthand)
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5AC49A2-94F2-42BD-F434-2604812C897D}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B5AF0562-94F3-42BD-F434-2604812C797D}]
; "=-" deletes the named value
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"csrss"=-
"combofix"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{B5AC49A2-94F2-42BD-F434-2604812C897D}"=-
"{B5AF0562-94F3-42BD-F434-2604812C797D}"=-
; rebuild SecurityProviders without the added wowfx.dll
[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CheckWinPerf"=-
"_"=-
"avp"=-
"SC2"=-
"csrss"=-


Also post a new Hijackthis log please.

#9 Infamous33 (Topic Starter)

Posted 15 December 2007 - 12:02 PM

Done, here are the files...


C:\Program Files\lsass.exe moved successfully.
C:\WINDOWS\system32\dtijrgqh moved successfully.
C:\Program Files\RichVideoCodec moved successfully.
C:\WINDOWS\PerfInfo moved successfully.
C:\WINDOWS\system32\Lfj95jg.dll NOT unregistered.
C:\WINDOWS\system32\Lfj95jg.dll moved successfully.
C:\WINDOWS\system32\Frjkfl4g.dll NOT unregistered.
C:\WINDOWS\system32\Frjkfl4g.dll moved successfully.

Created on 12152007_115414


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:59, on 2007-12-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\WINDOWS\system32\wbem\csrss.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: C:\WINDOWS\system32\Lfj95jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\Frjkfl4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll (file missing)
O3 - Toolbar: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197655950875
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://www.ins-squad.com/LaunchGame.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{482B60C4-66EE-4206-A2FA-9A205B705494}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\..\{864AF381-8CDD-4C8C-BD74-523A5FE1B32B}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\..\{F307CBDC-C5FF-4E1E-A2BE-D14ABDD580D4}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Microsoft Inet Service - Unknown owner - C:\WINDOWS\system32\_svchost.exe (file missing)
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 7833 bytes

#10 RichieUK (Malware Assassin, Malware Response Team)

Posted 15 December 2007 - 03:15 PM

Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'):
C:\WINDOWS\system32\wbem\csrss.exe
Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button
Copy everything on the 'Results' window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose 'Copy'), and paste it into your next reply.
Close OTMoveIt.
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process.
If you are asked to reboot the machine choose Yes.

Click on Start > Run and type Services.msc then hit Ok.
Scroll down and find the service called:
Microsoft Inet Service
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

Click Start > Run and type regedit then click OK.
Navigate to HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services
Scroll down the left pane, locate the service name:
Microsoft Inet Service
Right click on it and choose 'Delete'.
Then restart your pc.

Please download FixWareout:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.
Afterwards, HijackThis will launch; if it doesn't, launch it manually.
Please click Scan, and checkmark the following items:

O2 - BHO: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O2 - BHO: C:\WINDOWS\system32\Lfj95jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINDOWS\system32\Lfj95jg.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\Frjkfl4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll (file missing)
O3 - Toolbar: Nick Aracde Toolbar - {4E7BD74F-2B8D-469E-9EB4-FE6FA694B13E} - C:\PROGRA~1\NICKAR~1\NICKAR~1.DLL (file missing)
O4 - HKLM\..\Run: [csrss] C:\WINDOWS\system32\wbem\csrss.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{482B60C4-66EE-4206-A2FA-9A205B705494}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\..\{864AF381-8CDD-4C8C-BD74-523A5FE1B32B}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\..\{F307CBDC-C5FF-4E1E-A2BE-D14ABDD580D4}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.113.115 85.255.112.79
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll (file missing)


Click 'Fix Checked'.
Close HijackThis, and click OK to proceed.
At the end of the fix you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt, along with a new HijackThis log.

Please Note:
Only do the following if you have connection problems after performing the above steps:
Go to Start > Control Panel, and choose 'Network Connections'.
Then right click on your default connection, usually 'Local Area Connection' or 'Dial-up Connection' if you are using Dial-up, then left click on 'Properties'.
Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers Automatically'.
Click OK twice, restart your computer.
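The checks Richie does by eye in the post above (the O17 NameServer entries pointing at two unexpected resolvers, a csrss.exe autostart running from the wbem folder, and services whose binary is already gone) can be automated over a HijackThis log. The following is an added example, not code from the thread or from HijackThis: it parses the O4/O17/O20/O23 line formats seen in this thread and flags rogue resolvers, core Windows process names outside system32, and orphaned "(file missing)" references. The allow-list of expected resolvers and the sample log lines are constructed for the example.

```python
"""Flag suspicious entries in a HijackThis-style log (added example)."""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of this thread's HijackThis logs (the two
# rogue resolvers and the csrss.exe-in-wbem autostart are taken from it).
SAMPLE_LOG = """\
O4 - HKLM\\..\\Run: [SunJavaUpdateSched] "C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe"
O4 - HKLM\\..\\Run: [csrss] C:\\WINDOWS\\system32\\wbem\\csrss.exe
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{482B60C4-66EE-4206-A2FA-9A205B705494}: NameServer = 85.255.113.115,85.255.112.79
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\Parameters: NameServer = 85.255.113.115 85.255.112.79
O20 - Winlogon Notify: partnershipreg - C:\\Documents and Settings\\All Users\\Documents\\Settings\\partnership.dll (file missing)
O23 - Service: Microsoft Inet Service - Unknown owner - C:\\WINDOWS\\system32\\_svchost.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\\WINDOWS\\system32\\Ati2evxx.exe
"""

# Resolvers this machine is expected to use (assumption for the example; the
# ISP or DHCP-assigned address would go here). Anything else in an O17 line is
# treated as a DNS hijack until proven otherwise.
EXPECTED_RESOLVERS = frozenset({"192.168.1.1"})

# Core Windows process names that malware likes to borrow. Genuine copies live
# only in %SystemRoot%\system32, never in a subfolder or under Program Files.
CORE_PROCESS_NAMES = frozenset({
    "csrss.exe", "lsass.exe", "smss.exe", "services.exe",
    "svchost.exe", "winlogon.exe", "spoolsv.exe",
})
SYSTEM32_DIR = r"c:\windows\system32"

# First drive-letter path ending in an executable-style extension.
_PATH_RE = re.compile(r"[A-Za-z]:\\[^\"]*?\.(?:exe|dll|sys)", re.IGNORECASE)
# HijackThis writes the resolvers comma- or space-separated at the end of the line.
_NAMESERVER_RE = re.compile(r"NameServer\s*=\s*(?P<servers>[0-9.,\s]+)$")


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section, e.g. "O17"
    reason: str    # short reason code
    detail: str    # the offending value (path or resolver address)


def rogue_resolvers(line: str) -> List[str]:
    """Return resolver addresses in an O17 line that are not on the allow-list."""
    m = _NAMESERVER_RE.search(line)
    if not m:
        return []
    servers = [s for s in re.split(r"[,\s]+", m.group("servers").strip()) if s]
    return [s for s in servers if s not in EXPECTED_RESOLVERS]


def masquerading_path(line: str) -> Optional[str]:
    """Return the path if its file name is a core process name living outside system32."""
    m = _PATH_RE.search(line)
    if not m:
        return None
    path = m.group(0)
    name = ntpath.basename(path).lower()
    folder = ntpath.dirname(path).lower()
    return path if name in CORE_PROCESS_NAMES and folder != SYSTEM32_DIR else None


def analyze(log_text: str) -> List[Finding]:
    """Run the three checks over every O-section line of a HijackThis-style log."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line[0] != "O":
            continue
        section = line.split(" ", 1)[0]
        if section == "O17":
            for addr in rogue_resolvers(line):
                findings.append(Finding(section, "unexpected-dns-server", addr))
        if section in ("O4", "O20", "O23"):
            path = masquerading_path(line)
            if path:
                findings.append(Finding(section, "core-process-name-outside-system32", path))
        if "(file missing)" in line:
            m = _PATH_RE.search(line)
            findings.append(Finding(section, "orphaned-reference", m.group(0) if m else line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason:36} {f.detail}")
```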

#11 Infamous33 (Topic Starter)

Posted 15 December 2007 - 04:40 PM

OK, done. When I went into HJT to fix the items you specified, there were no O17 category items displayed.
Everything else went smoothly. Here are the files.

PS, any idea what I had?



Username "Administrator" - 2007-12-15 16:25:12 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.113.115 85.255.112.79" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{482B60C4-66EE-4206-A2FA-9A205B705494}
"nameserver"="85.255.113.115,85.255.112.79" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{864AF381-8CDD-4C8C-BD74-523A5FE1B32B}
"nameserver"="85.255.113.115,85.255.112.79" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F307CBDC-C5FF-4E1E-A2BE-D14ABDD580D4}
"nameserver"="85.255.113.115,85.255.112.79" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1F5B651C-CA2C-4B7E-ABBD-19398AFBB295}
"DhcpNameServer"="85.255.113.115,85.255.112.79" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{864AF381-8CDD-4C8C-BD74-523A5FE1B32B}
"DhcpNameServer"="85.255.113.115,85.255.112.79" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{F307CBDC-C5FF-4E1E-A2BE-D14ABDD580D4}
"DhcpNameServer"="85.255.113.115,85.255.112.79" <Value cleared.

Successfully flushed the DNS Resolver Cache.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\run]
"AtiPTA"="atiptaxx.exe"
"D-Link Wireless G WDA-1320"="C:\\Program Files\\D-Link\\Wireless G WDA-1320\\AirGCFG.exe"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_03\\bin\\jusched.exe\""
"csrss"="C:\\WINDOWS\\system32\\wbem\\csrss.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\GoogleToolbarNotifier.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:31, on 2007-12-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197655950875
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://www.ins-squad.com/LaunchGame.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6324 bytes

#12 RichieUK (Malware Assassin, Malware Response Team)

Posted 15 December 2007 - 04:54 PM

It appears you've no virus protection installed, which you should have at all times.
Please download/install Avira AntiVir Personal Edition Classic [Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your pc when you've done.
After restart, open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, on the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

Superantispyware will now scan your computer; when it's finished it will list all/any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you've done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new Hijackthis log, and let me know how your pc is running now.


#13 Infamous33 (Topic Starter)

Posted 18 December 2007 - 07:49 AM

Hi Richie,
sorry so long getting back to you, I came down with a bug of my own...
The computer seems to be flying now, no complaints from my wife or son !! I ran all the scans and retrieved all available windows updates.
Here are the logs you asked about,
Thanks again for everything, you guys do a wonderful job!! By the way, have you got any idea what we had?

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 12/15/2007 at 09:57 PM

Application Version : 3.9.1008

Core Rules Database Version : 3259
Trace Rules Database Version: 1270

Scan type : Complete Scan
Total Scan Time : 00:40:02

Memory items scanned : 332
Memory threats detected : 0
Registry items scanned : 5497
Registry threats detected : 0
File items scanned : 43334
File threats detected : 6

Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@enhance[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@clicks.smartbizsearch[2].txt
C:\Documents and Settings\Administrator\Cookies\administrator@www.stopzilla[2].txt

Malware.Ultimate Defender
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104243.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104245.EXE

Worm.Agobot-NV
C:\WINDOWS\SYSTEM32\REINSTALLBACKUPS\0001\DRIVERFILES\ATIPHEXX.EXE

AntiVir Log, it's a big one!! 260 files found.

AntiVir PersonalEdition Classic
Report file date: 2007-12-15 18:00

Scanning for 972845 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Username: SYSTEM
Computer name: FAMILYCOMP

Version information:
BUILD.DAT : 270 15603 Bytes 2007-09-19 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 2007-08-23 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 2007-08-16 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 2007-08-14 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 2007-08-21 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 2007-07-18 20:27:15
ANTIVIR1.VDF : 7.0.1.95 3367424 Bytes 2007-12-14 23:00:00
ANTIVIR2.VDF : 7.0.1.96 2048 Bytes 2007-12-14 23:00:00
ANTIVIR3.VDF : 7.0.1.98 4096 Bytes 2007-12-14 23:00:00
AVEWIN32.DLL : 7.6.0.45 3084800 Bytes 2007-12-15 23:00:01
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2007-02-26 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 2007-07-18 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 2007-04-16 19:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 2007-08-03 14:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 2007-07-18 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 2007-08-28 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 2007-07-18 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 2007-03-08 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 2007-08-07 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 2007-08-21 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 2007-07-23 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: E:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: 2007-12-15 18:00

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'iexplore.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'GoogleToolbarNotifier.exe' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'apdproxy.exe' - '1' Module(s) have been scanned
Scan process 'AirGCFG.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'SMAgent.exe' - '1' Module(s) have been scanned
Scan process 'SNDSrvc.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'ati2evxx.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
30 processes with 30 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!
Boot sector 'E:\'
[NOTE] No virus was found!

Starting to scan the registry.
The registry was scanned ( '18' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Program Files\Trend Micro\HijackThis\backups\backup-20071214-142649-818-findfast.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '47c7741a.qua'!
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\printer.exe.vir
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '47cd7493.qua'!
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Application Data\trant.exe.vir
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47c57493.qua'!
C:\qoobox\Quarantine\C\Documents and Settings\Administrator\Start Menu\Programs\Startup\findfast.exe.vir
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '47d2748b.qua'!
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\sjstkpgb.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47d7748c.qua'!
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\vwhyjgje.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47cc7499.qua'!
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\partnership.dll.vir
[DETECTION] Is the Trojan horse TR/Hijacker.Gen
[INFO] The file was moved to '47d67484.qua'!
C:\qoobox\Quarantine\C\Documents and Settings\All Users\Start Menu\Programs\Startup\autorun.exe.vir
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '47d87498.qua'!
C:\qoobox\Quarantine\C\Program Files\ajqlgvaj\ejglizwv.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47cb748d.qua'!
C:\qoobox\Quarantine\C\Program Files\Helper\superdirectsearch.dll.vir
[DETECTION] Is the Trojan horse TR/BHO.adh.2
[INFO] The file was moved to '47d47498.qua'!
C:\qoobox\Quarantine\C\Program Files\onspermv\sxohkvml.dll.vir
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '47d3749c.qua'!
C:\qoobox\Quarantine\C\WINDOWS\mgrs.exe.vir
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[INFO] The file was moved to '47d6748b.qua'!
C:\qoobox\Quarantine\C\WINDOWS\shell.exe.vir
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '47c9748c.qua'!
C:\qoobox\Quarantine\C\WINDOWS\svchost.exe.vir
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[INFO] The file was moved to '47c7749b.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\printer.exe.vir
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '47cd7497.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\spoolvs.exe.vir
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '47d37495.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\update228.exe.vir
[DETECTION] Is the Trojan horse TR/Hijacker.Gen
[INFO] The file was moved to '47c87495.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\update280.exe.vir
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was moved to '47c87496.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\NdisWon.sys.vir
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '47cd748a.qua'!
C:\qoobox\Quarantine\C\WINDOWS\system32\drivers\Sslw65.sys.vir
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '47d07499.qua'!
C:\SDFix\HOSTS
[DETECTION] Is the Trojan horse TR/Qhost.NL
[INFO] The file was moved to '47b77477.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP468\A0068365.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '4794745b.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP492\A0071804.exe
[DETECTION] Contains detection pattern of the dropper DR/BHO.W.4
[INFO] The file was moved to '47947485.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP523\A0081694.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was moved to '479474e7.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP537\A0094210.exe
[DETECTION] Is the Trojan horse TR/Proxy.Agent.TT
[INFO] The file was moved to '47947573.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP537\A0094211.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.AAJM.2
[INFO] The file was moved to '46f37894.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP537\A0094212.exe
[DETECTION] Is the Trojan horse TR/Agent.7680.95
[INFO] The file was moved to '47947575.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP537\A0094214.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47947574.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP537\A0094215.exe
[DETECTION] Is the Trojan horse TR/Delf.aon
[INFO] The file was moved to '46f37f8d.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP537\A0094217.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[INFO] The file was moved to '47947576.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP537\A0094218.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[INFO] The file was moved to '46f37f8f.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP537\A0094228.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f37f8e.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP537\A0094232.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[INFO] The file was moved to '47947577.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104210.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795757b.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104211.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f84.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104213.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795757c.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104214.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f85.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104223.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795757d.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104233.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795757e.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104234.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f87.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104235.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957570.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104236.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f89.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104237.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795757f.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104238.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f78.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104239.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957581.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104240.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957580.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104241.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f79.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104244.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957582.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104246.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '46f27f7a.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104247.sys
[DETECTION] Is the Trojan horse TR/Click.Costrat.BZ
[INFO] The file was moved to '47957583.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104401.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f7c.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104402.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957585.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0104403.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957584.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0114212.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f7d.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0114213.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957586.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0114214.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f7f.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115212.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f7e.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115213.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '47957587.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115214.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f70.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115215.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '47957589.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115216.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957578.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115217.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f81.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115220.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795757a.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115230.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f72.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115245.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795758b.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115246.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f74.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115247.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795758d.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115248.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957588.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115249.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f71.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115250.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795758a.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115251.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f73.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115252.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f76.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115253.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795758f.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115254.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f68.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115255.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957591.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115256.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795758c.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115257.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f75.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115258.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795758e.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115259.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f6a.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115260.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957593.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115261.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f6c.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115262.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957595.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115263.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f77.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115264.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f7b.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115265.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f83.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115266.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957572.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115267.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f6e.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0115268.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957597.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116212.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f60.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116213.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '47957599.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116214.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f8b.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116215.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '47957574.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116216.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f8d.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116217.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957576.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116220.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f62.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116244.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795759b.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116245.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f64.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116246.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957590.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116247.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f69.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116248.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957592.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116249.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f6b.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116250.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795759d.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116252.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f66.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116253.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '4795759f.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116254.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f58.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116255.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957594.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116256.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f6d.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116257.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957596.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116258.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479575a1.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116259.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f5a.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116260.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '479575a3.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116261.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f5c.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116262.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f6f.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116263.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f8f.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0116264.dll
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47957568.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0117213.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f91.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0117214.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575a5.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0117215.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f5e.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0117216.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575a7.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0117225.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '4795756a.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0117226.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f93.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0117227.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '4795756c.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0117228.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f95.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0117236.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f50.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0117237.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575a9.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0117238.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f52.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0117239.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '47957598.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0118236.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f61.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0118237.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '4795759a.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0118238.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575ab.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0118239.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f54.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0119236.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575ad.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0119237.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f63.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0119238.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '4795759c.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0119239.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f65.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0120237.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f56.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0120238.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575af.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0120239.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f48.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0120240.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575b1.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0121246.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '4795759e.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0121247.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f67.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\A0121248.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f4a.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-1.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975b4.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-10.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16535.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-11.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975b6.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-12.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975b5.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-13.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16536.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-14.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975b7.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-15.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16538.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-16.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16537.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-17.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975b8.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-18.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16539.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-19.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975ba.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-2.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975b9.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-20.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1653a.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-21.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975bb.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-22.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1653b.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-23.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975bc.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-24.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1653d.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-25.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975be.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-26.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1653c.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-27.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975bd.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-28.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1653e.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-29.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975bf.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-3.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1653f.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-30.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975c0.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-31.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16541.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-32.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975c2.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-33.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16540.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-34.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975c1.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-35.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16542.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-36.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975c3.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-37.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16543.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-38.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975c4.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-39.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16545.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-4.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16544.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-40.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975c5.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-41.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16546.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-42.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975c7.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-43.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975c6.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-44.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16547.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-45.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975c8.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-46.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16549.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-47.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16548.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-48.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975c9.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-49.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1654a.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-5.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975cb.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-50.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975ca.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-51.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1654b.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-52.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975cc.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-53.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1654d.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-54.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1654c.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-55.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975cd.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-56.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1654e.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-57.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975cf.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-58.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975ce.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-59.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1654f.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-6.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975d0.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-60.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16551.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-61.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16550.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-62.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975d1.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-63.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16552.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-64.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975d3.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-65.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975d2.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-66.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16553.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-67.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975d4.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-68.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16554.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-69.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975d5.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-7.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16556.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-70.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975d7.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-71.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16555.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-72.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975d6.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-73.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16557.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-74.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975d8.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-75.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c16558.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-76.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975d9.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP538\snapshot\MFEX-9.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46c1655a.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121254.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575b2.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121255.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575b3.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121256.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '46f27f4c.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121257.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575b5.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121259.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46f27f4e.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121260.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575b4.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121264.exe
[DETECTION] Is the Trojan horse TR/Hijacker.Gen
[INFO] The file was moved to '46f27f4d.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121265.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[INFO] The file was moved to '479575b6.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121266.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '46f27f4f.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121267.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '479575b7.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121268.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '46f27f40.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121269.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '479575b9.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121271.dll
[DETECTION] Is the Trojan horse TR/BHO.adh.2
[INFO] The file was moved to '46f27f42.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121274.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[INFO] The file was moved to '479575a8.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121275.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[INFO] The file was moved to '46f27f51.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121276.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575aa.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0121277.sys
[DETECTION] Is the Trojan horse TR/Trash.Gen
[INFO] The file was moved to '479575bb.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122303.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Padodor.AX Backdoor server programs
[INFO] The file was moved to '479575b8.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122304.exe
[DETECTION] Is the Trojan horse TR/Pakes.01
[INFO] The file was moved to '46f27f44.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122305.exe
[DETECTION] Is the Trojan horse TR/Pakes.01
[INFO] The file was moved to '479575bd.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122306.exe
[DETECTION] Is the Trojan horse TR/Pakes.01
[INFO] The file was moved to '46f27f46.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122307.dll
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Delf.BF Backdoor server programs
[INFO] The file was moved to '479575ba.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122308.exe
[DETECTION] Is the Trojan horse TR/Pakes.01
[INFO] The file was moved to '46f27f43.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122309.exe
[DETECTION] Is the Trojan horse TR/Pakes.01
[INFO] The file was moved to '479575bc.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122310.exe
[DETECTION] Is the Trojan horse TR/Pakes.01
[INFO] The file was moved to '46f27f45.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122311.exe
[DETECTION] Is the Trojan horse TR/Pakes.01
[INFO] The file was moved to '479575bf.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122312.exe
[DETECTION] Is the Trojan horse TR/Pakes.01
[INFO] The file was moved to '46f27f38.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122313.exe
[DETECTION] Is the Trojan horse TR/Pakes.01
[INFO] The file was moved to '479575c1.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122314.exe
[DETECTION] Is the Trojan horse TR/Pakes.01
[INFO] The file was moved to '479575be.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122316.exe
[DETECTION] Is the Trojan horse TR/Pakes.01
[INFO] The file was moved to '46f27f47.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122317.exe
[DETECTION] Is the Trojan horse TR/Pakes.01
[INFO] The file was moved to '479575b0.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122318.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Beastdoor.205.A Backdoor server programs
[INFO] The file was moved to '46f27f3a.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP539\A0122319.exe
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Beastdoor.205.A Backdoor server programs
[INFO] The file was moved to '479575c3.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP540\A0122636.sys
[DETECTION] Is the Trojan horse TR/Rootkit.Gen
[INFO] The file was moved to '479575ca.qua'!
C:\System Volume Information\_restore{0D418752-1AFD-4878-87C5-C7C634D345B6}\RP542\A0122714.exe
[DETECTION] Is the Trojan horse TR/Qhost.aaw.13
[INFO] The file was moved to '479575ce.qua'!
C:\WINDOWS\system32\kdaau.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '47c5782d.qua'!
C:\_OTMoveIt\MovedFiles\12152007_115414\Program Files\lsass.exe
[DETECTION] Is the Trojan horse TR/Delf.KH.12
[INFO] The file was moved to '47c57891.qua'!
C:\_OTMoveIt\MovedFiles\12152007_115414\Program Files\RichVideoCodec\RichVideoCodec.ocx
[DETECTION] Is the Trojan horse TR/NewMedial.Dll
[INFO] The file was moved to '47c77887.qua'!
C:\_OTMoveIt\MovedFiles\12152007_115414\Program Files\RichVideoCodec\Uninstall.exe
[DETECTION] Contains detection pattern of the dropper DR/Dldr.Zlob.AAGR
[INFO] The file was moved to '47cd788d.qua'!
C:\_OTMoveIt\MovedFiles\12152007_115414\WINDOWS\system32\Frjkfl4g.dll
[DETECTION] Is the Trojan horse TR/Dldr.Small.fyx.3
[INFO] The file was moved to '47ce7891.qua'!
C:\_OTMoveIt\MovedFiles\12152007_115414\WINDOWS\system32\Lfj95jg.dll
[DETECTION] Is the Trojan horse TR/Dldr.Small.hcm.1
[INFO] The file was moved to '47ce7885.qua'!
C:\_OTMoveIt\MovedFiles\12152007_161838\WINDOWS\system32\wbem\csrss.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[INFO] The file was moved to '47d67893.qua'!
Begin scan in 'E:\'


End of the scan: 2007-12-15 20:07
Used time: 2:06:11 min

The scan has been done completely.

6707 Scanning directories
371445 Files were scanned
257 viruses and/or unwanted programs were found
2 Files were classified as suspicious:
0 files were deleted
0 files were repaired
259 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
371188 Files not concerned
2143 Archives were scanned
1 Warnings
14 Notes


New HJT Log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 07:49, on 2007-12-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [D-Link Wireless G WDA-1320] C:\Program Files\D-Link\Wireless G WDA-1320\AirGCFG.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: ICQ 4.1 - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1A1F56AA-3401-46F9-B277-D57F3421F821} (FunGamesLoader Object) - http://gsn.worldwinner.com/games/v47/share...GamesLoader.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {47CD99DF-8BCF-4B9B-94EF-02E51B2F79DA} - http://www.alwaysupdatednews.com/install/aun_0036.exe
O16 - DPF: {615F158E-D5CA-422F-A8E7-F6A5EED7063B} (Bejeweled Control) - http://www.worldwinner.com/games/v46/bejeweled/bejeweled.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1197655950875
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {D3A7982E-915D-4589-8ECE-249F70D0C941} (Launch Control) - http://www.ins-squad.com/LaunchGame.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/games/web_...aploader_v6.cab
O16 - DPF: {FAE74270-E5EE-49C3-B816-EA8B4D55F38F} (H2hPool Control) - http://www.worldwinner.com/games/v53/h2hpool/h2hpool.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe

--
End of file - 6974 bytes
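Reading a quarantine report like the Avira one above by hand is slow; the following is an added example (not code from the thread, from Avira, or from any tool mentioned here) that parses the report's three-line entry format and its summary block, groups the quarantined files by detection name and by where they lived (System Restore snapshot, OTMoveIt backup folder, or the live system), and checks the summary counts against the parsed entries. The sample report is a constructed excerpt in the same layout, with the restore-point GUID shortened to a `{GUID}` placeholder; the location split is what shows why purging old restore points is part of the cleanup.

```python
import re
from collections import Counter

# Constructed excerpt in the layout of the Avira report above; GUID shortened.
SAMPLE_REPORT = r"""C:\System Volume Information\_restore{GUID}\RP538\snapshot\MFEX-5.DAT
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '47a975cb.qua'!
C:\System Volume Information\_restore{GUID}\RP539\A0122307.dll
[DETECTION] Contains a detection pattern of the (dangerous) backdoor program BDS/Delf.BF Backdoor server programs
[INFO] The file was moved to '479575ba.qua'!
C:\WINDOWS\system32\kdaau.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '47c5782d.qua'!
C:\_OTMoveIt\MovedFiles\12152007_161838\WINDOWS\system32\wbem\csrss.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[INFO] The file was moved to '47d67893.qua'!

4 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
4 files were moved to quarantine
"""

# One entry is three lines: path, [DETECTION] line, [INFO] line naming the .qua container.
ENTRY_RE = re.compile(
    r"^(?P<path>[A-Z]:\\.*)\n"
    r"\[DETECTION\] (?P<text>.*)\n"
    r"\[INFO\] The file was moved to '(?P<qua>[0-9a-f]+\.qua)'!$",
    re.MULTILINE,
)
# Avira names look like TR/Vundo.Gen, BDS/Delf.BF or DR/Dldr.Zlob.AAGR.
NAME_RE = re.compile(r"\b([A-Z]{2,4}/[\w.-]+)")
SUMMARY_RE = {
    "found": re.compile(r"^(\d+) viruses and/or unwanted programs were found", re.M),
    "suspicious": re.compile(r"^(\d+) Files were classified as suspicious", re.M),
    "quarantined": re.compile(r"^(\d+) files were moved to quarantine", re.M),
}

def classify(path):
    # Restore snapshot (what the Disk Cleanup step purges), OTMoveIt backup, or live OS.
    low = path.lower()
    if low.startswith("c:\\system volume information\\_restore"):
        rp = re.search(r"\\(RP\d+)\\", path)
        return "restore point " + (rp.group(1) if rp else "?")
    if "\\_otmoveit\\movedfiles\\" in low:
        return "OTMoveIt backup"
    return "live system"

def parse_report(text):
    # Returns (entries, summary) for a report in the format above.
    entries = []
    for m in ENTRY_RE.finditer(text):
        name = NAME_RE.search(m.group("text"))
        entries.append({
            "path": m.group("path"),
            "name": name.group(1) if name else m.group("text"),
            "quarantine": m.group("qua"),
            "location": classify(m.group("path")),
        })
    summary = {}
    for key, regex in SUMMARY_RE.items():
        hit = regex.search(text)
        summary[key] = int(hit.group(1)) if hit else None
    return entries, summary

def tally(entries, key):
    # Count entries by "location" or by "name".
    return Counter(e[key] for e in entries)

def totals_consistent(entries, summary):
    # In the report above 257 found + 2 suspicious = 259 quarantined, and every
    # parsed entry is one of those moves; a mismatch suggests a truncated paste.
    found, susp, quar = summary["found"], summary["suspicious"], summary["quarantined"]
    if None in (found, susp, quar):
        return False
    return quar == found + susp and len(entries) == quar
```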

#14 RichieUK

RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 18 December 2007 - 08:34 AM

Your log is clean :thumbsup:, please do the following:

Please double-click OTMoveIt.exe to run it.
Click on the 'Cleanup' button.
When you do this a text file named cleanup.txt will be downloaded from the internet.
If you get a warning from your firewall or other security programs regarding OTMoveIt attempting to contact the internet, you should allow it to do so.
When the 'Confirm' box appears, click 'Yes'.
Restart your PC when prompted.

Click on Start/All Programs/Accessories/System Tools/System Restore.
In the 'System Restore' window, click on the 'Create a Restore Point' button, then click 'Next'.
In the window that appears, enter a description/name for the Restore Point, then click on 'Create', wait, then click 'Close'.
The date and time will be created automatically.

Next click on Start/All Programs/Accessories/System Tools/Disk Cleanup.
The 'Select Drive' box will appear, click on Ok.
The 'Disk Cleanup for [C:]' box will appear, click on the 'More Options' tab.
At the bottom in the 'System Restore' window, click on the 'Clean up...' button.
A box will pop up 'Are you sure you want to delete all but the most recent restore point?', click on 'Yes'.
Click on 'Yes' at 'Are you sure you want to perform these actions?'.
Now wait until 'Disk Cleanup' finishes and the box disappears.

You should take the time to read and follow the information found in the links below, to help you prevent any possible future infections and stay safe and secure while online:

Simple and easy ways to keep your computer safe and secure on the Internet:
http://www.bleepingcomputer.com/tutorials/keep-your-computer-safe-online/

How to prevent Malware:
http://users.telenet.be/bluepatchy/miekiem...prevention.html

So how did I get infected in the first place:
http://forums.spybot.info/showthread.php?t=279

Malware Cleanup Programs and Preventative Procedures:
http://russelltexas.com/malware/allclear.htm