
Big Time Computer Troubles


9 replies to this topic

#1 The7thSon

The7thSon

  • Members
  • 62 posts
  • OFFLINE
  • Local time:02:31 AM

Posted 09 January 2008 - 09:44 PM

To Whom This May Concern:

A co-worker recommended I post my HJT log here, because there are many reliable experts here in the field of malware removal. Sometimes I can't go on IE without getting popups or phony URLs every time I click on a google result. The URL is usually webelight, and I've read that this is spyware of some kind. As of right now, I'm getting this infernal dwwin that seems to be the cause of everything shutting down that I try to open. I've tried Ad-Aware, SuperAntiSpyware and Spybot, but none work. Also, I'm sure there are other things listed in the log that are the cause of messing up my PC. I trust your judgment and thank you for all of your help.

Here is my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:11 PM, on 09/01/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\_svchost.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\IE New Window Maximizer\iemaximizer .exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\dwwin.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell.ca/myway
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray.exe"
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\disabled-wzcsldr2.exe
O4 - HKLM\..\Run: [McRegWiz] C:\PROGRA~1\mcafee.com\agent\mcregwiz.exe /autorun
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Softany Monitor Control] C:\Program Files\Softany\Monitor Control\MonitorControl.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-21-4001477295-3029157332-3093314391-1006\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background (User '?')
O4 - HKUS\S-1-5-21-4001477295-3029157332-3093314391-1006\..\Run: [Softany Monitor Control] C:\Program Files\Softany\Monitor Control\MonitorControl.exe (User '?')
O4 - HKUS\S-1-5-21-4001477295-3029157332-3093314391-1006\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" (User '?')
O4 - HKUS\S-1-5-21-4001477295-3029157332-3093314391-1006\..\Run: [IE New Window Maximizer] C:\Program Files\IE New Window Maximizer\iemaximizer.exe (User '?')
O4 - HKUS\S-1-5-21-4001477295-3029157332-3093314391-1006\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User '?')
O4 - HKUS\S-1-5-21-4001477295-3029157332-3093314391-1006\..\Run: [Orb] "C:\Program Files\Winamp Remote\bin\OrbTray.exe" /background (User '?')
O4 - HKUS\S-1-5-21-4001477295-3029157332-3093314391-1006\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe (User '?')
O4 - HKUS\S-1-5-18\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe (User '?')
O4 - HKUS\.DEFAULT\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{53A91E97-E883-4194-9FE5-812958189669}: NameServer = 85.255.116.53,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AB599FF-CD0D-45A1-A3B1-754AE22E3385}: NameServer = 85.255.116.53,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{A325420C-FCDE-4AAA-8221-1E5591DCDED2}: NameServer = 85.255.116.53,85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.53 85.255.112.7
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.53 85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.53 85.255.112.7
O20 - AppInit_DLLs: sysdiag.dll
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\dlktrjli.exe (file missing)
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee SystemGuards (McSysmon) - Unknown owner - C:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe (file missing)
O23 - Service: Microsoft Inet Services - Unknown owner - C:\WINDOWS\system32\_svchost.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe

--
End of file - 9919 bytes

Edited by The7thSon, 09 January 2008 - 09:49 PM.




#2 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:07:31 AM

Posted 11 January 2008 - 05:11 PM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, The7thSon.
My name is Richie and I'll be helping you to fix your problems.

It appears you've no virus protection installed, which is somewhat suicidal.
Please download/install Avira AntiVir Personal Edition Classic [Free]:
http://www.free-av.com/
Perform a full scan with Avira and allow it to delete everything it detects.
Restart your PC when you've done.
After restart, open Avira Antivirus and select "Reports".
Then double click the report from the full scan you have just completed.
Click the "Report File" button, then copy and paste the report into your next reply.


Please download FixWareout:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it.
Click Next, then Install, then make sure "Run fixit" is checked and click Finish.
The fix will begin; follow the prompts.
You will be asked to reboot your computer; please do so.
Your system may take longer than usual to load; this is normal.

When your system reboots, follow the prompts.
Afterwards, HijackThis will launch; if it doesn't, launch it manually.
Please click Scan, and checkmark the following items:

O17 - HKLM\System\CCS\Services\Tcpip\..\{53A91E97-E883-4194-9FE5-812958189669}: NameServer = 85.255.116.53,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{5AB599FF-CD0D-45A1-A3B1-754AE22E3385}: NameServer = 85.255.116.53,85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\..\{A325420C-FCDE-4AAA-8221-1E5591DCDED2}: NameServer = 85.255.116.53,85.255.112.7
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.116.53 85.255.112.7
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 85.255.116.53 85.255.112.7
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.53 85.255.112.7


Click 'Fix Checked'.
Close HijackThis, and click OK to proceed.
At the end of the fix you may need to restart your computer again.

Finally, please post the contents of the logfile C:\fixwareout\report.txt.

Please Note:
Only do the following if you have connection problems after performing the above steps:
Go to Start > Control Panel, and choose 'Network Connections'.
Then right click on your default connection, usually 'Local Area Connection' or 'Dial-up Connection' if you are using Dial-up, then left click on 'Properties'.
Double-click on the 'Internet Protocol (TCP/IP)' item and select the radio button that says: 'Obtain DNS servers Automatically'.
Click OK twice, then restart your computer.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download Combofix by sUBs and save to your desktop:
Note
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your Antivirus or any other realtime scanner is displaying an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Also post a new HijackThis log please.
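Richie's instructions single out the O17 NameServer lines for fixing, but the first log also shows several other entry types that a reviewer checks in the same pass: an autorun launched from C:\WINDOWS\TEMP, an AppInit_DLLs entry, a registry-editor policy lock, a service whose binary path is an NTFS alternate data stream (the `svchost.exe:ext.exe` form), and orphaned "(file missing)" entries. The following Python script is an added example written for this page, not a BleepingComputer, HijackThis or FixWareout tool: it parses HijackThis-style entry lines and flags those patterns so a reader can see why each line drew attention. The sample lines are copied from the logs posted in this thread (the F2 line is from the second log); the rule names, the `Finding` structure and the `triage` function are the example's own.

```python
import re
from dataclasses import dataclass

# Constructed sample input: lines copied from the HijackThis logs posted in this
# thread (the real logs are much longer; this excerpt keeps one of each pattern).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 0.0.0.0:80
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [kdfgj9odjkg904gffdftdf] C:\WINDOWS\TEMP\winlogan.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.116.53 85.255.112.7
O20 - AppInit_DLLs: sysdiag.dll
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINDOWS\system32\Frjkfl4g.dll (file missing)
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
F2 - REG:system.ini: Shell=Explorer.exe svcroot.exe
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O17"
    reason: str    # short explanation of why the line was flagged
    line: str      # the log line that triggered it


# Every HijackThis entry line starts with a section code, a dash and the body.
_LINE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Legitimate autoruns and services almost never execute from a temp directory.
_TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
# "something.exe:name" is an NTFS alternate data stream, not a normal file path.
_ADS_PATH = re.compile(r"\.exe:[^\\\s]+", re.IGNORECASE)


def parse(log_text):
    """Yield (section, body, stripped line) for each entry; headers are skipped."""
    for raw in log_text.splitlines():
        stripped = raw.strip()
        m = _LINE.match(stripped)
        if m:
            yield m.group("sec"), m.group("body"), stripped


def triage(log_text):
    """Apply the review rules to every entry and return the list of findings."""
    findings = []
    for sec, body, line in parse(log_text):
        reasons = []
        if sec == "O17" and "NameServer" in body:
            reasons.append("hard-coded DNS servers in the registry (fix in this thread: reset to automatic)")
        if sec == "O7" and "DisableRegedit=1" in body:
            reasons.append("registry editor disabled by policy")
        if sec == "O20" and body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            reasons.append("AppInit_DLLs loads a DLL into every process that uses user32")
        if sec == "F2":
            key, _, value = body.partition("=")
            if key.endswith("Shell") and value.strip().lower() != "explorer.exe":
                reasons.append("Winlogon Shell runs something besides Explorer.exe")
            if key.endswith("UserInit") and any(
                "userinit.exe" not in part.lower() for part in value.split(",") if part.strip()
            ):
                reasons.append("Winlogon UserInit chain contains an extra executable")
        if sec == "R1" and "ProxyServer" in body:
            reasons.append("IE proxy server configured; confirm it is intended")
        if _TEMP_DIR.search(body):
            reasons.append("autorun or service executes from a temp directory")
        if _ADS_PATH.search(body):
            reasons.append("executable path is an NTFS alternate data stream")
        if "Unknown owner" in body:
            reasons.append("service has no publisher string")
        if "(file missing)" in body:
            reasons.append("orphaned entry: the referenced file is missing")
        findings.extend(Finding(sec, reason, line) for reason in reasons)
    return findings


def by_section(findings):
    """Count findings per section code for a quick overview."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

A flagged line is a lead for a human reviewer, not a verdict: "Unknown owner" also appears on legitimately unsigned services, and a proxy setting may be deliberate. The clean SoundMAX and NVIDIA lines in the sample pass without a finding, which is the check that the rules are not simply matching everything.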

#3 The7thSon

The7thSon
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  • Local time:02:31 AM

Posted 14 January 2008 - 04:55 PM

Hello again, this is my second reply, as requested.

First, I would like to point out that I have run all of these checks on a second version of WinXP because I could not open anything at all in my main one, and even the Taskmgr was denied when trying to run a program manually. Second, you mentioned potential internet connection problems arising, and I was wondering if downloading these programs (Combofix, Fixwareout) at unbearable speeds of less than 5kbps is a factor.

************************

AntiVir PersonalEdition Classic
Report file date: Sunday, January 13, 2008 20:39

Scanning for 835736 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (plain) [5.1.2600]
Username: SYSTEM
Computer name: SEVENTHSON

Version information:
BUILD.DAT : 270 15603 Bytes 9/19/2007 13:32:00
AVSCAN.EXE : 7.0.6.1 290856 Bytes 8/23/2007 19:16:29
AVSCAN.DLL : 7.0.6.0 49192 Bytes 8/16/2007 18:23:51
LUKE.DLL : 7.0.5.3 147496 Bytes 8/14/2007 21:32:47
LUKERES.DLL : 7.0.6.1 10280 Bytes 8/21/2007 18:35:20
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 20:27:15
ANTIVIR1.VDF : 7.0.0.0 1640448 Bytes 9/13/2007 20:26:55
ANTIVIR2.VDF : 7.0.0.1 2048 Bytes 9/13/2007 20:27:04
ANTIVIR3.VDF : 7.0.0.2 2048 Bytes 9/13/2007 20:27:13
AVEWIN32.DLL : 7.6.0.15 2806272 Bytes 9/17/2007 23:43:56
AVWINLL.DLL : 1.0.0.7 14376 Bytes 2/26/2007 16:36:26
AVPREF.DLL : 7.0.2.2 25640 Bytes 7/18/2007 13:39:17
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:16:24
AVPACK32.DLL : 7.3.0.15 360488 Bytes 8/3/2007 14:46:00
AVREG.DLL : 7.0.1.6 30760 Bytes 7/18/2007 13:17:06
AVARKT.DLL : 1.0.0.20 278568 Bytes 8/28/2007 18:26:33
AVEVTLOG.DLL : 7.0.0.20 86056 Bytes 7/18/2007 13:10:18
NETNT.DLL : 7.0.0.0 7720 Bytes 3/8/2007 17:09:42
RCIMAGE.DLL : 7.0.1.30 2342952 Bytes 8/7/2007 18:38:13
RCTEXT.DLL : 7.0.62.0 86056 Bytes 8/21/2007 18:50:37
SQLITE3.DLL : 3.3.17.1 339968 Bytes 7/23/2007 15:37:21

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, January 13, 2008 20:39

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'wuauclt.exe' - '1' Module(s) have been scanned
Scan process 'windwdl.exe' - '1' Module(s) have been scanned
Scan process 'WgaTray.exe' - '1' Module(s) have been scanned
Scan process '_svchost.exe' - '1' Module(s) have been scanned
Scan process 'msmsgs.exe' - '1' Module(s) have been scanned
Scan process 'wingquj.exe' - '1' Module(s) have been scanned
Scan process 'WZCSLDR2.exe' - '1' Module(s) have been scanned
Scan process 'AirGCFG.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'IEXPLORE.EXE' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
28 processes with 28 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.
C:\Documents and Settings\All Users.WINXP2\Documents\Settings\partnership.dll
[WARNING] The file could not be opened!
The registry was scanned ( '24' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Administrator.SEVENTHSON\Local Settings\Temp\winavys.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Administrator.SEVENTHSON\Local Settings\Temp\winbcvwla.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Administrator.SEVENTHSON\Local Settings\Temp\windfcou.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Administrator.SEVENTHSON\Local Settings\Temp\windlxfbg.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Administrator.SEVENTHSON\Local Settings\Temp\windmund.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Administrator.SEVENTHSON\Local Settings\Temp\winenpvqu.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Administrator.SEVENTHSON\Local Settings\Temp\wingslu.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Administrator.SEVENTHSON\Local Settings\Temp\winmdbyx.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Administrator.SEVENTHSON\Local Settings\Temp\winptqxi.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Administrator.SEVENTHSON\Local Settings\Temp\winqyfduf.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Administrator.SEVENTHSON\Local Settings\Temp\winwtqdab.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\Documents and Settings\Administrator.SEVENTHSON\Local Settings\Temporary Internet Files\Content.IE5\OPQRSTUV\CAT04JLP
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\Documents and Settings\All Users.WINXP2\Documents\Settings\partnership.dll
[WARNING] The file could not be opened!
C:\WINXP2\fkwggshm.exe
[DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
[INFO] The file was deleted!
C:\WINXP2\system32\2ad10f.exe
[DETECTION] Contains suspicious code HEUR/Malware
[WARNING] An error has occurred and the file was not deleted. ErrorID: 16003
[WARNING] The file could not be deleted!
C:\WINXP2\system32\3f847f.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47c2d5bf.qua'!
C:\WINXP2\system32\543530.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47bdd58e.qua'!
C:\WINXP2\system32\68deec.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '47eed592.qua'!
C:\WINXP2\system32\7d8caf.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '46aee848.qua'!
C:\WINXP2\system32\egmulhxk.dll
[DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
[WARNING] The file could not be deleted!
C:\WINXP2\Temp\100140.exe
[DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winaagda.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\wineuje.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winfsbvar.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winfshs.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winheyv.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winhhsly.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winhjff.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winjfbaui.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winjtxbgl.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winlsjcpy.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winmrfnnx.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winnhymhk.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winpidn.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\wintkxxgx.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winucjtqf.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winusjv.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winuwwdew.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winvkqfq.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winxlobau.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\WINXP2\Temp\winxxax.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!


End of the scan: Sunday, January 13, 2008 22:25
Used time: 1:46:04 min

The scan has been done completely.

11909 Scanning directories
402410 Files were scanned
35 viruses and/or unwanted programs were found
5 Files were classified as suspicious:
34 files were deleted
0 files were repaired
4 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
402375 Files not concerned
3894 Archives were scanned
5 Warnings
2 Notes


Username "Administrator" - 01/14/2008 7:39:20 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

Successfully flushed the DNS Resolver Cache.
System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
....
~~~~~ Misc files.
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"ANIWZCS2Service"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"IpSec"="C:\\WINXP2\\TEMP\\winogwah.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\QTTask.exe\" -atboottime"
"jkdfj94kgdftdf"="C:\\WINXP2\\TEMP\\winlogan.exe"
"PromoReg"="C:\\WINXP2\\System32\\alt.exe.exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"avgnt"="\"C:\\Program Files\\Avira\\AntiVir PersonalEdition Classic\\avgnt.exe\" /min"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"jkdfj94kgdftdf"="C:\\WINXP2\\TEMP\\winlogan.exe"
"svcroot"="C:\\WINXP2\\System32\\svcroot.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:48:28 AM, on 1/14/2008
Platform: Windows XP (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINXP2\System32\smss.exe
C:\WINXP2\system32\csrss.exe
C:\WINXP2\system32\winlogon.exe
C:\WINXP2\system32\services.exe
C:\WINXP2\system32\lsass.exe
C:\WINXP2\system32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINXP2\Explorer.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINXP2\System32\_svchost.exe
C:\WINXP2\System32\WgaTray.exe
C:\WINXP2\TEMP\winlacit.exe
C:\WINXP2\TEMP\winnrok.exe
C:\WINXP2\TEMP\winogwah.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINXP2\System32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Administrator.SEVENTHSON\Desktop\HiJackThis_v2.exe
C:\WINXP2\System32\wbem\wmiprvse.exe

F2 - REG:system.ini: Shell=Explorer.exe svcroot.exe
F2 - REG:system.ini: UserInit=C:\WINXP2\System32\lpcywinp.exe,C:\WINXP2\system32\userinit.exe,C:\WINXP2\System32\ntos.exe,
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {00000012-890e-4aac-afd9-eff6954a34dd} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {12F02779-6D88-4958-8AD3-83C12D86ADC7} - (no file)
O2 - BHO: (no name) - {1adbcce8-cf84-441e-9b38-afc7a19c06a4} - (no file)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINXP2\system32\egmulhxk.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: Microsoft copyright - {5DF6AFEE-2291-4041-9A74-354624861746} - ronods.dll (file missing)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {944864a5-3916-46e2-96a9-a2e84f3f1208} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: C:\WINXP2\System32\J8dj3jg.dll - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINXP2\System32\J8dj3jg.dll (file missing)
O2 - BHO: C:\WINXP2\System32\Hfkr4g.dll - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINXP2\System32\Hfkr4g.dll (file missing)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: Flash Module - {B9249083-6055-476c-A69D-13E110BFEA91} - tconn1.dll (file missing)
O2 - BHO: (no name) - {bb936323-19fa-4521-ba29-eca6a121bc78} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {c5af2622-8c75-4dfb-9693-23ab7686a456} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP2\System32\msdxm.ocx
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [IpSec] C:\WINXP2\TEMP\winogwah.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [jkdfj94kgdftdf] C:\WINXP2\TEMP\winlogan.exe
O4 - HKLM\..\Run: [PromoReg] C:\WINXP2\System32\alt.exe.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [jkdfj94kgdftdf] C:\WINXP2\TEMP\winlogan.exe
O4 - HKCU\..\Run: [svcroot] C:\WINXP2\System32\svcroot.exe
O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINXP2\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jkdfj94kgdftdf] C:\WINXP2\TEMP\winlogan.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINXP2\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINXP2\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200147247206
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users.WINXP2\Documents\Settings\partnership.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINXP2\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINXP2\System32\browseui.dll
O22 - SharedTaskScheduler: sklfc94krteetj - {B5AC49A2-94F2-42BD-F434-2604812C897D} - C:\WINXP2\System32\J8dj3jg.dll (file missing)
O22 - SharedTaskScheduler: JGhsdk393ktrfggh9dtj - {B5AF0562-94F3-42BD-F434-2604812C797D} - C:\WINXP2\System32\Hfkr4g.dll (file missing)
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: CcEvtSvc - Unknown owner - C:\WINXP2\System32\CcEvtSvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Int Service - Unknown owner - C:\WINXP2\System32\_svchost.exe

--
End of file - 6619 bytes

ComboFix 08-01-09.2 - Administrator 2008-01-14 8:04:22.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.343 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator.SEVENTHSON\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator.SEVENTHSON\~tmp1174.exe
C:\Documents and Settings\All Users.WINXP2.\documents\settings\config.ini
C:\Documents and Settings\All Users.WINXP2.\documents\settings\partnership.dll
C:\Program Files\3721
C:\Program Files\3721\assist\asbar.dll
C:\Program Files\3721\helper.dll
C:\Program Files\Accoona
C:\Program Files\Accoona\ASearchAssist.dll
C:\Program Files\akl
C:\Program Files\akl\akl.dll
C:\Program Files\akl\akl.exe
C:\Program Files\akl\curlog.htm
C:\Program Files\akl\keylog.txt
C:\Program Files\akl\readme.txt
C:\Program Files\akl\uninstall.exe
C:\Program Files\akl\unsetup.dat
C:\Program Files\akl\unsetup.exe
C:\Program Files\amsys
C:\Program Files\amsys\awmsg.dat
C:\Program Files\amsys\guid.dat
C:\Program Files\amsys\ijl15.dll
C:\Program Files\amsys\mfc42.dll
C:\Program Files\amsys\msvcrt.dll
C:\Program Files\amsys\unins000.dat
C:\Program Files\amsys\unis000.exe
C:\Program Files\amsys\winam.dat
C:\Program Files\e-zshopper
C:\Program Files\e-zshopper\BarLcher.dll
C:\Program Files\eliteprotector
C:\Program Files\Helper
C:\Program Files\p2pnetworks
C:\Program Files\p2pnetworks\amp2pl.exe
C:\Program Files\SecCenter
C:\WINXP2\764.exe
C:\WINXP2\7search.dll
C:\WINXP2\absolute key logger.lnk
C:\WINXP2\aconti.exe
C:\WINXP2\aconti.ini
C:\WINXP2\aconti.log
C:\WINXP2\aconti.sdb
C:\WINXP2\acontidialer.txt
C:\WINXP2\adbar.dll
C:\WINXP2\cbinst$.exe
C:\WINXP2\daxtime.dll
C:\WINXP2\default.htm
C:\WINXP2\dp0.dll
C:\WINXP2\eventlowg.dll
C:\WINXP2\fhfmm-Uninstaller.exe
C:\WINXP2\fhfmm.exe
C:\WINXP2\flt.dll
C:\WINXP2\hcwprn.exe
C:\WINXP2\hotporn.exe
C:\WINXP2\ie_32.exe
C:\WINXP2\iexplorr23.dll
C:\WINXP2\jd2002.dll
C:\WINXP2\kkcomp$.exe
C:\WINXP2\kkcomp.dll
C:\WINXP2\kkcomp.exe
C:\WINXP2\kvnab$.exe
C:\WINXP2\kvnab.dll
C:\WINXP2\kvnab.exe
C:\WINXP2\liqad$.exe
C:\WINXP2\liqad.dll
C:\WINXP2\liqad.exe
C:\WINXP2\liqui-Uninstaller.exe
C:\WINXP2\liqui.dll
C:\WINXP2\liqui.exe
C:\WINXP2\ngd.dll
C:\WINXP2\pbar.dll
C:\WINXP2\pbsysie.dll
C:\WINXP2\settn.dll
C:\WINXP2\spredirect.dll
C:\WINXP2\system32\_svchost.exe
C:\WINXP2\system32\~.exe
C:\WINXP2\system32\109d7d8.exe
C:\WINXP2\system32\10f9b.exe
C:\WINXP2\system32\112361e.exe
C:\WINXP2\system32\11eb99c.exe
C:\WINXP2\system32\126e46e.exe
C:\WINXP2\system32\133d953.exe
C:\WINXP2\system32\13ab2.exe
C:\WINXP2\system32\13b8c65.exe
C:\WINXP2\system32\14486.exe
C:\WINXP2\system32\148887e.exe
C:\WINXP2\system32\150412d.exe
C:\WINXP2\system32\1532c.exe
C:\WINXP2\system32\15a7c3.exe
C:\WINXP2\system32\15d42f3.exe
C:\WINXP2\system32\15ecda.exe
C:\WINXP2\system32\161041.exe
C:\WINXP2\system32\161283.exe
C:\WINXP2\system32\162a70.exe
C:\WINXP2\system32\163983.exe
C:\WINXP2\system32\16414.exe
C:\WINXP2\system32\1658cd6.exe
C:\WINXP2\system32\16ba3c.exe
C:\WINXP2\system32\1726c.exe
C:\WINXP2\system32\1728758.exe
C:\WINXP2\system32\17961.exe
C:\WINXP2\system32\17c728.exe
C:\WINXP2\system32\18529.exe
C:\WINXP2\system32\1876dfe.exe
C:\WINXP2\system32\18f0366.exe
C:\WINXP2\system32\19c4ed7.exe
C:\WINXP2\system32\1a3acc4.exe
C:\WINXP2\system32\1b179e8.exe
C:\WINXP2\system32\1b85f1b.exe
C:\WINXP2\system32\1c65af1.exe
C:\WINXP2\system32\1cd09b2.exe
C:\WINXP2\system32\1db4000.exe
C:\WINXP2\system32\1efef3a.exe
C:\WINXP2\system32\21fdf52.exe
C:\WINXP2\system32\25faa.exe
C:\WINXP2\system32\2a7bfa.exe
C:\WINXP2\system32\2a95db.exe
C:\WINXP2\system32\2adf38.exe
C:\WINXP2\system32\2ae9e6.exe
C:\WINXP2\system32\2be3c7.exe
C:\WINXP2\system32\2ca496.exe
C:\WINXP2\system32\31a01.exe
C:\WINXP2\system32\3f9018.exe
C:\WINXP2\system32\3fd389.exe
C:\WINXP2\system32\40ca9b.exe
C:\WINXP2\system32\5439d4.exe
C:\WINXP2\system32\5494d5.exe
C:\WINXP2\system32\55a6c2.exe
C:\WINXP2\system32\56bb10.exe
C:\WINXP2\system32\61c1f0.exe
C:\WINXP2\system32\68e787.exe
C:\WINXP2\system32\6b0259.exe
C:\WINXP2\system32\6b6326.exe
C:\WINXP2\system32\76f639.exe
C:\WINXP2\system32\7d9e24.exe
C:\WINXP2\system32\7fc308.exe
C:\WINXP2\system32\800ba9.exe
C:\WINXP2\system32\8bf885.exe
C:\WINXP2\system32\94c43a.exe
C:\WINXP2\system32\a0b8f5.exe
C:\WINXP2\system32\a98900.exe
C:\WINXP2\system32\ace16win.dll
C:\WINXP2\system32\acespy
C:\WINXP2\system32\acespy\__acelog.ndx
C:\WINXP2\system32\acespy\systune.exe
C:\WINXP2\system32\b5e8f8.exe
C:\WINXP2\system32\be5e02.exe
C:\WINXP2\system32\cb13ea.exe
C:\WINXP2\system32\conf.dat
C:\WINXP2\system32\d35dec.exe
C:\WINXP2\system32\dd7f.exe
C:\WINXP2\system32\dfe68a.exe
C:\WINXP2\system32\din.ip
C:\WINXP2\system32\dpqaqlqx.bin
C:\WINXP2\system32\drivers\blank.gif
C:\WINXP2\system32\drivers\box_2.gif
C:\WINXP2\system32\drivers\button_buynow.gif
C:\WINXP2\system32\drivers\button_freescan.gif
C:\WINXP2\system32\drivers\cell_bg.gif
C:\WINXP2\system32\drivers\cell_footer.gif
C:\WINXP2\system32\drivers\cell_header_block.gif
C:\WINXP2\system32\drivers\cell_header_remove.gif
C:\WINXP2\system32\drivers\cell_header_scan.gif
C:\WINXP2\system32\drivers\detect.htm
C:\WINXP2\system32\drivers\download_btn.jpg
C:\WINXP2\system32\drivers\download_now_btn.gif
C:\WINXP2\system32\drivers\footer_back.jpg
C:\WINXP2\system32\drivers\header_1.gif
C:\WINXP2\system32\drivers\header_2.gif
C:\WINXP2\system32\drivers\header_3.gif
C:\WINXP2\system32\drivers\header_4.gif
C:\WINXP2\system32\drivers\header_red_bg.gif
C:\WINXP2\system32\drivers\header_red_free_scan.gif
C:\WINXP2\system32\drivers\header_red_free_scan_bg.gif
C:\WINXP2\system32\drivers\header_red_protect_your_pc.gif
C:\WINXP2\system32\drivers\infected.gif
C:\WINXP2\system32\drivers\KGTJ56.sys
C:\WINXP2\system32\drivers\main_back.gif
C:\WINXP2\system32\drivers\product_2_header.gif
C:\WINXP2\system32\drivers\product_2_name_small.gif
C:\WINXP2\system32\drivers\product_features.gif
C:\WINXP2\system32\drivers\pt.htm
C:\WINXP2\system32\drivers\rating.gif
C:\WINXP2\system32\drivers\s_detect.htm
C:\WINXP2\system32\drivers\screenshot.jpg
C:\WINXP2\system32\drivers\sep_hor.gif
C:\WINXP2\system32\drivers\sep_vert.gif
C:\WINXP2\system32\drivers\shadow.jpg
C:\WINXP2\system32\drivers\shadow_bg.gif
C:\WINXP2\system32\drivers\spacer.gif
C:\WINXP2\system32\drivers\star.gif
C:\WINXP2\system32\drivers\star_gray.gif
C:\WINXP2\system32\drivers\star_gray_small.gif
C:\WINXP2\system32\drivers\star_small.gif
C:\WINXP2\system32\drivers\style.css
C:\WINXP2\system32\drivers\symavc32.sys
C:\WINXP2\system32\drivers\v.gif
C:\WINXP2\system32\drivers\warning_icon.gif
C:\WINXP2\system32\drivers\win_logo.gif
C:\WINXP2\system32\drivers\x.gif
C:\WINXP2\system32\e83d10.exe
C:\WINXP2\system32\ESHOPEE.exe
C:\WINXP2\system32\f0e7.exe
C:\WINXP2\system32\f4dabd.exe
C:\WINXP2\system32\fd6d9f.exe
C:\WINXP2\system32\fd8435.exe
C:\WINXP2\system32\kr_done1
C:\WINXP2\system32\lt.res
C:\WINXP2\system32\msole32.exe
C:\WINXP2\system32\stfv.bin
C:\WINXP2\system32\svcp.csv
C:\WINXP2\system32\sznf.ascii
C:\WINXP2\system32\vxddsk.exe
C:\WINXP2\system32\winsub.xml
C:\WINXP2\system32\wml.exe
C:\WINXP2\system32\wsock3.dll
C:\WINXP2\vxddsk.exe
C:\WINXP2\wbeCheck.exe
C:\WINXP2\wbeInst$.exe
C:\WINXP2\wml.exe
C:\WINXP2\xadbrk.dll
C:\WINXP2\xadbrk.exe
C:\WINXP2\xadbrk_.exe
C:\WINXP2\xxxvideo.exe
C:\Documents and Settings\All Users.WINXP2.\documents\settings

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_KGTJ56
-------\NdisWon


((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
.

2008-01-14 08:11 . 2008-01-14 08:11 81,920 --a------ C:\WINXP2\system32\io532031.dll
2008-01-14 08:11 . 2008-01-14 08:11 44,686 --ah----- C:\WINXP2\system32\io532031.dl_
2008-01-14 08:02 . 2000-08-31 08:00 51,200 --a------ C:\WINXP2\NirCmd.exe
2008-01-14 07:42 . 2008-01-14 07:42 27,648 --a------ C:\WINXP2\system32\25c3f.exe
2008-01-14 07:40 . 2008-01-14 08:13 81,920 --a------ C:\WINXP2\system32\ho532031.dll
2008-01-14 07:40 . 2008-01-14 08:13 44,686 --ah----- C:\WINXP2\system32\ho532031.dl_
2008-01-14 07:37 . 2008-01-14 07:37 27,648 --a------ C:\WINXP2\system32\ce2d.exe
2008-01-14 07:29 . 2008-01-14 07:29 27,648 --a------ C:\WINXP2\system32\1efe632.exe
2008-01-14 05:57 . 2008-01-14 05:57 27,648 --a------ C:\WINXP2\system32\19c16df.exe
2008-01-14 05:34 . 2008-01-14 05:34 27,648 --a------ C:\WINXP2\system32\1873d88.exe
2008-01-14 05:11 . 2008-01-14 05:12 27,648 --a------ C:\WINXP2\system32\171e7ec.exe
2008-01-14 04:48 . 2008-01-14 04:48 27,648 --a------ C:\WINXP2\system32\15d2d86.exe
2008-01-14 04:26 . 2008-01-14 04:26 27,648 --a------ C:\WINXP2\system32\1487e6b.exe
2008-01-14 04:03 . 2008-01-14 04:03 27,648 --a------ C:\WINXP2\system32\13364ee.exe
2008-01-14 03:40 . 2008-01-14 03:40 27,648 --a------ C:\WINXP2\system32\11e850f.exe
2008-01-14 03:17 . 2008-01-14 03:17 27,648 --a------ C:\WINXP2\system32\109815c.exe
2008-01-13 23:14 . 2008-01-14 00:14 5,120 --a------ C:\WINXP2\system32\2ac0e2.exe
2008-01-13 20:35 . 2008-01-13 20:35 81,920 --a------ C:\WINXP2\system32\un532031.dll
2008-01-13 20:35 . 2008-01-13 20:35 44,686 --ah----- C:\WINXP2\system32\un532031.dl_
2008-01-13 19:55 . 2008-01-14 07:48 81,920 --a------ C:\WINXP2\system32\tn532031.dll
2008-01-13 19:55 . 2008-01-14 07:55 44,686 --ah----- C:\WINXP2\system32\tn532031.dl_
2008-01-13 10:02 . 2008-01-13 10:02 0 --a------ C:\WINXP2\system32\MI6.tmp
2008-01-13 10:02 . 2008-01-13 10:02 0 --a------ C:\WINXP2\system32\MI4.tmp
2008-01-13 10:01 . 2008-01-13 10:01 61,952 --a------ C:\winykgd.exe
2008-01-13 03:23 . 2008-01-13 09:07 25,600 --a------ C:\WINXP2\system32\ronods.dll
2008-01-13 03:23 . 2008-01-13 03:45 25,600 --a------ C:\WINXP2\system32\judgemq.dll
2008-01-13 03:22 . 2008-01-13 03:22 <DIR> d-------- C:\Program Files\Avira
2008-01-13 03:21 . 2008-01-14 08:13 81,920 --a------ C:\WINXP2\system32\vk986255.dll
2008-01-13 03:21 . 2008-01-14 08:13 81,920 --a------ C:\WINXP2\system32\lm532031.dll
2008-01-13 03:21 . 2008-01-14 08:13 81,920 --a------ C:\WINXP2\system32\jm532031.dll
2008-01-13 03:21 . 2008-01-14 08:13 44,686 --ah----- C:\WINXP2\system32\vk986255.dl_
2008-01-13 03:21 . 2008-01-14 08:13 44,686 --ah----- C:\WINXP2\system32\lm532031.dl_
2008-01-13 03:21 . 2008-01-14 08:13 44,686 --ah----- C:\WINXP2\system32\jm532031.dl_
2008-01-13 03:21 . 2008-01-14 08:13 5,077 --a------ C:\WINXP2\system32\drivers\lfhnen.sys
2008-01-12 20:29 . 2008-01-13 03:22 <DIR> d-------- C:\Documents and Settings\All Users.WINXP2\Application Data\Avira
2008-01-12 19:27 . 2008-01-12 19:27 13,312 --a------ C:\WINXP2\system32\20b28d5.exe
2008-01-12 19:04 . 2008-01-12 19:04 13,312 --a------ C:\WINXP2\system32\1f663b1.exe
2008-01-12 18:42 . 2008-01-12 18:42 7,680 --a------ C:\WINXP2\system32\1e1b736.exe
2008-01-12 16:49 . 2008-01-12 16:49 7,680 --a------ C:\WINXP2\system32\17a4ebd.exe
2008-01-12 12:07 . 2008-01-12 12:07 61,952 --a------ C:\winnicb.exe
2008-01-12 12:07 . 2008-01-12 12:07 0 --a------ C:\WINXP2\system32\MI31.tmp
2008-01-12 12:07 . 2008-01-12 12:07 0 --a------ C:\WINXP2\system32\MI2F.tmp
2008-01-12 11:47 . 2008-01-12 11:47 61,952 --a------ C:\winidpn.exe
2008-01-12 11:47 . 2008-01-12 11:47 0 --a------ C:\WINXP2\system32\MI2B.tmp
2008-01-12 11:35 . 2008-01-12 11:35 61,952 --a------ C:\winafhi.exe
2008-01-12 11:35 . 2008-01-12 11:35 0 --a------ C:\WINXP2\system32\MI29.tmp
2008-01-12 11:35 . 2008-01-12 11:35 0 --a------ C:\WINXP2\system32\MI27.tmp
2008-01-12 11:22 . 2008-01-12 11:22 61,952 --a------ C:\winpycy.exe
2008-01-12 11:22 . 2008-01-12 11:22 0 --a------ C:\WINXP2\system32\MI23.tmp
2008-01-12 11:11 . 2008-01-12 11:11 61,952 --a------ C:\winmiwc.exe
2008-01-12 11:11 . 2008-01-12 11:11 0 --a------ C:\WINXP2\system32\MI21.tmp
2008-01-12 11:11 . 2008-01-12 11:11 0 --a------ C:\WINXP2\system32\MI1F.tmp
2008-01-12 10:57 . 2008-01-12 10:57 61,952 --a------ C:\winhdza.exe
2008-01-12 10:57 . 2008-01-12 10:57 0 --a------ C:\WINXP2\system32\MI1D.tmp
2008-01-12 10:57 . 2008-01-12 10:57 0 --a------ C:\WINXP2\system32\MI1B.tmp
2008-01-12 10:45 . 2008-01-12 10:45 61,952 --a------ C:\wingxvx.exe
2008-01-12 10:45 . 2008-01-12 10:45 0 --a------ C:\WINXP2\system32\MI19.tmp
2008-01-12 10:45 . 2008-01-12 10:45 0 --a------ C:\WINXP2\system32\MI17.tmp
2008-01-12 10:38 . 2008-01-14 08:13 <DIR> d--hs---- C:\WINXP2\system32\wsnpoem
2008-01-12 10:32 . 2008-01-12 10:32 61,952 --a------ C:\winlkss.exe
2008-01-12 10:32 . 2008-01-12 10:32 0 --a------ C:\WINXP2\system32\MI13.tmp
2008-01-12 10:32 . 2008-01-12 10:32 0 --a------ C:\WINXP2\system32\MI11.tmp
2008-01-12 10:19 . 2008-01-12 10:19 61,952 --a------ C:\winymtl.exe
2008-01-12 10:19 . 2008-01-12 10:19 0 --a------ C:\WINXP2\system32\MID.tmp
2008-01-12 10:19 . 2008-01-12 10:19 0 --a------ C:\WINXP2\system32\MIB.tmp
2008-01-12 10:08 . 2008-01-12 10:08 63,488 --a------ C:\Documents and Settings\Administrator.SEVENTHSON\ie_updates3r.exe
2008-01-12 10:08 . 2008-01-14 08:09 283 --a------ C:\WINXP2\system32\svchost.tmp
2008-01-12 10:08 . 2008-01-12 18:11 36 --a------ C:\WINXP2\system32\svchost.t__
2008-01-12 10:07 . 2008-01-12 10:07 29 --a------ C:\WINXP2\system32\fdueiudo.tmp
2008-01-12 10:06 . 2008-01-12 10:06 61,952 --a------ C:\winpbmv.exe
2008-01-12 10:06 . 2008-01-12 10:06 0 --a------ C:\WINXP2\system32\MI2.tmp
2008-01-12 10:02 . 2008-01-12 10:02 <DIR> d-------- C:\Documents and Settings\All Users.WINXP2\Application Data\AntiVir PersonalEdition Classic
2008-01-12 09:38 . 2008-01-12 09:38 <DIR> d-------- C:\Documents and Settings\Administrator.SEVENTHSON\Application Data\Apple Computer
2008-01-12 09:38 . 2008-01-12 09:38 54,156 --ah----- C:\WINXP2\QTFont.qfn
2008-01-12 09:38 . 2008-01-12 09:38 1,409 --a------ C:\WINXP2\QTFont.for
2008-01-12 09:37 . 2008-01-12 09:37 <DIR> d-------- C:\Documents and Settings\All Users.WINXP2\Application Data\Apple Computer
2008-01-12 09:37 . 2008-01-12 09:37 <DIR> d-------- C:\Documents and Settings\All Users.WINXP2\Application Data\Apple
2008-01-12 09:24 . 2002-11-14 14:42 218,624 --a------ C:\WINXP2\system32\srrstr.dll
2008-01-12 09:24 . 2002-11-14 14:42 218,624 --a--c--- C:\WINXP2\system32\dllcache\srrstr.dll
2008-01-12 09:22 . 2008-01-12 09:28 <DIR> d--h-c--- C:\WINXP2\$xpsp1hfm$
2008-01-12 09:22 . 2004-01-10 00:11 26,112 --a------ C:\WINXP2\system32\xpsp1hfm.exe
2008-01-12 09:21 . 2008-01-13 04:03 4 --a------ C:\WINXP2\system32\jpewocmz.ini
2008-01-12 09:20 . 2008-01-12 09:20 39,936 --a------ C:\WINXP2\system32\winresponse32.exe
2008-01-12 09:20 . 2008-01-13 09:55 5,591 --a------ C:\WINXP2\system32\sft.res
2008-01-12 09:17 . 2008-01-12 09:17 <DIR> d-------- C:\WINXP2\system32\bits
2008-01-12 09:16 . 2004-07-01 17:08 361,984 --a--c--- C:\WINXP2\system32\dllcache\qmgr.dll
2008-01-12 09:16 . 2004-07-01 17:08 331,776 --a------ C:\WINXP2\system32\winhttp.dll
2008-01-12 09:16 . 2004-06-30 18:59 158,720 --------- C:\WINXP2\system32\xpob2res.dll
2008-01-12 09:16 . 2004-07-01 17:08 17,408 --a------ C:\WINXP2\system32\qmgrprxy.dll
2008-01-12 09:16 . 2004-07-01 17:08 17,408 --a--c--- C:\WINXP2\system32\dllcache\qmgrprxy.dll
2008-01-12 09:16 . 2004-07-01 17:08 7,680 -----c--- C:\WINXP2\system32\dllcache\bitsprx2.dll
2008-01-12 09:16 . 2004-07-01 17:08 7,680 --------- C:\WINXP2\system32\bitsprx2.dll
2008-01-12 09:16 . 2004-07-01 17:08 7,168 -----c--- C:\WINXP2\system32\dllcache\bitsprx3.dll
2008-01-12 09:16 . 2004-07-01 17:08 7,168 --------- C:\WINXP2\system32\bitsprx3.dll
2008-01-12 09:14 . 2008-01-12 09:14 <DIR> d---s---- C:\Documents and Settings\Administrator.SEVENTHSON\UserData
2008-01-12 09:14 . 2007-07-30 19:19 549,720 --a------ C:\WINXP2\system32\wuapi.dll
2008-01-12 09:14 . 2007-07-30 19:19 325,976 --a------ C:\WINXP2\system32\wucltui.dll
2008-01-12 09:14 . 2007-07-30 19:19 216,408 --a------ C:\WINXP2\system32\wuaucpl.cpl
2008-01-12 09:14 . 2007-07-30 19:19 43,352 --a------ C:\WINXP2\system32\wups2.dll
2008-01-12 09:14 . 2007-07-30 19:18 34,136 --a------ C:\WINXP2\system32\wucltui.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-13 00:19 --------- d-----w C:\Program Files\QuickTime
2008-01-13 00:19 --------- d-----w C:\Program Files\PowerISO
2008-01-13 00:14 --------- d-----w C:\Program Files\IE New Window Maximizer
2008-01-12 23:55 --------- d-----w C:\Program Files\AIM
2008-01-11 23:59 --------- d-----w C:\Program Files\MSN Messenger
2008-01-11 23:42 --------- d-----w C:\Program Files\iTunes
2008-01-09 06:56 --------- d-----w C:\Program Files\BOOTLEG
2008-01-08 04:27 --------- d-----w C:\Program Files\Winamp
2008-01-05 15:12 --------- d-----w C:\Program Files\Ztbylosi
2008-01-05 15:12 --------- d-----w C:\Program Files\vibgjefc
2008-01-05 15:12 --------- d-----w C:\Program Files\urgzmdyx
2008-01-05 15:12 --------- d-----w C:\Program Files\Sazlbkbu
2008-01-05 15:12 --------- d-----w C:\Program Files\gfstcdip
2008-01-05 15:12 --------- d-----w C:\Program Files\efwrwdqx
2008-01-04 06:49 --------- d-----w C:\Program Files\Frets on Fire
2007-11-30 22:42 --------- d-----w C:\Program Files\Soulseek-Test
2007-11-30 14:30 --------- d-----w C:\Program Files\DOSBox
2007-11-27 03:16 --------- d-----w C:\Program Files\MagicDVDRipper
2007-11-27 03:07 --------- d-----w C:\Program Files\iSofter
2007-11-16 14:18 --------- d-----w C:\Program Files\iPod
.
<pre>
----a-w		 1,462,272 2008-01-09 21:44:30  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w		   155,648 2008-01-09 21:44:27  C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w			90,112 2008-01-11 21:49:39  C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor .exe
----a-w		   237,568 2008-01-09 21:44:37  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w		   278,528 2008-01-13 08:15:09  C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatchTray .exe
----a-w		 1,286,144 2008-01-09 21:44:33  C:\Program Files\D-Link\AirPlus G\AirGCFG .exe
----a-w				 0 2008-01-11 12:50:14  C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
----a-w		   413,696 2008-01-11 21:49:48  C:\Program Files\IE New Window Maximizer\iemaximizer .exe
----a-w		   267,048 2008-01-09 21:44:34  C:\Program Files\iTunes\iTunesHelper .exe
----a-w		 5,674,352 2008-01-09 21:45:21  C:\Program Files\MSN Messenger\MsnMsgr .Exe
----a-w		   241,664 2008-01-11 12:59:47  C:\Program Files\PowerISO\PWRISOVM .EXE
----a-w		 1,744,896 2008-01-11 12:59:34  C:\Program Files\Roxio\Easy Media Creator 8\Drag to Disc\DrgToDsc .exe
----a-w		   538,112 2008-01-09 21:45:36  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
----a-w			73,216 2008-01-11 12:53:12  C:\Program Files\Unlocker\UnlockerAssistant .exe
----a-w		   528,384 2008-01-11 21:49:56  C:\Program Files\Winamp Remote\bin\OrbTray .exe
----a-w		   266,240 2008-01-11 21:48:52  C:\WINDOWS\ime\imjp8_1\IMJPMIG .EXE
----a-w		   101,376 2008-01-11 12:59:04  C:\WINDOWS\ime\imkr6_1\IMEKRMIG .EXE
----a-w			15,360 2008-01-11 13:00:03  C:\WINDOWS\system32\ctfmon .exe
----a-w			77,824 2008-01-09 21:44:54  C:\WINDOWS\system32\hkcmd .exe
----a-w		   114,688 2008-01-09 21:45:00  C:\WINDOWS\system32\igfxpers .exe
----a-w			94,208 2008-01-08 03:06:40  C:\WINDOWS\system32\igfxtray .exe
----a-w		   455,168 2008-01-11 12:59:13  C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP .EXE
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{477840F3-BA52-44D9-8E41-38D61CAA010F}]
C:\WINXP2\system32\egmulhxk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5DF6AFEE-2291-4041-9A74-354624861746}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B9249083-6055-476c-A69D-13E110BFEA91}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2001-08-02 07:14 1134592]
"jkdfj94kgdftdf"="C:\WINXP2\TEMP\winlogan.exe" [ ]
"svcroot"="C:\WINXP2\System32\svcroot.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2005-03-18 04:34 1286144]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2008-01-11 11:19 450560]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-12 21:44 401408]
"PromoReg"="C:\WINXP2\System32\alt.exe.exe" [ ]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2007-08-31 12:25 307200]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"jkdfj94kgdftdf"="C:\WINXP2\TEMP\winlogan.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\File system]
@="Driver Group"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vgasave.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}]
@="DiskDrive"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}]
@="Hdc"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}]
@="Keyboard"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}]
@="Mouse"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}]
@="System"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}]
@="Volume"

R0 avgntmgr;avgntmgr;C:\WINXP2\System32\DRIVERS\avgntmgr.sys [2007-07-18 14:22]
R1 avgntdd;avgntdd;C:\WINXP2\System32\DRIVERS\avgntdd.sys [2007-08-09 13:04]
S2 CcEvtSvc;CcEvtSvc;C:\WINXP2\System32\CcEvtSvc.exe []
S2 MCIDRV_2600_6_0;MCIDRV_2600_6_0;C:\WINXP2\System32\drivers\lfhnen.sys [2008-01-14 08:14]
S2 Microsoft Int Service;Microsoft Int Service;C:\WINXP2\System32\_svchost.exe []
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);C:\WINXP2\System32\DRIVERS\A3AB.sys [2005-03-22 18:17]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-12 14:37:10 C:\WINXP2\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-14 08:13:42
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINXP2\system32\lrito.ini 35188 bytes
C:\WINXP2\system32\lrito2b7d-10ae.sys 129792 bytes executable
C:\WINXP2\system32\ntos.exe 518656 bytes executable
C:\WINXP2\system32\wsnpoem
C:\WINXP2\system32\drivers\ntio922.sys 37632 bytes executable
C:\WINXP2\system32\drivers\ndisaluo.sys 7040 bytes executable

scan completed successfully
hidden files: 6

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\lrito2b7d-10ae]
"ImagePath"="\??\C:\WINXP2\system32\lrito2b7d-10ae.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\NDIS]

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ndisaluo]
"ImagePath"="\??\C:\WINXP2\System32\Drivers\ndisaluo.sys"
--

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\ntio922]
"ImagePath"="System32\Drivers\ntio922.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINXP2\system32\winlogon.exe
-> C:\WINXP2\System32\lm532031.dll

PROCESS: C:\WINXP2\Explorer.EXE [6.00.2600.0000]
-> C:\WINXP2\System32\lm532031.dll
-> C:\WINXP2\System32\jm532031.dll
-> C:\WINXP2\System32\vk986255.dll
-> C:\WINXP2\System32\ho532031.dll
.
Completion time: 2008-01-14 8:17:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-14 13:17:42
.
2008-01-12 14:30:46 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:55:15 PM, on 1/14/2008
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINXP2\System32\smss.exe
C:\WINXP2\system32\csrss.exe
C:\WINXP2\system32\winlogon.exe
C:\WINXP2\system32\services.exe
C:\WINXP2\system32\lsass.exe
C:\WINXP2\system32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\System32\svchost.exe
C:\WINXP2\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINXP2\Explorer.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINXP2\System32\WgaTray.exe
C:\WINXP2\System32\wuauclt.exe
C:\DOCUME~1\ADMINI~1.SEV\LOCALS~1\Temp\wineuje.exe
C:\DOCUME~1\ADMINI~1.SEV\LOCALS~1\Temp\winucjtqf.exe
C:\DOCUME~1\ADMINI~1.SEV\LOCALS~1\Temp\winnhymhk.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINXP2\System32\wbem\wmiprvse.exe
C:\WINXP2\system32\NOTEPAD.EXE
C:\WINXP2\system32\NOTEPAD.EXE
C:\Documents and Settings\Administrator.SEVENTHSON\Desktop\HiJackThis.exe

F2 - REG:system.ini: UserInit=C:\WINXP2\system32\userinit.exe,C:\WINXP2\System32\ntos.exe,
O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINXP2\system32\egmulhxk.dll (file missing)
O2 - BHO: Microsoft copyright - {5DF6AFEE-2291-4041-9A74-354624861746} - ronods.dll (file missing)
O2 - BHO: Flash Module - {B9249083-6055-476c-A69D-13E110BFEA91} - tconn1.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINXP2\System32\msdxm.ocx
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [PromoReg] C:\WINXP2\System32\alt.exe.exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [IpSec] C:\DOCUME~1\ADMINI~1.SEV\LOCALS~1\Temp\winnhymhk.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [jkdfj94kgdftdf] C:\WINXP2\TEMP\winlogan.exe
O4 - HKCU\..\Run: [svcroot] C:\WINXP2\System32\svcroot.exe
O4 - HKUS\S-1-5-18\..\Run: [jkdfj94kgdftdf] C:\WINXP2\TEMP\winlogan.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [jkdfj94kgdftdf] C:\WINXP2\TEMP\winlogan.exe (User 'Default user')
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINXP2\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINXP2\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1200147247206
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: CcEvtSvc - Unknown owner - C:\WINXP2\System32\CcEvtSvc.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Microsoft Int Service - Unknown owner - C:\WINXP2\System32\_svchost.exe (file missing)

--
End of file - 3922 bytes

****
ps. When I tried to reboot to my main XP OS (let's call this "XP A") after all was said and done, to see if I could access the files again, the computer reboots itself. I can only log onto "XP B" now, that I had installed just to be able to run all these programs.

Edited by The7thSon, 14 January 2008 - 05:06 PM.
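The HijackThis and ComboFix output above is the thread's actual data. What follows is an added example, not part of the original post and not code from HijackThis or ComboFix: a small Python triage that applies a handful of rules to the kinds of lines shown in those logs (a second executable appended to UserInit, Run entries pointing into a Temp directory, services with no publisher or an image name imitating svchost.exe, registry entries whose binary is already gone, and files listed with a space before their extension). The sample lines embedded in it are copied from the logs above; the rules and the severity labels are this editor's own assumptions about what deserves a second look, not HijackThis output.

```python
"""Triage heuristics for HijackThis log lines.

Added example: not part of this thread, HijackThis or ComboFix. The sample
lines are copied from the logs posted above; the rules and severity labels
are this editor's own assumptions about what deserves a second look.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the second HijackThis log posted above.
SAMPLE_HJT = r"""
F2 - REG:system.ini: UserInit=C:\WINXP2\system32\userinit.exe,C:\WINXP2\System32\ntos.exe,
O2 - BHO: egmulhxk.msdn_hlp - {477840F3-BA52-44D9-8E41-38D61CAA010F} - C:\WINXP2\system32\egmulhxk.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [IpSec] C:\DOCUME~1\ADMINI~1.SEV\LOCALS~1\Temp\winnhymhk.exe
O4 - HKCU\..\Run: [jkdfj94kgdftdf] C:\WINXP2\TEMP\winlogan.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Microsoft Int Service - Unknown owner - C:\WINXP2\System32\_svchost.exe (file missing)
"""

# Constructed sample: two lines from the ComboFix <pre> block posted above.
SAMPLE_COMBOFIX = r"""
----a-w    1,462,272 2008-01-09 21:44:30  C:\Program Files\Analog Devices\Core\smax4pnp .exe
----a-w      267,048 2008-01-09 21:44:34  C:\Program Files\iTunes\iTunesHelper .exe
"""

Finding = Tuple[str, str, str]  # (severity, reason, offending log line)
TEMP_DIR = re.compile(r"\\(temp|tmp)\\", re.IGNORECASE)
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll|sys)$", re.IGNORECASE)


def check_userinit(line: str) -> List[Finding]:
    """F2 UserInit: anything listed besides userinit.exe runs at every
    logon, before the shell, in the logging-on user's context."""
    m = re.match(r"F2 - REG:system\.ini: UserInit=(.*)$", line)
    if not m:
        return []
    entries = [e.strip() for e in m.group(1).split(",") if e.strip()]
    extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
    return [("HIGH", "UserInit hijack: " + e, line) for e in extra]

def check_run_entry(line: str) -> List[Finding]:
    """O4 Run keys: no legitimate installer autostarts a binary that
    lives in a Temp directory."""
    m = re.match(r"O4 - \S+: \[[^\]]*\] (?P<rest>.*)$", line)
    if not m:
        return []
    rest = m.group("rest")  # either "quoted path" args, or a bare path
    path = rest[1:rest.index('"', 1)] if rest.startswith('"') else rest
    return [("HIGH", "autostart from a temp directory", line)] if TEMP_DIR.search(path) else []

def check_service(line: str) -> List[Finding]:
    """O23 services: no publisher string, or an image name that imitates
    svchost.exe without being it."""
    m = re.match(r"O23 - Service: .*? - (?P<owner>.*?) - (?P<path>.*)$", line)
    if not m:
        return []
    findings: List[Finding] = []
    if m.group("owner") == "Unknown owner":
        findings.append(("MEDIUM", "service binary with no publisher", line))
    image = m.group("path").replace(" (file missing)", "").rsplit("\\", 1)[-1].lower()
    if "svchost" in image and image != "svchost.exe":
        findings.append(("HIGH", "svchost look-alike: " + image, line))
    return findings

def triage(log: str) -> List[Finding]:
    findings: List[Finding] = []
    for line in (raw.strip() for raw in log.splitlines()):
        if not line:
            continue
        if "(file missing)" in line:
            # The registry still points at a binary that is gone; the
            # loader entry itself is what still needs cleaning up.
            findings.append(("LOW", "orphaned entry, binary already removed", line))
        findings += check_userinit(line) + check_run_entry(line) + check_service(line)
    return findings

def summarize(findings: List[Finding]) -> Dict[str, int]:
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts

def files_with_space_before_ext(listing: str) -> List[str]:
    """ComboFix lists names like 'smax4pnp .exe' separately: with a space
    inserted before the extension, the path recorded in that program's
    Run entry no longer resolves and the program silently stops starting."""
    hits = []
    for line in listing.splitlines():
        m = re.search(r"[A-Za-z]:\\.*$", line.rstrip())
        if m and SPACE_BEFORE_EXT.search(m.group(0)):
            hits.append(m.group(0))
    return hits


if __name__ == "__main__":
    for severity, reason, line in triage(SAMPLE_HJT):
        print(severity, reason, "<-", line)
    print(summarize(triage(SAMPLE_HJT)), files_with_space_before_ext(SAMPLE_COMBOFIX))
```

Run as a script it prints one line per finding. The rules are deliberately narrow so that a clean log with vendor-published Run entries and services produces nothing; they are a starting point for manual review of a log like the one above, not a verdict, and the backdoor indicators in this thread (the hidden driver and ntos.exe from the catchme section, the broken SafeBoot key) are exactly the kind of thing a line-by-line rule set will not score on its own.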


#4 RichieUK
    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 15 January 2008 - 05:26 AM

Your PC is extremely badly infected, to say the least, and you have a Backdoor Trojan present.
A Backdoor is a software program that gives an attacker unauthorized access to a machine and the means for remotely controlling the machine without the user's knowledge. A Backdoor compromises system integrity by making changes to the system that allow it to be used by the attacker for malicious purposes unknown to the user.

They are typically installed without user interaction through security exploits, and may allow an attacker to remotely control the infected machine. Such risks may allow the attacker to install additional malware and use the compromised machine to participate in denial of service attacks, spamming, and botnets, or to transmit sensitive data to a remote server. The malware may be cloaked and not visible to the user. These risks severely compromise the system by lowering security settings, installing 'backdoors,' infecting system files, or spreading to other networked machines.

If your computer was used for online banking or has credit card information on it, all passwords should be changed immediately, including those used for email, eBay and forums.
You should consider them to be compromised.
They should be changed using a different computer, not the infected one; if not, an attacker may get the new passwords and transaction information. Banking and credit card institutions should be notified of the possible security breach.

Since your computer was compromised read:
How to report ID theft, fraud, drive-by installs, hijacking and malware:
http://www.dslreports.com/faq/10451

When Should I Format, How Should I Reinstall:
http://www.dslreports.com/faq/10063

Let me know how you wish to proceed in your next reply.
I strongly suggest you backup any important data, reformat the drive and reinstall XP.

#5 The7thSon

The7thSon
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:02:31 AM

Posted 15 January 2008 - 10:46 AM

Hi,
I do use the Internet for Web banking, and after looking at the second link you posted, it was advised that I go to my banking site and change my password immediately. I did so (on another computer, to avoid any further theft). I also checked my account for any losses, and to my relief, there was none.

Then, I went back to the linked site from before, and it asked the question if I use my computer for more than games and music, and I don't. I am sure I could easily re-format my hard drive, but that seems like a last ditch effort. After installing my second version of WinXP, I did a few quick searches and found that all of my music, videos and photos were still intact, though not accessible. This raises a question I must ask you: Since all of my music is still intact, is it possible to retrieve all my music, videos and photos and back it up before re-formatting? I am a music junkie and I would completely lose my head if I had to go back and find all the music I put on the computer on various dvd-rs. Not to mention my iTunes library which I take very seriously. That file is also still on the computer, though again not accessible.

That is one concern. My second concern is for programs I have installed and registered on the computer but I've misplaced several of the install discs. I read a while ago about it being possible to retain these particular registered passwords and back them up as self-extracting software bundles for use on a new machine or freshly re-formatted hard drive.

To summarize, I also mentioned my troubles to a co-worker and he said that it is possible to install my hard drive in another working computer and use that computer to back my files up, so long as I don't open any of them. I hope I've explained everything that is bugging me about this.

Thanks for your continued help.

#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 15 January 2008 - 01:38 PM

Then, I went back to the linked site from before, and it asked the question if I use my computer for more than games and music, and I don't. I am sure I could easily re-format my hard drive, but that seems like a last ditch effort.

Ok then, if you want to have a go at cleaning up your system then let me know.

After installing my second version of WinXP, I did a few quick searches and found that all of my music, videos and photos were still intact, though not accessible.

You say they're not accessible, what happens if you try accessing them?

To summarize, I also mentioned my troubles to a co-worker and he said that it is possible to install my hard drive in another working computer and use that computer to back my files up, so long as I don't open any of them.

This is true.

#7 The7thSon

The7thSon
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:02:31 AM

Posted 15 January 2008 - 02:06 PM

After installing my second version of WinXP, I did a few quick searches and found that all of my music, videos and photos were still intact, though not accessible.

What I meant was I spotted all the filenames when running the scanning programs, which could only mean they're still there. I can't access them from my "second" WinXP, since I learned that two separate OS's on one machine cannot interact with one another.

Also, you've now given me reassurance that sticking my hard drive in another computer to back up my files is okay. Once the hard drive is installed in a friend's computer, though, where do I go from there? If I can't access my files from the other partition on my PC to begin with, how can I get to these files to burn them once they're on another machine?

Edited by The7thSon, 15 January 2008 - 02:08 PM.


#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 15 January 2008 - 02:22 PM

If I can't access my files from the other partition on my PC to begin with, how can I get to these files to burn them once they're on another machine?

Before fitting the drive into another pc, the jumpers on the back of the drive need setting to 'Slave'.

#9 The7thSon

The7thSon
  • Topic Starter

  • Members
  • 62 posts
  • OFFLINE
  •  
  • Local time:02:31 AM

Posted 22 January 2008 - 10:39 AM

Okay, I installed my hard drive in my friend's computer no problem. I had to tinker with the folder ownership settings so I could access the files, and that worked. He doesn't have a DVD burner but my computer does. Is it just as simple as swapping out his dvd-rom temporarily with my dvd burner so I can grab the stuff I want off my hard drive?

Edited by The7thSon, 22 January 2008 - 10:42 AM.


#10 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:07:31 AM

Posted 22 January 2008 - 11:20 AM

Is it just as simple as swapping out his dvd-rom temporarily with my dvd burner so I can grab the stuff I want off my hard drive?

Yes, as simple as that :thumbsup:
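The rescue procedure the thread settles on (mount the infected disk as a secondary drive in a clean machine, copy the data off, never open anything on it) is easy to get wrong by hand: a double-click on the wrong file on the mounted drive runs it on the clean host. The script below is an added example written for this page by the editor, not code from the thread or from BleepingComputer. It walks a source root (on the helper's machine that would be the mounted drive's letter, for example `E:\`, which is a placeholder here), copies only recognised media and library files byte-for-byte, prunes Windows system directories so they are never descended into, and refuses anything whose final extension can carry code, including disguised names such as `song.mp3.exe`. The directory tree it runs against is constructed inline so the example runs offline; the extension lists are the editor's assumptions, not a definitive catalogue.

```python
"""Copy user data off a disk mounted as a secondary drive without executing
anything on it.  Added example for this thread (editor's code, not the forum's).
"""
import os
import shutil
import tempfile
from pathlib import Path

# Data types the poster wanted to rescue: music, photos, video, the iTunes library.
# Assumption: these lists are the editor's, chosen for this example.
DATA_EXTENSIONS = {
    ".mp3", ".m4a", ".aac", ".flac", ".wav",      # music
    ".jpg", ".jpeg", ".png", ".gif",               # photos
    ".mp4", ".avi", ".mov", ".wmv",                # video
    ".xml", ".itl",                                # iTunes library files
}
# Anything whose last extension can carry code is never copied from an infected disk.
EXECUTABLE_EXTENSIONS = {
    ".exe", ".dll", ".scr", ".com", ".pif", ".bat", ".cmd",
    ".vbs", ".js", ".lnk", ".jar", ".hta",
}
# Directories on an XP system volume that hold OS files rather than user data.
SKIP_DIRS = {"windows", "program files", "system volume information", "recycler"}


def is_data_file(path) -> bool:
    """True only if the *final* extension is a data type and not an executable type.
    'song.mp3.exe' has suffix '.exe', so it is rejected."""
    ext = Path(path).suffix.lower()
    return ext in DATA_EXTENSIONS and ext not in EXECUTABLE_EXTENSIONS


def rescue_files(source_root, dest_root):
    """Walk source_root, copy data files into dest_root preserving relative paths.
    Returns (copied, skipped): sorted lists of relative paths as strings."""
    source_root, dest_root = Path(source_root), Path(dest_root)
    copied, skipped = [], []
    for dirpath, dirnames, filenames in os.walk(source_root):
        # Prune OS directories in place so os.walk never descends into them.
        dirnames[:] = [d for d in dirnames if d.lower() not in SKIP_DIRS]
        for name in filenames:
            src = Path(dirpath) / name
            rel = str(src.relative_to(source_root))
            if src.is_symlink():          # never follow links on an untrusted disk
                skipped.append(rel)
                continue
            if not is_data_file(src):
                skipped.append(rel)
                continue
            dst = dest_root / rel
            dst.parent.mkdir(parents=True, exist_ok=True)
            # copyfile copies bytes only; no attributes, no streams, nothing is run.
            shutil.copyfile(src, dst)
            copied.append(rel)
    return sorted(copied), sorted(skipped)


def build_sample_drive(root):
    """Constructed stand-in for the mounted infected disk (sample data, not real files)."""
    files = {
        "Documents and Settings/User/My Documents/My Music/song.mp3": b"ID3sample",
        "Documents and Settings/User/My Documents/My Music/iTunes/iTunes Music Library.xml": b"<plist/>",
        "Documents and Settings/User/My Documents/My Pictures/photo.jpg": b"\xff\xd8sample",
        "Documents and Settings/User/My Documents/My Music/free_song.mp3.exe": b"MZ",  # disguised
        "WINDOWS/system32/example.exe": b"MZ",          # constructed OS file, pruned
        "Program Files/SomeApp/setup.exe": b"MZ",       # constructed, pruned
    }
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Run the rescue against the constructed tree and return (copied, skipped)."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp) / "E_drive", Path(tmp) / "backup"
        build_sample_drive(src)
        return rescue_files(src, dst)


if __name__ == "__main__":
    copied, skipped = demo()
    print("copied:", *copied, sep="\n  ")
    print("skipped:", *skipped, sep="\n  ")
```

The only judgement the script makes is on the final extension and the directory name; it never inspects or opens content beyond reading bytes for the copy, which is the whole point of the "so long as I don't open any of them" advice. Burning the `backup` directory to DVD afterwards, as the thread discusses, happens on the clean machine.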
