
Cid Popups, Ads123, More Malware/trojans


  • This topic is locked
26 replies to this topic

#1 She Haunts Me

She Haunts Me

  • Members
  • 34 posts
  • OFFLINE
  • Gender:Male
  • Location:Mordland
  • Local time:01:29 AM

Posted 22 March 2008 - 09:03 AM

Hello!! :thumbsup:

PLEASE HELP!


I'm new to the site and can already tell that I'm going to become a fan and supporter of the site. I applaud all who help with tech help, HijackThis logs, etc...

My aunt recently asked me to try to rid her PC of malware. When I first turned it on I was getting all kinds of "CiD" pop-ups. The browser home page would always be directed to "Ads123.com" whatever address I typed in.

I have scanned with several spyware removal tools and anti-virus scanners. I have removed a lot of trojans and ad-ware. The CiD pop-ups have stopped and I can now navigate the internet without seeing "Ads123.com" every 5 seconds. I would just like to make sure everything is clean and erase all traces of the malware that infested this PC.

I have made a log using Deckard's System Scanner. If you want a regular Hijack This log, I will gladly submit it.

Any help/tips are appreciated, and I wish to thank the members of this site for dedicating their spare time to helping other people who are in desperate need of it.



Deckard's System Scanner v20071014.68
Run by Derek Isom on 2008-03-15 21:37:46
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Derek Isom.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:39:37 PM, on 3/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Derek Isom\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\DEREKI~1.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://xjhtvwseour.net/gILHR_seaRsWv...FkJFP32Cf.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - {5FC5521B-D092-E846-A96F-9E52262FFBFD} - (no file)
R3 - URLSearchHook: (no name) - {0CC55D1C-D3C3-EC42-A76F-9E52262FF4AA} - (no file)
R3 - URLSearchHook: (no name) - {7F677B55-A180-9805-EC3D-EBB58824DFFC} - (no file)
R3 - URLSearchHook: (no name) - {D3AA1669-9EB5-A767-8199-D4E61DAD25F4} - (no file)
R3 - URLSearchHook: (no name) - {B7877434-B6D1-CA58-A0A9-E4CB2D9D0BC2} - (no file)
R3 - URLSearchHook: (no name) - {82AA4434-9BE2-FF6C-8D99-D4E61DAD26F2} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/micr...?1205209777328
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.11.7/ttinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/Wi...nerInstall.cab
O20 - AppInit_DLLs: iniwin32.dll C:\WINDOWS\system32\guard32.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/DEREKI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 5773 bytes

-- Files created between 2008-02-15 and 2008-03-15 -----------------------------

2008-03-15 20:15:19 0 d-------- C:\ie-spyad_zo
2008-03-15 19:34:42 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-15 09:32:53 138752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-15 09:32:52 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Spyware Terminator
2008-03-15 09:32:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-15 09:32:47 0 d-------- C:\Program Files\Spyware Terminator
2008-03-15 09:28:47 0 dr-h----- C:\Documents and Settings\Derek Isom\Recent
2008-03-15 09:08:09 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Comodo
2008-03-15 09:08:03 0 d-------- C:\Program Files\COMODO
2008-03-15 08:08:13 0 d-------- C:\Program Files\Avira
2008-03-15 08:08:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-12 18:40:24 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-03-12 10:27:41 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-12 08:47:41 0 d-------- C:\Program Files\Trend Micro
2008-03-11 22:18:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-03-11 21:38:38 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Uniblue
2008-03-11 18:37:25 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 18:37:14 0 d-------- C:\Program Files\Ace Utilities
2008-03-11 13:57:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-11 08:26:28 0 d-------- C:\Program Files\IObit
2008-03-11 08:16:38 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Sun
2008-03-11 07:35:33 0 d-------- C:\Program Files\CCleaner
2008-03-11 00:37:21 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Adobe
2008-03-11 00:37:14 1158 --a------ C:\WINDOWS\mozver.dat
2008-03-11 00:17:07 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\WinRAR
2008-03-11 00:13:29 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-10 20:56:40 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2008-03-15 10:33:46 0 d-a------ C:\Program Files\Common Files
2008-03-15 09:48:36 0 d-------- C:\Program Files\MUSICMATCH
2008-03-15 08:16:24 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\greatup
2008-03-15 07:43:13 0 d-------- C:\Program Files\Disney Interactive
2008-03-15 07:42:30 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll
2008-03-15 07:42:30 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll
2008-03-15 07:42:30 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll
2008-03-15 07:37:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-12 10:17:03 0 d-------- C:\Program Files\Common Files\Java
2008-03-12 10:05:21 0 d-------- C:\Program Files\Java
2008-03-11 08:07:34 0 d-------- C:\Program Files\Common Files\Knowledge Adventure
2008-03-11 07:58:07 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Real
2008-03-10 20:58:58 0 d--h----- C:\Program Files\Common Files\Dpi
2008-03-10 20:40:38 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\A?pPatch
2008-03-10 18:01:16 585 --a------ C:\WINDOWS\eyntr.dll
2008-03-10 17:34:50 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\wavedoesblah
2008-03-10 17:32:50 5460 --a------ C:\WINDOWS\kwv2.dat
2008-03-10 17:12:47 0 d-------- C:\Program Files\Microsoft Works
2008-03-10 17:12:12 0 d-------- C:\Program Files\Messenger
2008-03-10 17:11:27 0 d-------- C:\Program Files\Dell Modem-On-Hold


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [03/15/2008 08:10 AM]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [03/15/2008 07:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

C:\Documents and Settings\Derek Isom\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=iniwin32.dll C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]
C:\WINDOWS\system32\crnobbo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]
C:\WINDOWS\system32\crnobbo.exe



-- End of Deckard's System Scanner: finished at 2008-03-15 21:40:14 ------------

Also, if someone could help me get rid of Musicmatch Jukebox (uninstaller does nothing) that would also be a huge help! If you need anything else just let me know and I'll gladly do so.

Thanks again,
Brandon


#2 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:29 AM

Posted 23 March 2008 - 02:00 PM

Hello and welcome to BleepingComputer :thumbsup:

Please download E2TakeOut © RubbeR DuckY and save it to your desktop:
  • Double-click on E2TakeOut.exe
  • Click the Begin Removal button.
  • Wait until the program has finished scanning.
  • Once done, it will produce a popup stating that the infection has been found and you need to reboot your computer to complete the removal.
  • Reboot your computer.
  • Once your computer has rebooted E2TakeOut will open and produce a report.
  • Please copy/paste that report into your next reply.
--------

After that, please run a new scan with HijackThis and check the following objects for removal:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://xjhtvwseour.net/gILHR_seaRsWv...FkJFP32Cf.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R3 - URLSearchHook: (no name) - {5FC5521B-D092-E846-A96F-9E52262FFBFD} - (no file)
R3 - URLSearchHook: (no name) - {0CC55D1C-D3C3-EC42-A76F-9E52262FF4AA} - (no file)
R3 - URLSearchHook: (no name) - {7F677B55-A180-9805-EC3D-EBB58824DFFC} - (no file)
R3 - URLSearchHook: (no name) - {D3AA1669-9EB5-A767-8199-D4E61DAD25F4} - (no file)
R3 - URLSearchHook: (no name) - {B7877434-B6D1-CA58-A0A9-E4CB2D9D0BC2} - (no file)
R3 - URLSearchHook: (no name) - {82AA4434-9BE2-FF6C-8D99-D4E61DAD26F2} - (no file)


Now close ALL other open windows and hit FIX CHECKED. Exit HijackThis.

--------

Next, please copy the following text in the quotebox below to a blank notepad file. Make sure the filetype is set to "All Files" and save it as remove.bat to your desktop.

@echo off
rem Clear the read-only and hidden attributes first so the deletes below can succeed
attrib -r -h C:\WINDOWS\eyntr.dll
attrib -r -h C:\WINDOWS\system32\crnobbo.exe
attrib -r -h C:\WINDOWS\kwv2.dat
rem Force-delete the three files quietly, whatever attributes remain
del /a /f /q C:\WINDOWS\eyntr.dll
del /a /f /q C:\WINDOWS\system32\crnobbo.exe
del /a /f /q C:\WINDOWS\kwv2.dat
rem Remove this batch file itself (%~f0 is its own full path, so this works from any folder)
del "%~f0"
exit


Now double-click on the Remove.bat. A window will pop up and close; this is normal.

--------

Go to Start » Run » type in: regedit » OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File » Export
    Make sure in that window there is a tick next to "All" under Export Branch.
    Leave the "Save As Type" as "Registration Files".
    Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File » Exit.
This is so the registry can be restored to this point if we need it. It may take a minute.

Next, please copy the following text in the quotebox below to a blank notepad file. Make sure the filetype is set to "All Files" and save it as Fixit.reg to your desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]


Now double-click on the Fixit.reg on your desktop and allow it to merge with registry by clicking YES on the prompt.

------

Finally, please reboot again and post back with a fresh HijackThis log. :blink:
Hi there, stranger!
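An added example, not part of this thread or of HijackThis itself, that applies the same triage Rawe performs above to HijackThis log lines: it flags R3 URLSearchHook entries whose file is missing, R1 Search Bar values that are not the IE default, and O20 AppInit_DLLs entries given as bare filenames. The three checks and the go.microsoft.com default are my assumptions drawn from the logs in this thread; the sample input is excerpted from the logs posted above.

```python
"""Triage of HijackThis 2.0.2 log lines (added example, not HijackThis code).

Mirrors the entries the helper in this thread picked out for "Fix checked":
orphaned R3 URLSearchHooks, a non-default R1 Search Bar, and the bare
AppInit_DLLs name that E2TakeOut later reset. The heuristics are assumptions
drawn from this thread's logs, not rules built into HijackThis.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional
from urllib.parse import urlparse

# Assumption: IE 7's own Search Bar / Search Page defaults live on this host,
# as the clean R1 entries in the thread's log show (go.microsoft.com/fwlink/...).
DEFAULT_SEARCH_HOSTS = {"go.microsoft.com"}

# Every HijackThis finding is "<code> - <body>", e.g. "R3 - URLSearchHook: ..."
ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.*)$")


@dataclass(frozen=True)
class Finding:
    code: str    # HijackThis section code, e.g. "R3"
    reason: str  # why the line was flagged
    line: str    # the original log line


def check_r1_search_bar(body: str) -> Optional[str]:
    """R1: flag a Search Bar value that is not the Microsoft default."""
    key, sep, value = body.partition(" = ")
    if not sep or not key.endswith(",Search Bar"):
        return None
    value = value.strip()
    # about:blank has no host, so it is flagged too, just as Rawe flagged it above.
    if urlparse(value).hostname in DEFAULT_SEARCH_HOSTS:
        return None
    return "Search Bar is not the IE default: " + value


def check_r3_urlsearchhook(body: str) -> Optional[str]:
    """R3: a URLSearchHook CLSID whose DLL is gone is a leftover to remove."""
    if body.startswith("URLSearchHook:") and body.rstrip().endswith("(no file)"):
        return "URLSearchHook points at a missing file"
    return None


def check_o20_appinit(body: str) -> Optional[str]:
    """O20: AppInit_DLLs names given without a directory are suspicious."""
    prefix = "AppInit_DLLs:"
    if not body.startswith(prefix):
        return None
    # The loader reads this value as space- or comma-separated names.
    names = [n for n in re.split(r"[ ,]+", body[len(prefix):].strip()) if n]
    bare = [n for n in names if "\\" not in n]
    if bare:
        return "AppInit_DLLs loads DLL(s) with no path: " + ", ".join(bare)
    return None


CHECKS: Dict[str, Callable[[str], Optional[str]]] = {
    "R1": check_r1_search_bar,
    "R3": check_r3_urlsearchhook,
    "O20": check_o20_appinit,
}


def triage(lines: Iterable[str]) -> List[Finding]:
    """Run the per-section checks over raw HijackThis log lines."""
    findings: List[Finding] = []
    for raw in lines:
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        check = CHECKS.get(m.group("code"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append(Finding(m.group("code"), reason, line))
    return findings


# Excerpts of the two HijackThis logs posted in this thread: before and
# after the fix. Lines that are not findings are kept to show they are skipped.
LOG_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
C:\WINDOWS\system32\ctfmon.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://xjhtvwseour.net/gILHR_seaRsWv...FkJFP32Cf.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: (no name) - {5FC5521B-D092-E846-A96F-9E52262FFBFD} - (no file)
R3 - URLSearchHook: (no name) - {0CC55D1C-D3C3-EC42-A76F-9E52262FF4AA} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O20 - AppInit_DLLs: iniwin32.dll C:\WINDOWS\system32\guard32.dll
""".strip().splitlines()

LOG_AFTER = r"""
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(LOG_BEFORE):
        print(f"{f.code}: {f.reason}")
    print("after fix:", len(triage(LOG_AFTER)), "findings")
```

Running it against the first log reports five entries, the same ones Rawe checked for removal plus the bare iniwin32.dll; the post-fix log produces none.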

#3 She Haunts Me

She Haunts Me
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Gender:Male
  • Location:Mordland
  • Local time:01:29 AM

Posted 23 March 2008 - 06:40 PM

Thanks Rawe for such a speedy reply. This is much appreciated! I have carried out all the instructions you gave me. Below is an E2TakeOut log file along with a new HijackThis log. I will wait for further instructions. Thanks again for all the help! :thumbsup:


E2TakeOut v1.01 [http://www.malwarebytes.org]

Removed orphaned leftovers
AppInit key reset



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:33:17 PM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205209777328
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.11.7/ttinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer...nnerInstall.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/DEREKI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 4943 bytes

#4 Rawe

Rawe

  • Members
  • 2,363 posts
  • OFFLINE
  • Gender:Male
  • Location:Finland
  • Local time:09:29 AM

Posted 23 March 2008 - 06:56 PM

Looks much better. :blink:

You can go ahead and delete E2TakeOut, as well as Fixit.reg.

To continue.....
  • Open HijackThis
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on the button "Save list"
  • Copy and paste the list from Notepad into your post.
  • Along with the uninstall list, please rerun Deckard's System Scanner and post back with the fresh log. :thumbsup:
----

Btw, do you recognize this entry

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/DEREKI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg ?

The filename? Did you set it yourself?
Hi there, stranger!

#5 She Haunts Me

She Haunts Me
  • Topic Starter

  • Members
  • 34 posts
  • OFFLINE
  • Gender:Male
  • Location:Mordland
  • Local time:01:29 AM

Posted 23 March 2008 - 08:21 PM

Hey Rawe! I'm glad it's looking better! I've deleted E2 and Fixit.reg.

I also ran the HijackThis uninstall manager. There are a few programs on there that I haven't been able to delete, possibly because of a missing file or something. (MusicMatch Jukebox, Huge Home Runs Videos :thumbsup: )

I also ran Deckard's System Scanner, both logs are below.

Also, I'm not familiar with the registry entry:
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/DEREKI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

I have no idea what it is. I'm not too familiar with registry editing so I don't think that I created it myself. Shall I delete it?

Anyways, here are the logs.

HijackThis Uninstall Manager
ABBYY FineReader 5.0 Sprint Plus
Ace Utilities
Advanced WindowsCare Personal 2.7.0
ATI Display Driver
Atlantis - Trial by Fire
Avira AntiVir PersonalEdition Classic
BCM V.92 56K Modem
Boggle
CCleaner (remove only)
COMODO Firewall Pro
Dell Modem-On-Hold
Dell Picture Studio - Dell Image Expert
Dell ResourceCD
Dell Solution Center
Dell Support
Digital Line Detect
Easy CD Creator 5 Basic
HijackThis 2.0.2
Hotfix for Windows XP (KB915865)
Huge Home Runs Videos
Intel® PRO Ethernet Adapter and Software
J2SE Runtime Environment 5.0 Update 3
Java™ 6 Update 5
Lexmark 4200 Series
Lexmark 4200 Series Fax Solutions
Macromedia Flash Player 8
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB928367)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft Encarta Encyclopedia Standard 2002
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Picture It! Photo 2002
Microsoft Word 2002
Microsoft Works 6.0
Mozilla Firefox (2.0.0.12)
MUSICMATCH® Jukebox
Panda ActiveScan
QuickTime
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Internet Explorer 7 (KB944533)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB933729)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
Security Update for Windows XP (KB941202)
Security Update for Windows XP (KB941568)
Security Update for Windows XP (KB941569)
Security Update for Windows XP (KB941644)
Security Update for Windows XP (KB943055)
Security Update for Windows XP (KB943460)
Security Update for Windows XP (KB943485)
Security Update for Windows XP (KB944653)
Security Update for Windows XP (KB946026)
Shockwave
Spyware Terminator
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB930916)
Update for Windows XP (KB936357)
Update for Windows XP (KB938828)
Update for Windows XP (KB942763)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885523
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver


Deckard's System Scanner v20071014.68
Run by Derek Isom on 2008-03-23 20:07:18
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Derek Isom.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:13 PM, on 3/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Derek Isom\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Derek Isom.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dellnet.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205209777328
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.11.7/ttinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer...nnerInstall.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/DEREKI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

--
End of file - 5068 bytes

-- Files created between 2008-02-23 and 2008-03-23 -----------------------------

2008-03-23 18:27:38 85110466 --a------ C:\RegBackup.reg
2008-03-23 18:18:26 0 d-------- C:\Program Files\Trend Micro
2008-03-15 20:15:19 0 d-------- C:\ie-spyad_zo
2008-03-15 19:34:42 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-15 09:32:53 138752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-15 09:32:52 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Spyware Terminator
2008-03-15 09:32:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-15 09:32:47 0 d-------- C:\Program Files\Spyware Terminator
2008-03-15 09:28:47 0 dr-h----- C:\Documents and Settings\Derek Isom\Recent
2008-03-15 09:08:09 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Comodo
2008-03-15 09:08:03 0 d-------- C:\Program Files\COMODO
2008-03-15 08:08:13 0 d-------- C:\Program Files\Avira
2008-03-15 08:08:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-12 18:40:24 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-03-12 10:27:41 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-11 22:18:02 0 d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-03-11 21:38:38 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Uniblue
2008-03-11 18:37:25 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 18:37:14 0 d-------- C:\Program Files\Ace Utilities
2008-03-11 13:57:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-11 08:26:28 0 d-------- C:\Program Files\IObit
2008-03-11 08:16:38 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Sun
2008-03-11 07:35:33 0 d-------- C:\Program Files\CCleaner
2008-03-11 00:37:21 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Adobe
2008-03-11 00:37:14 1158 --a------ C:\WINDOWS\mozver.dat
2008-03-11 00:17:07 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\WinRAR
2008-03-11 00:13:29 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-10 20:56:40 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2008-03-15 10:33:46 0 d-a------ C:\Program Files\Common Files
2008-03-15 09:48:36 0 d-------- C:\Program Files\MUSICMATCH
2008-03-15 08:16:24 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\greatup
2008-03-15 07:43:13 0 d-------- C:\Program Files\Disney Interactive
2008-03-15 07:42:30 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll
2008-03-15 07:42:30 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll
2008-03-15 07:42:30 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll
2008-03-15 07:37:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-12 10:17:03 0 d-------- C:\Program Files\Common Files\Java
2008-03-12 10:05:21 0 d-------- C:\Program Files\Java
2008-03-11 08:07:34 0 d-------- C:\Program Files\Common Files\Knowledge Adventure
2008-03-11 07:58:07 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Real
2008-03-10 20:58:58 0 d--h----- C:\Program Files\Common Files\Dpi
2008-03-10 20:40:38 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\A?pPatch
2008-03-10 17:34:50 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\wavedoesblah
2008-03-10 17:12:47 0 d-------- C:\Program Files\Microsoft Works
2008-03-10 17:12:12 0 d-------- C:\Program Files\Messenger
2008-03-10 17:11:27 0 d-------- C:\Program Files\Dell Modem-On-Hold


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [03/15/2008 08:10 AM]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [03/15/2008 07:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

C:\Documents and Settings\Derek Isom\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]
C:\WINDOWS\system32\crnobbo.exe



-- End of Deckard's System Scanner: finished at 2008-03-23 20:10:18 ------------

#6 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 23 March 2008 - 08:31 PM

Hi again :blink:

Yep, please run a scan with HijackThis and check the following object for removal:

O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/DEREKI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg


Hit FIX CHECKED with other windows closed. Now with HijackThis....
  • Click on the tab "Misc Tools"
  • Click on the Box that says "Uninstall Manager"
  • Click on MUSICMATCH® Jukebox
  • Click on Delete this entry
  • Click "Yes"
  • Repeat this for Huge Home Runs Videos
Then, delete their folders. (For musicmatch: C:\Program Files\MUSICMATCH)

-----------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

------------------

Finally,

Please download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply. :thumbsup:
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Edited by Rawe, 23 March 2008 - 08:35 PM.

Hi there, stranger!
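The reply above picks one HijackThis entry (the O24 desktop component under a Temp folder) out of the log for removal. The following script is an added example, not part of this thread and not HijackThis code: it reads lines in the HijackThis log format shown above and applies a few defender-side heuristics to the entry types that appear in it (O9 with no file, O10 unknown LSP, O16 ActiveX downloads, O20 AppInit_DLLs, O24 pointing into Temp). The allow-list of download hosts and the sample lines are assumptions constructed for the example; the two O16 URLs in the sample are made up because the page shows the real ones truncated. It only reports; nothing is deleted.

```python
"""Triage helper for HijackThis-style log lines.

Added example for this thread; it is not HijackThis code and not part of the
original posts.  It applies a few defender-side heuristics to the entry types
that appear in the logs above (O9, O10, O16, O20, O24) and returns the entries
a reviewer should look at first.  The vendor allow-list and the sample lines
are assumptions constructed for the example.
"""
import re
from urllib.parse import urlparse

# Assumed allow-list: hosts from which ActiveX (O16 DPF) downloads are expected
# on a 2008-era XP machine.  Anything else is queued for review, not deleted.
TRUSTED_DPF_HOSTS = {
    "www.update.microsoft.com",
    "messenger.msn.com",
    "us.dl1.yimg.com",
    "acs.pandasoftware.com",
}

# Sample lines constructed for this example in the HijackThis log format used
# in the thread; the two O16 URLs are made up (the page shows them truncated).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/example/muweb_site.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://scanner.example-adware.test/install.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O24 - Desktop Component 0: (no name) - file:///C:/DOCUME~1/DEREKI~1/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg
"""

LINE_RE = re.compile(r"^(?P<code>[RFNOS]\d+)\s+-\s+(?P<body>.*)$")
URL_RE = re.compile(r"https?://\S+")
TEMP_DIR_RE = re.compile(r"[\\/]temp[\\/]", re.IGNORECASE)


def triage_line(line):
    """Return (code, reason) if the entry deserves reviewer attention, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")

    if code == "O9" and "(no file)" in body:
        return code, "orphaned IE button/menu entry: target file is missing"
    if code == "O10":
        return code, "Winsock LSP not recognised by the scanner; verify the DLL's publisher"
    if code == "O16":
        url = URL_RE.search(body)
        host = urlparse(url.group(0)).hostname if url else None
        if host not in TRUSTED_DPF_HOSTS:
            return code, f"ActiveX control downloaded from a host not on the allow-list: {host}"
    if code == "O20":
        # AppInit_DLLs is loaded into every process that links user32.dll, so
        # the DLL must be tied to an installed product (here COMODO's guard32).
        return code, "AppInit_DLLs entry: confirm the DLL belongs to installed security software"
    if code == "O24" and TEMP_DIR_RE.search(body):
        return code, "desktop component points into a Temp directory"
    return None


def triage_log(text):
    """Run triage_line over a whole log and return the list of (code, reason)."""
    findings = []
    for line in text.splitlines():
        hit = triage_line(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for code, reason in triage_log(SAMPLE_LOG):
        print(f"{code}: {reason}")
```

Run against a saved log file by replacing `SAMPLE_LOG` with the file's contents; the output is a review queue, and the O20 entry in the thread (COMODO's guard32.dll) shows why a flagged entry still needs a human decision before anything is fixed.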

#7 She Haunts Me
  • Topic Starter
  • Members
  • 34 posts
  • Gender:Male
  • Location:Mordland

Posted 23 March 2008 - 09:21 PM

:thumbsup: Musicmatch is finally gone as well as HugeHome run videos. Thanks a bunch!

I ran the ATF cleaner as well as the Combofix.exe

Here is the combofix log

ComboFix 08-03-23.2 - Derek Isom 2008-03-23 9:12:27.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.254 [GMT -5:00]
Running from: C:\Documents and Settings\Derek Isom\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Documents and Settings\Derek Isom\Application Data\APPATC~1
C:\Documents and Settings\Derek Isom\Application Data\APPATC~1\A?pPatch\
C:\Documents and Settings\Derek Isom\Application Data\ICROSO~1
C:\Program Files\asembl~1
C:\Program Files\Common Files\ecurit~1
C:\Program Files\Common Files\ppatch~1
C:\Program Files\crosof~1
C:\Program Files\mcroso~1
C:\WINDOWS\bundles
C:\WINDOWS\bundles\EDow_AS2.exe
C:\WINDOWS\bundles\icmedia_7.exe
C:\WINDOWS\bundles\setup_silent_17123.exe
C:\WINDOWS\bundles\thin-8-1-x-x.exe
C:\WINDOWS\bundles\TVM_B5.EXE
C:\WINDOWS\bundles\Tvm_b5_269.exe
C:\WINDOWS\bundles\VT02.exe
C:\WINDOWS\bundles\WebRebates_Auto_InstallSilent.exe
C:\WINDOWS\system32\pppatc~1
C:\WINDOWS\system32\scurit~1
C:\WINDOWS\system32\smante~1
C:\WINDOWS\system32\sstem~1

.
((((((((((((((((((((((((( Files Created from 2008-02-23 to 2008-03-23 )))))))))))))))))))))))))))))))
.

2008-03-23 18:27 . 2008-03-23 18:27 85,110,466 --a------ C:\RegBackup.reg
2008-03-23 18:18 . 2008-03-23 18:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-15 20:15 . 2008-03-15 20:15 <DIR> d-------- C:\ie-spyad_zo
2008-03-15 19:34 . 2008-03-15 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-15 19:34 . 2008-03-15 19:34 85,112 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdguard.sys
2008-03-15 19:34 . 2008-03-15 19:34 23,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdhlp.sys
2008-03-15 19:25 . 2008-03-15 19:25 144,384 --a------ C:\WINDOWS\SYSTEM32\140.tmp
2008-03-15 10:00 . 2008-03-15 10:00 <DIR> d-------- C:\Deckard
2008-03-15 09:32 . 2008-03-15 19:26 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-03-15 09:32 . 2008-03-15 19:33 <DIR> d-------- C:\Documents and Settings\Derek Isom\Application Data\Spyware Terminator
2008-03-15 09:32 . 2008-03-15 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-15 09:32 . 2008-03-15 09:32 138,752 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sp_rsdrv2.sys
2008-03-15 09:08 . 2008-03-15 09:08 <DIR> d-------- C:\Program Files\COMODO
2008-03-15 09:08 . 2008-03-15 19:34 <DIR> d-------- C:\Documents and Settings\Derek Isom\Application Data\Comodo
2008-03-15 09:08 . 2008-03-15 19:34 139,008 --a------ C:\WINDOWS\SYSTEM32\guard32.dll
2008-03-15 08:08 . 2008-03-15 08:08 <DIR> d-------- C:\Program Files\Avira
2008-03-15 08:08 . 2008-03-15 08:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-12 18:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-03-12 10:27 . 2008-03-15 19:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-12 10:27 . 2008-03-15 19:23 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-12 10:27 . 2008-03-15 19:23 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-12 10:27 . 2008-03-15 19:23 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-12 10:05 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-11 22:18 . 2008-03-11 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-03-11 21:38 . 2008-03-15 07:12 <DIR> d-------- C:\Documents and Settings\Derek Isom\Application Data\Uniblue
2008-03-11 19:19 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-03-11 19:19 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-03-11 18:37 . 2008-03-12 19:22 <DIR> d-------- C:\Program Files\Ace Utilities
2008-03-11 18:37 . 2008-03-15 19:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 13:57 . 2008-03-15 07:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-11 08:26 . 2008-03-11 08:26 <DIR> d-------- C:\Program Files\IObit
2008-03-11 07:35 . 2008-03-11 07:35 <DIR> d-------- C:\Program Files\CCleaner
2008-03-11 00:37 . 2008-03-11 00:37 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-11 00:13 . 2008-03-11 00:13 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-10 23:09 . 2006-08-21 04:14 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2008-03-10 23:09 . 2006-08-21 04:14 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2008-03-10 23:09 . 2006-08-21 07:21 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2008-03-10 22:55 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-03-10 22:36 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-03-10 22:36 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-03-10 22:36 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-03-10 22:36 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 13:16 --------- d-----w C:\Documents and Settings\Derek Isom\Application Data\greatup
2008-03-15 12:43 --------- d-----w C:\Program Files\Disney Interactive
2008-03-15 12:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 15:17 --------- d-----w C:\Program Files\Common Files\Java
2008-03-12 15:05 --------- d-----w C:\Program Files\Java
2008-03-11 13:07 --------- d-----w C:\Program Files\Common Files\Knowledge Adventure
2008-03-11 01:58 --------- d--h--w C:\Program Files\Common Files\Dpi
2008-03-10 22:34 --------- d-----w C:\Documents and Settings\Derek Isom\Application Data\wavedoesblah
2008-03-10 22:12 --------- d-----w C:\Program Files\Microsoft Works
2008-03-10 22:11 --------- d-----w C:\Program Files\Dell Modem-On-Hold
2005-04-16 19:43 69,768 ----a-w C:\Documents and Settings\Derek Isom\Application Data\GDIPFONTCACHEV1.DAT
2006-05-06 00:49 475 --sh--w C:\WINDOWS\SYSTEM32\ttmdppdk.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-15 08:10 249896]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-15 19:34 1503488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-03-15 19:34]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-03-15 19:34]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-15 09:32]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 10:05]


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]
C:\WINDOWS\system32\crnobbo.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-24 02:00:00 C:\WINDOWS\Tasks\B4F7A97B918853BF.job"
- c:\docume~1\dereki~1\applic~1\greatup\titlethebias.exe
"2008-03-12 05:31:41 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-23 09:15:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-23 9:16:22
ComboFix-quarantined-files.txt 2008-03-23 14:16:12
.
2008-03-12 03:07:34 --- E O F ---

#8 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 24 March 2008 - 07:10 AM

Open notepad and copy/paste the text in the quotebox into it

File::
C:\WINDOWS\SYSTEM32\ttmdppdk.dll
C:\WINDOWS\Tasks\B4F7A97B918853BF.job
C:\WINDOWS\system32\crnobbo.exe

Folder::
C:\Documents and Settings\Derek Isom\Application Data\wavedoesblah
C:\Documents and Settings\Derek Isom\Application Data\greatup

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]


Save it as CFScript.txt on your desktop.


Referring to the picture above, drag CFScript.txt into ComboFix.exe

When finished, it shall produce a log for you, C:\ComboFix.txt. Post that log in your next reply. :blink:

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

--------------

Along with the ComboFix log...

Please download NoLop to your desktop from one of the links below...
Link 1
Link 2
Link 3
  • Double-click NoLop.exe to run it.
  • Now click the button labelled "Search and Destroy"
    <<your computer will now be scanned for infected files>>
  • When scanning is finished you will be prompted to reboot only if infected, click OK.
  • Now click the "REBOOT" button.
  • A message should popup from NoLop. If not, double-click the program again and it will finish. Please post the contents of C:\NoLop.log along with a fresh HijackThis log. :thumbsup:
--If you receive an error, "mscomctl.ocx or one of its dependencies are not correctly registered," please download mscomctl.ocx to your system32 folder then rerun the program. --

Edited by Rawe, 24 March 2008 - 07:40 AM.

Hi there, stranger!
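The CFScript in the post above uses three section headers (File::, Folder::, Registry::) that ComboFix acts on once the file is dragged onto it. The following dry-run reader is an added example, not ComboFix code and not from this thread: it parses those sections, checks whether each path exists, and prints the plan so the script can be reviewed before it is handed to ComboFix. The section semantics it models (File:: and Folder:: delete the named paths, a leading "-" on a registry key deletes the key) follow the thread's usage; only that key-deletion form is modelled, and the sample script text is built from the entries in the post above. Nothing here deletes anything.

```python
"""Dry-run reader for a ComboFix CFScript.txt.

Added example; it is not ComboFix code and does not delete anything.  It parses
the three section headers used in the script above (File::, Folder::,
Registry::), checks each entry against the local filesystem, and returns the
plan so the script can be reviewed before it is dragged onto ComboFix.  The
section semantics (File:: deletes files, Folder:: deletes directories, a
leading '-' on a registry key deletes the key) follow the thread's usage; the
sample text is built from the entries in the post above.
"""
import os
import re

SAMPLE_SCRIPT = r"""
File::
C:\WINDOWS\SYSTEM32\ttmdppdk.dll
C:\WINDOWS\Tasks\B4F7A97B918853BF.job

Folder::
C:\Documents and Settings\Derek Isom\Application Data\wavedoesblah

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]
"""

SECTION_RE = re.compile(r"^([A-Za-z]+)::\s*$")
KNOWN_SECTIONS = {"File", "Folder", "Registry"}
# Only the "[-KEY]" deletion form from the thread is modelled; other REGEDIT4
# lines are reported as unparsed so a reviewer sees them.
REG_KEY_RE = re.compile(r"^\[(-?)(HKEY_[A-Z_]+|HK(?:LM|CU|CR|U|CC))\\(.+)\]$")


def parse_cfscript(text):
    """Return {section: [entries]}; raise ValueError on an unknown header."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            name = m.group(1)
            if name not in KNOWN_SECTIONS:
                raise ValueError(f"unknown CFScript section: {name}::")
            current = sections.setdefault(name, [])
            continue
        if current is None:
            raise ValueError(f"entry before any section header: {line}")
        current.append(line)
    return sections


def plan(sections, exists=os.path.exists):
    """Describe each action as (operation, target, present_on_disk).

    `exists` is injectable so the dry run can be exercised on another machine.
    """
    actions = []
    for path in sections.get("File", []):
        actions.append(("delete-file", path, exists(path)))
    for path in sections.get("Folder", []):
        actions.append(("delete-folder", path, exists(path)))
    for entry in sections.get("Registry", []):
        m = REG_KEY_RE.match(entry)
        if not m:
            actions.append(("registry-unparsed", entry, None))
            continue
        op = "delete-key" if m.group(1) == "-" else "set-key"
        actions.append((op, m.group(2) + "\\" + m.group(3), None))
    return actions


if __name__ == "__main__":
    for op, target, present in plan(parse_cfscript(SAMPLE_SCRIPT)):
        note = "" if present is None else (" (present)" if present else " (not found)")
        print(f"{op}: {target}{note}")
```

Running it on the real CFScript.txt before the ComboFix step shows which targets are still on disk and catches a mistyped section header, which ComboFix would otherwise silently ignore or misread.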

#9 She Haunts Me
  • Topic Starter
  • Members
  • 34 posts
  • Gender:Male
  • Location:Mordland

Posted 24 March 2008 - 07:51 PM

Hey Rawe. I finally finished your requests. The ComboFix took a long time, but it finally finished. NoLop didn't find any infected files! (Hope that's a good thing.) I also ran a fresh HijackThis, so here are all the logs. :thumbsup:


ComboFix 08-03-23.2 - Derek Isom 2008-03-24 18:38:30.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.247 [GMT -5:00]
Running from: C:\Documents and Settings\Derek Isom\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Derek Isom\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\crnobbo.exe
C:\WINDOWS\SYSTEM32\ttmdppdk.dll
C:\WINDOWS\Tasks\B4F7A97B918853BF.job
.
-- Other TimeOuts --
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
Nircmd abortshutdown
SED "s/.*\\//; s/.sys$//I"
MTEE /+ d-delA.dat


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Derek Isom\Application Data\greatup
C:\Documents and Settings\Derek Isom\Application Data\greatup\0
C:\Documents and Settings\Derek Isom\Application Data\greatup\dewsngdk.exe
C:\Documents and Settings\Derek Isom\Application Data\greatup\titlethebias.exe
C:\Documents and Settings\Derek Isom\Application Data\wavedoesblah
C:\WINDOWS\SYSTEM32\ttmdppdk.dll
C:\WINDOWS\Tasks\B4F7A97B918853BF.job

.
((((((((((((((((((((((((( Files Created from 2008-02-24 to 2008-03-24 )))))))))))))))))))))))))))))))
.

2008-03-24 18:24 . 2008-03-24 18:29 <DIR> d-------- C:\ComboFix(2)
2008-03-23 18:27 . 2008-03-23 18:27 85,110,466 --a------ C:\RegBackup.reg
2008-03-23 18:18 . 2008-03-23 18:18 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-15 20:15 . 2008-03-15 20:15 <DIR> d-------- C:\ie-spyad_zo
2008-03-15 19:34 . 2008-03-15 19:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-15 19:34 . 2008-03-15 19:34 85,112 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdguard.sys
2008-03-15 19:34 . 2008-03-15 19:34 23,800 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\cmdhlp.sys
2008-03-15 19:25 . 2008-03-15 19:25 144,384 --a------ C:\WINDOWS\SYSTEM32\140.tmp
2008-03-15 10:00 . 2008-03-15 10:00 <DIR> d-------- C:\Deckard
2008-03-15 09:32 . 2008-03-15 19:26 <DIR> d-------- C:\Program Files\Spyware Terminator
2008-03-15 09:32 . 2008-03-15 19:33 <DIR> d-------- C:\Documents and Settings\Derek Isom\Application Data\Spyware Terminator
2008-03-15 09:32 . 2008-03-15 15:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-15 09:32 . 2008-03-15 09:32 138,752 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\sp_rsdrv2.sys
2008-03-15 09:08 . 2008-03-15 09:08 <DIR> d-------- C:\Program Files\COMODO
2008-03-15 09:08 . 2008-03-15 19:34 <DIR> d-------- C:\Documents and Settings\Derek Isom\Application Data\Comodo
2008-03-15 09:08 . 2008-03-15 19:34 139,008 --a------ C:\WINDOWS\SYSTEM32\guard32.dll
2008-03-15 08:08 . 2008-03-15 08:08 <DIR> d-------- C:\Program Files\Avira
2008-03-15 08:08 . 2008-03-15 08:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-12 18:40 . 2007-06-05 10:56 44,928 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\SDTHOOK.SYS
2008-03-12 10:27 . 2008-03-15 19:24 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2008-03-12 10:27 . 2008-03-15 19:23 30,590 --a------ C:\WINDOWS\SYSTEM32\pavas.ico
2008-03-12 10:27 . 2008-03-15 19:23 2,550 --a------ C:\WINDOWS\SYSTEM32\Uninstall.ico
2008-03-12 10:27 . 2008-03-15 19:23 1,406 --a------ C:\WINDOWS\SYSTEM32\Help.ico
2008-03-12 10:05 . 2008-02-22 02:33 69,632 --a------ C:\WINDOWS\SYSTEM32\javacpl.cpl
2008-03-11 22:18 . 2008-03-11 22:18 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Uniblue
2008-03-11 21:38 . 2008-03-15 07:12 <DIR> d-------- C:\Documents and Settings\Derek Isom\Application Data\Uniblue
2008-03-11 19:19 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll
2008-03-11 19:19 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\SYSTEM32\mucltui.dll.mui
2008-03-11 18:37 . 2008-03-12 19:22 <DIR> d-------- C:\Program Files\Ace Utilities
2008-03-11 18:37 . 2008-03-15 19:21 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 13:57 . 2008-03-15 07:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-11 08:26 . 2008-03-11 08:26 <DIR> d-------- C:\Program Files\IObit
2008-03-11 07:35 . 2008-03-11 07:35 <DIR> d-------- C:\Program Files\CCleaner
2008-03-11 00:37 . 2008-03-11 00:37 1,158 --a------ C:\WINDOWS\mozver.dat
2008-03-11 00:13 . 2008-03-11 00:13 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-10 23:09 . 2006-08-21 04:14 128,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmgr.sys
2008-03-10 23:09 . 2006-08-21 04:14 23,040 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltmc.exe
2008-03-10 23:09 . 2006-08-21 07:21 16,896 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\fltlib.dll
2008-03-10 22:55 . 2007-07-09 08:09 584,192 --------- C:\WINDOWS\SYSTEM32\DLLCACHE\rpcrt4.dll
2008-03-10 22:36 . 2007-07-30 20:18 34,136 --a------ C:\WINDOWS\SYSTEM32\wucltui.dll.mui
2008-03-10 22:36 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuaucpl.cpl.mui
2008-03-10 22:36 . 2007-07-30 20:19 25,944 --a------ C:\WINDOWS\SYSTEM32\wuapi.dll.mui
2008-03-10 22:36 . 2007-07-30 20:18 20,312 --a------ C:\WINDOWS\SYSTEM32\wuaueng.dll.mui

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-15 12:43 --------- d-----w C:\Program Files\Disney Interactive
2008-03-15 12:37 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-12 15:17 --------- d-----w C:\Program Files\Common Files\Java
2008-03-12 15:05 --------- d-----w C:\Program Files\Java
2008-03-11 13:07 --------- d-----w C:\Program Files\Common Files\Knowledge Adventure
2008-03-11 01:58 --------- d--h--w C:\Program Files\Common Files\Dpi
2008-03-10 22:12 --------- d-----w C:\Program Files\Microsoft Works
2008-03-10 22:11 --------- d-----w C:\Program Files\Dell Modem-On-Hold
2005-04-16 19:43 69,768 ----a-w C:\Documents and Settings\Derek Isom\Application Data\GDIPFONTCACHEV1.DAT
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [2008-02-22 04:25 144784]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-03-15 08:10 249896]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [2008-03-15 19:34 1503488]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoResolveSearch"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"= C:\WINDOWS\system32\guard32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINDOWS\\SYSTEM32\\LEXPPS.EXE"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\Program Files\\Windows Media Player\\wmplayer.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R1 cmdGuard;COMODO Firewall Pro Sandbox Driver;C:\WINDOWS\system32\DRIVERS\cmdguard.sys [2008-03-15 19:34]
R1 cmdHlp;COMODO Firewall Pro Helper Driver;C:\WINDOWS\system32\DRIVERS\cmdhlp.sys [2008-03-15 19:34]
R1 sp_rsdrv2;Spyware Terminator Driver 2;C:\WINDOWS\system32\drivers\sp_rsdrv2.sys [2008-03-15 09:32]
R3 ati2mtaa;ati2mtaa;C:\WINDOWS\system32\DRIVERS\ati2mtaa.sys [2002-04-08 10:05]

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]
C:\WINDOWS\system32\crnobbo.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-03-12 05:31:41 C:\WINDOWS\Tasks\Uniblue SpyEraser.job"
- C:\Program Files\Uniblue\SpyEraser\SpyEraser.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-24 19:26:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-24 19:27:27
ComboFix-quarantined-files.txt 2008-03-25 00:27:04
ComboFix2.txt 2008-03-23 14:16:23
.
2008-03-12 03:07:34 --- E O F ---




---------------------------------------------------------------------------------------
NoLop! Log by Skate_Punk_21

Fix running from: C:\Documents and Settings\Derek Isom\Desktop
[3/24/2008]
[7:34:40 PM]

---Infection Files Found/Removed---
NO INFECTION FILES FOUND - Cleaning Aborted.

---Listing AppData sub directories---

C:\Documents and Settings\All Users\Application Data\4200series
C:\Documents and Settings\All Users\Application Data\Avira
C:\Documents and Settings\All Users\Application Data\Bvrp Software
C:\Documents and Settings\All Users\Application Data\Comodo
C:\Documents and Settings\All Users\Application Data\Dell
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
C:\Documents and Settings\All Users\Application Data\Microsoft
C:\Documents and Settings\All Users\Application Data\Msn6
C:\Documents and Settings\All Users\Application Data\Sbsi
C:\Documents and Settings\All Users\Application Data\Spyware Terminator
C:\Documents and Settings\All Users\Application Data\Temp -- EMPTY Directory
C:\Documents and Settings\All Users\Application Data\Uniblue
C:\Documents and Settings\All Users\Application Data\Windows Genuine Advantage
C:\Documents and Settings\Default User\Application Data\Identities
C:\Documents and Settings\Default User\Application Data\Microsoft
C:\Documents and Settings\Derek Isom\Application Data\4200series
C:\Documents and Settings\Derek Isom\Application Data\Adobe
C:\Documents and Settings\Derek Isom\Application Data\Comodo
C:\Documents and Settings\Derek Isom\Application Data\Help
C:\Documents and Settings\Derek Isom\Application Data\Identities
C:\Documents and Settings\Derek Isom\Application Data\Macromedia
C:\Documents and Settings\Derek Isom\Application Data\Microsoft
C:\Documents and Settings\Derek Isom\Application Data\More Love Bows Dupe
C:\Documents and Settings\Derek Isom\Application Data\Mozilla
C:\Documents and Settings\Derek Isom\Application Data\Msn6
C:\Documents and Settings\Derek Isom\Application Data\Real
C:\Documents and Settings\Derek Isom\Application Data\Spyware Terminator
C:\Documents and Settings\Derek Isom\Application Data\Sun
C:\Documents and Settings\Derek Isom\Application Data\Uniblue
C:\Documents and Settings\Derek Isom\Application Data\Winrar -- EMPTY Directory
C:\Documents and Settings\Derek Isom\Application Data\Yahoo! Messenger
C:\Documents and Settings\Localservice\Application Data\Microsoft
C:\Documents and Settings\Networkservice\Application Data\Microsoft




---------------------------------------------------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:41:43 PM, on 3/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205209777328
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.11.7/ttinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer...nnerInstall.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4634 bytes

#10 Rawe

Posted 25 March 2008 - 10:15 AM

Hello again, looks MUCH better.

Yes, it was a good thing NoLop didn't find anything. :thumbsup:

You can go ahead and delete it if you want.

Do you have Spyware Terminator's real-time protection on right now?

If so, I need you to disable it. Open Spyware Terminator, click on the "Real-time Protection" tab, uncheck the "Use Real-time Protection" box and click on the "Save Changes" button.

After you do that, please rerun a scan with HijackThis and check the following objects for removal:

O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer...nnerInstall.cab


Now close ALL other open windows except for HijackThis and hit FIX CHECKED. Exit HijackThis.

Then, please redo this step.

Go to Start » Run » type in: regedit » OK.
  • On the left side, click to highlight My Computer at the top.
  • Go up to File » Export
    Make sure in that window there is a tick next to "All" under Export Branch.
    Leave the "Save As Type" as "Registration Files".
    Under "Filename" put RegBackup.
  • Choose to save it to C:\
  • Click Save and then go to File » Exit.
This is so the registry can be restored to this point if we need it. It may take a minute.

Next, please copy the following text in the quote box below to a blank Notepad file. Make sure the file type is set to "All Files" and save it as Fixit.reg on your desktop.

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]

Now double-click on the Fixit.reg on your desktop and allow it to merge with the registry by clicking YES on the prompt. Go ahead and delete Fixit.reg on your desktop.

Now reboot and run Deckard's System Scanner one more time. Post back with the log. How is the system running right now? :blink:
Hi there, stranger!

#11 She Haunts Me

Posted 25 March 2008 - 07:05 PM

Hey Rawe! I've done everything you asked. The system is running much better. :thumbsup:

I haven't had any pop-ups at all! It also runs a little faster and seems more stable overall. Once we finish cleaning it, I plan to do a disk cleanup, delete unneeded files and defragment the hard drive. I hope that will help even more.

Here is the new DSS log. I hope it looks good!


Deckard's System Scanner v20071014.68
Run by Derek Isom on 2008-03-25 18:51:50
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as Derek Isom.exe) ------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:54:22 PM, on 3/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\COMODO\Firewall\cfp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\COMODO\Firewall\cmdagent.exe
C:\Program Files\Spyware Terminator\sp_rsser.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Derek Isom\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\DEREKI~1.EXE

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\COMODO\Firewall\cfp.exe" -h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1205209777328
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.11.7/ttinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: COMODO Firewall Pro Helper Service (cmdAgent) - COMODO - C:\Program Files\COMODO\Firewall\cmdagent.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Spyware Terminator Realtime Shield Service (sp_rssrv) - Crawler.com - C:\Program Files\Spyware Terminator\sp_rsser.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 4450 bytes

-- Files created between 2008-02-25 and 2008-03-25 -----------------------------

2008-03-24 19:34:40 106 --a------ C:\delete.bat
2008-03-24 18:24:45 0 d-------- C:\ComboFix(2)
2008-03-24 18:21:21 8126464 --a------ C:\Documents and Settings\Derek Isom\ntuser.dat
2008-03-23 21:01:16 68096 --a------ C:\WINDOWS\system32\zip.exe
2008-03-23 21:01:16 98816 --a------ C:\WINDOWS\system32\sed.exe
2008-03-23 21:01:16 80412 --a------ C:\WINDOWS\system32\grep.exe
2008-03-23 21:01:16 73728 --a------ C:\WINDOWS\system32\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-03-23 18:27:38 85579640 --a------ C:\RegBackup.reg
2008-03-23 18:18:26 0 d-------- C:\Program Files\Trend Micro
2008-03-15 20:15:19 0 d-------- C:\ie-spyad_zo
2008-03-15 19:34:42 0 d-------- C:\Documents and Settings\All Users\Application Data\comodo
2008-03-15 09:32:53 138752 --a------ C:\WINDOWS\system32\drivers\sp_rsdrv2.sys
2008-03-15 09:32:52 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Spyware Terminator
2008-03-15 09:32:52 0 d-------- C:\Documents and Settings\All Users\Application Data\Spyware Terminator
2008-03-15 09:32:47 0 d-------- C:\Program Files\Spyware Terminator
2008-03-15 09:28:47 0 dr-h----- C:\Documents and Settings\Derek Isom\Recent
2008-03-15 09:08:09 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Comodo
2008-03-15 09:08:03 0 d-------- C:\Program Files\COMODO
2008-03-15 08:08:13 0 d-------- C:\Program Files\Avira
2008-03-15 08:08:13 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-03-12 18:40:24 44928 --a------ C:\WINDOWS\system32\drivers\SDTHOOK.SYS <Not Verified; Panda Software; Panda® Antivirus>
2008-03-12 10:27:41 0 d-------- C:\WINDOWS\system32\ActiveScan
2008-03-11 21:38:38 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Uniblue
2008-03-11 18:37:25 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-11 18:37:14 0 d-------- C:\Program Files\Ace Utilities
2008-03-11 08:26:28 0 d-------- C:\Program Files\IObit
2008-03-11 08:16:38 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Sun
2008-03-11 07:35:33 0 d-------- C:\Program Files\CCleaner
2008-03-11 00:37:21 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Adobe
2008-03-11 00:37:14 1158 --a------ C:\WINDOWS\mozver.dat
2008-03-11 00:17:07 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\WinRAR
2008-03-11 00:13:29 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-03-10 20:56:40 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Mozilla


-- Find3M Report ---------------------------------------------------------------

2008-03-23 21:02:24 0 d-a------ C:\Program Files\Common Files
2008-03-15 07:43:13 0 d-------- C:\Program Files\Disney Interactive
2008-03-15 07:42:30 21840 --a-----t C:\WINDOWS\system32\SIntfNT.dll
2008-03-15 07:42:30 17212 --a-----t C:\WINDOWS\system32\SIntf32.dll
2008-03-15 07:42:30 12067 --a-----t C:\WINDOWS\system32\SIntf16.dll
2008-03-15 07:37:04 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-03-12 10:17:03 0 d-------- C:\Program Files\Common Files\Java
2008-03-12 10:05:21 0 d-------- C:\Program Files\Java
2008-03-11 08:07:34 0 d-------- C:\Program Files\Common Files\Knowledge Adventure
2008-03-11 07:58:07 0 d-------- C:\Documents and Settings\Derek Isom\Application Data\Real
2008-03-10 20:58:58 0 d--h----- C:\Program Files\Common Files\Dpi
2008-03-10 17:12:47 0 d-------- C:\Program Files\Microsoft Works
2008-03-10 17:12:12 0 d-------- C:\Program Files\Messenger
2008-03-10 17:11:27 0 d-------- C:\Program Files\Dell Modem-On-Hold


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/2008 04:25 AM]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [03/15/2008 08:10 AM]
"COMODO Firewall Pro"="C:\Program Files\COMODO\Firewall\cfp.exe" [03/15/2008 07:34 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [08/04/2004 02:56 AM]

C:\Documents and Settings\Derek Isom\Start Menu\Programs\Startup\
DESKTOP.INI [9/3/2002 10:00:00 AM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"HideLegacyLogonScripts"=0 (0x0)
"HideLogoffScripts"=0 (0x0)
"RunLogonScriptSync"=1 (0x1)
"RunStartupScriptSync"=1 (0x1)
"HideStartupScripts"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)
"NoResolveSearch"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"LinkResolveIgnoreLinkInfo"=0 (0x0)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]
C:\WINDOWS\system32\crnobbo.exe



-- End of Deckard's System Scanner: finished at 2008-03-25 18:55:04 ------------

#12 Rawe

Posted 26 March 2008 - 02:50 AM

Let's check a couple more logs...

This one doesn't seem to go:

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]
C:\WINDOWS\system32\crnobbo.exe

Please download GMER:
  • Unzip it and double-click GMER.exe
  • Click the Rootkit tab and click Scan. (do NOT check the box next to "Show All"!)
  • Once done, click Copy.
  • This will copy the results to clipboard.
  • Paste the results in your next reply. :thumbsup:

Hi there, stranger!
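The before/after check Rawe does by eye here (the two O16 entries are gone after FIX CHECKED, the Active Setup entry is still there) can be scripted. This is an added example, not code from this thread or from HijackThis/DSS; the log excerpts are constructed from the logs posted above, and the "key name should be a braced GUID" check is a heuristic assumption, not something the thread states.

```python
"""Diff two HijackThis/DSS-style logs and report what persisted after a fix."""
import re

# Constructed excerpts: entry lines from the HijackThis log in post #9 (before)
# and from the DSS run in post #11 (after), including the DSS registry dump.
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O16 - DPF: {9AC54695-69A4-46F1-BE10-10C74F9520D5} - http://cabs.elitemediagroup.net/cabs/mediaview.cab
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.11.7/ttinst.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://winfixer.com/pages/scanner/WinFixer...nnerInstall.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]
C:\WINDOWS\system32\crnobbo.exe
"""

LOG_AFTER = r"""
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toontown.com/sv1.0.11.7/ttinst.cab
O20 - AppInit_DLLs: C:\WINDOWS\system32\guard32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ad0d9228-7c95-45b8-b72c-6fcc44617d7b]
C:\WINDOWS\system32\crnobbo.exe
"""

# What the helper asked to be removed in posts #10 and #12.
TARGETS = [
    "{9AC54695-69A4-46F1-BE10-10C74F9520D5}",
    "{F919FBD3-A96B-4679-AF26-F551439BB5FD}",
    r"C:\WINDOWS\system32\crnobbo.exe",
]

HJT_RE = re.compile(r"^([RO]\d+) - (.+)$")          # e.g. "O16 - DPF: {...} - http://..."
REG_KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]$")    # e.g. "[HKEY_LOCAL_MACHINE\...]"
ACTIVE_SETUP = "REG:HKEY_LOCAL_MACHINE\\software\\microsoft\\active setup\\installed components\\"


def parse_entries(log: str) -> set:
    """Return a set of (kind, value) tuples.

    HijackThis lines become (section code, rest of line). Lines that follow a
    DSS registry-dump key header become ("REG:<key>", line) until a blank line.
    """
    entries = set()
    current_key = None
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            current_key = None           # a blank line ends a registry block
            continue
        m = HJT_RE.match(line)
        if m:
            entries.add((m.group(1), m.group(2)))
            current_key = None
            continue
        m = REG_KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        if current_key is not None:
            entries.add(("REG:" + current_key, line))
    return entries


def diff_entries(before: str, after: str):
    """(removed, added, persisted) entry lists, each sorted."""
    b, a = parse_entries(before), parse_entries(after)
    return sorted(b - a), sorted(a - b), sorted(b & a)


def unresolved(before: str, after: str, targets) -> list:
    """Targeted entries that survived the fix and still need attention."""
    _, _, persisted = diff_entries(before, after)
    return [e for e in persisted if any(t.lower() in e[1].lower() for t in targets)]


def active_setup_anomalies(log: str) -> list:
    """Heuristic: Active Setup component keys are normally named {GUID};
    a key without braces is worth a second look. Returns (key name, value)."""
    out = []
    for kind, value in parse_entries(log):
        if kind.lower().startswith(ACTIVE_SETUP.lower()):
            name = kind[len(ACTIVE_SETUP):]
            if not (name.startswith("{") and name.endswith("}")):
                out.append((name, value))
    return sorted(out)


if __name__ == "__main__":
    removed, added, _ = diff_entries(LOG_BEFORE, LOG_AFTER)
    print("removed:", *removed, sep="\n  ")
    print("added:", *added, sep="\n  ")
    print("still present:", *unresolved(LOG_BEFORE, LOG_AFTER, TARGETS), sep="\n  ")
    print("odd Active Setup keys:", *active_setup_anomalies(LOG_AFTER), sep="\n  ")
```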

#13 She Haunts Me

Posted 26 March 2008 - 07:22 AM

I've got the new log from GMER. I didn't have "Show All" checked, like you asked. It's a long log. Should it be this long? Anyway, here it is! :thumbsup:



GMER 1.0.14.14205 - http://www.gmer.net
Rootkit scan 2008-03-26 07:19:01
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.14 ----

SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwAdjustPrivilegesToken [0xF4F1CC2E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwConnectPort [0xF4F1C20C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateFile [0xF4F1C84E]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateKey [0xF4F1D3DC]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreatePort [0xF4F1C0FA]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSection [0xF4F1DC94]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwCreateSymbolicLinkObject [0xF4F1CE14]
SSDT F8DC4394 ZwCreateThread
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteKey [0xF4F1D058]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDeleteValueKey [0xF4F1D208]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwDuplicateObject [0xF4F1BB7C]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwLoadDriver [0xF4F1D934]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenFile [0xF4F1CA58]
SSDT F8DC4380 ZwOpenProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwOpenSection [0xF4F1C6F2]
SSDT F8DC4385 ZwOpenThread
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwRenameKey [0xF4F1D792]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSecureConnectPort [0xF4F1C3CE]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetSystemInformation [0xF4F1DAD4]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSetValueKey [0xF4F1D5A2]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwShutdownSystem [0xF4F1C580]
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwSystemDebugControl [0xF4F1C5E6]
SSDT F8DC438F ZwTerminateProcess
SSDT \SystemRoot\System32\DRIVERS\cmdguard.sys (COMODO Firewall Pro Sandbox Driver/COMODO) ZwTerminateThread [0xF4F1BE92]
SSDT F8DC438A ZwWriteVirtualMemory

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[240] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[240] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[240] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[240] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[240] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[240] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[240] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[240] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[240] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[240] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe[240] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[248] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 00A25050 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[248] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 00A24F80 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[248] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 00A21850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[248] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 00A21220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[248] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 00A213B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[248] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ B0, 88 ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[248] USER32.dll!EndTask 7E459E75 5 Bytes JMP 00A24C20 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[248] USER32.dll!mouse_event 7E466515 5 Bytes JMP 00A216C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[248] USER32.dll!keybd_event 7E466559 5 Bytes JMP 00A21540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[248] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 00A24950 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe[248] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 00A24AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[264] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[264] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[264] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[264] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[264] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[264] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[264] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[264] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[264] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\ctfmon.exe[264] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\ctfmon.exe[264] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[576] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[576] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[576] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[576] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[576] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[576] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[576] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[576] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[576] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[576] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe[576] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[592] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[592] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[592] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[592] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[592] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[592] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[592] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[592] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[592] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[592] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\COMODO\Firewall\cmdagent.exe[592] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[652] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[652] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[652] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[652] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[652] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[652] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[652] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[652] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[652] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[652] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Spyware Terminator\sp_rsser.exe[652] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[768] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[768] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[768] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[768] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[768] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[768] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[768] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[768] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[768] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\winlogon.exe[768] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\winlogon.exe[768] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[812] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[812] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[812] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[812] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[812] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[812] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[812] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[812] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[812] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\services.exe[812] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\services.exe[812] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[824] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[824] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[824] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[824] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[824] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[824] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[824] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[824] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[824] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\lsass.exe[824] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\lsass.exe[824] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[976] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[976] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1024] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1024] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1024] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1024] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1024] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1024] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1024] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1024] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[1024] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1024] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1120] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1120] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1120] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1120] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1120] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1120] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1120] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1120] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1120] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[1120] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1120] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1224] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1224] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1224] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1224] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1224] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1224] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1224] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1224] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1224] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[1224] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1224] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1400] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1400] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1400] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1400] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1400] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1400] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1400] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\svchost.exe[1400] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\svchost.exe[1400] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1432] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1432] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1432] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1432] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1432] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1432] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\svchost.exe[1432] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\svchost.exe[1432] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1548] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1548] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1548] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1548] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1548] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1548] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1548] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1548] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1548] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\wdfmgr.exe[1548] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\wdfmgr.exe[1548] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1680] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1680] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1680] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1680] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1680] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1680] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\Explorer.EXE[1680] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1680] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1680] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1680] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\Explorer.EXE[1680] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1748] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1748] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1748] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1748] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1748] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1748] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\LEXPPS.EXE[1748] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1748] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1748] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1748] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\LEXPPS.EXE[1748] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1756] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1756] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1756] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1756] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1756] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1756] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\system32\spoolsv.exe[1756] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1756] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1756] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1756] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\system32\spoolsv.exe[1756] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1980] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1980] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1980] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1980] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1980] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1980] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1980] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1980] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1980] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1980] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe[1980] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2280] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2280] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2280] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2280] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2280] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2280] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2280] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2280] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2280] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\WINDOWS\System32\alg.exe[2280] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\WINDOWS\System32\alg.exe[2280] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2424] ntdll.dll!NtClose 7C90D586 5 Bytes JMP 10005050 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2424] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2424] USER32.dll!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2424] USER32.dll!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2424] USER32.dll!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2424] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2424] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2424] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2424] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2424] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2424] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Derek Isom\Desktop\gmer.exe[3300] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 10004F80 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Derek Isom\Desktop\gmer.exe[3300] USER32.DLL!EndTask 7E459E75 5 Bytes JMP 10004C20 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Derek Isom\Desktop\gmer.exe[3300] USER32.DLL!mouse_event 7E466515 5 Bytes JMP 100016C0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Derek Isom\Desktop\gmer.exe[3300] USER32.DLL!keybd_event 7E466559 5 Bytes JMP 10001540 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Derek Isom\Desktop\gmer.exe[3300] GDI32.dll!BitBlt 77F16F89 5 Bytes JMP 10001850 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Derek Isom\Desktop\gmer.exe[3300] GDI32.dll!CreateDCA 77F1B221 5 Bytes JMP 10001220 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Derek Isom\Desktop\gmer.exe[3300] GDI32.dll!CreateDCW 77F1BE61 2 Bytes JMP 100013B0 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Derek Isom\Desktop\gmer.exe[3300] GDI32.dll!CreateDCW + 3 77F1BE64 2 Bytes [ 0E, 98 ]
.text C:\Documents and Settings\Derek Isom\Desktop\gmer.exe[3300] ole32.dll!CoCreateInstanceEx 774FFA6B 5 Bytes JMP 10004950 C:\WINDOWS\system32\guard32.dll
.text C:\Documents and Settings\Derek Isom\Desktop\gmer.exe[3300] ole32.dll!CoGetClassObject 77515DB2 5 Bytes JMP 10004AC0 C:\WINDOWS\system32\guard32.dll

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [F8538710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F8538770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [F8538990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [F8538950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [F8538950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F8538770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [F8538710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [F8538990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [F8538990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [F8538950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [F8538770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [F8538710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [F8538950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [F8538710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F8538770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [F8538990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F8538710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F8538770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F8538950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F8538990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F8538950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F8538770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F8538710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisDeregisterProtocol] [F8538990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisCloseAdapter] [F8538710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisOpenAdapter] [F8538770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\nwlnkipx.sys[NDIS.SYS!NdisRegisterProtocol] [F8538950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F8538950] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F8538990] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F8538710] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)
IAT \SystemRoot\System32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F8538770] inspect.sys (COMODO Firewall Pro Firewall Driver/COMODO)

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Tcp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\Udp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \Driver\Tcpip \Device\RawIp cmdhlp.sys (COMODO Firewall Pro Helper Driver/COMODO)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.14 ----

Reg HKLM\SOFTWARE\Classes\.disabled@ SpybotSD.DisabledFile
Reg HKLM\SOFTWARE\Classes\.sbe@ SpybotSD.SBEFile
Reg HKLM\SOFTWARE\Classes\.sbi@ SpybotSD.SBIFile
Reg HKLM\SOFTWARE\Classes\.sbs@ SpybotSD.SBSFile
Reg HKLM\SOFTWARE\Classes\.tnfo@ SpybotSD.TInfoFile
Reg HKLM\SOFTWARE\Classes\.uti@ SpybotSD.UTIFile
Reg HKLM\SOFTWARE\Classes\.uts@ SpybotSD.UTSFile
Reg HKLM\SOFTWARE\Classes\.ymg@ YPager.Messenger
Reg HKLM\SOFTWARE\Classes\.ymg@Content Type application/ymsgr
Reg HKLM\SOFTWARE\Classes\.yps@ YPager.Messenger
Reg HKLM\SOFTWARE\Classes\.yps@Content Type application/ymsgr
Reg HKLM\SOFTWARE\Classes\Asw.AudioWizard@ AudioWizard Class
Reg HKLM\SOFTWARE\Classes\Asw.AudioWizard\CLSID
Reg HKLM\SOFTWARE\Classes\Asw.AudioWizard\CLSID@ {41695A8E-6414-11D4-8FB3-00D0B7730277}
Reg HKLM\SOFTWARE\Classes\Asw.AudioWizard\CurVer
Reg HKLM\SOFTWARE\Classes\Asw.AudioWizard\CurVer@ Asw.AudioWizard.1
Reg HKLM\SOFTWARE\Classes\Asw.AudioWizard.1@ AudioWizard Class
Reg HKLM\SOFTWARE\Classes\Asw.AudioWizard.1\CLSID
Reg HKLM\SOFTWARE\Classes\Asw.AudioWizard.1\CLSID@ {41695A8E-6414-11D4-8FB3-00D0B7730277}
Reg HKLM\SOFTWARE\Classes\ft60.YFT@ CYFT Object
Reg HKLM\SOFTWARE\Classes\ft60.YFT\CLSID
Reg HKLM\SOFTWARE\Classes\ft60.YFT\CLSID@ {24F3EAD6-8B87-4C1A-97DA-71C126BDA08F}
Reg HKLM\SOFTWARE\Classes\ft60.YFT\CurVer
Reg HKLM\SOFTWARE\Classes\ft60.YFT\CurVer@ ft60.YFT.1
Reg HKLM\SOFTWARE\Classes\ft60.YFT.1@ CYFT Object
Reg HKLM\SOFTWARE\Classes\ft60.YFT.1\CLSID
Reg HKLM\SOFTWARE\Classes\ft60.YFT.1\CLSID@ {24F3EAD6-8B87-4C1A-97DA-71C126BDA08F}
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj@ IEEhncrObj Class
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj\CLSID
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj\CLSID@ {0B90AA1B-F649-44C3-9FD3-736C332CBBCF}
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj\CurVer
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj\CurVer@ IEEnhancer.IEEhncrObj.1
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj.1@ IEEhncrObj Class
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj.1\CLSID
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj.1\CLSID@ {0B90AA1B-F649-44C3-9FD3-736C332CBBCF}
Reg HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame@ BottomFrame Class
Reg HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID
Reg HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CLSID@ {F3155057-4C2C-4078-8576-50486693FD49}
Reg HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer
Reg HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame\CurVer@ IMIToolbar.BottomFrame.1
Reg HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame.1@ BottomFrame Class
Reg HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame.1\CLSID
Reg HKLM\SOFTWARE\Classes\IMIToolbar.BottomFrame.1\CLSID@ {F3155057-4C2C-4078-8576-50486693FD49}
Reg HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame@ LeftFrame Class
Reg HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID
Reg HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CLSID@ {E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
Reg HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer
Reg HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame\CurVer@ IMIToolbar.LeftFrame.1
Reg HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame.1@ LeftFrame Class
Reg HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame.1\CLSID
Reg HKLM\SOFTWARE\Classes\IMIToolbar.LeftFrame.1\CLSID@ {E2BF1BF3-1FDB-4C93-8874-0B09E71C594C}
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser@ PopupBrowser Class
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CLSID@ {1C896551-8B92-4907-8C06-15DB2D1F874A}
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser\CurVer@ IMIToolbar.PopupBrowser.1
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1@ PopupBrowser Class
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1\CLSID
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupBrowser.1\CLSID@ {1C896551-8B92-4907-8C06-15DB2D1F874A}
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow@ PopupWindow Class
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CLSID@ {D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow\CurVer@ IMIToolbar.PopupWindow.1
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow.1@ PopupWindow Class
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow.1\CLSID
Reg HKLM\SOFTWARE\Classes\IMIToolbar.PopupWindow.1\CLSID@ {D36F70B1-7DF5-4FD4-A765-70CCC8F72CD7}
Reg HKLM\SOFTWARE\Classes\KEYACTIVEX.KeyActivexCtrl.1@ KeyActivex Control
Reg HKLM\SOFTWARE\Classes\KEYACTIVEX.KeyActivexCtrl.1\CLSID
Reg HKLM\SOFTWARE\Classes\KEYACTIVEX.KeyActivexCtrl.1\CLSID@ {A16E6189-A1DD-4696-9806-0324C145D794}
Reg HKLM\SOFTWARE\Classes\MSComDlg.CommonDialog@ Microsoft Common Dialog Control, version 6.0
Reg HKLM\SOFTWARE\Classes\MSComDlg.CommonDialog\CLSID
Reg HKLM\SOFTWARE\Classes\MSComDlg.CommonDialog\CLSID@ {F9043C85-F6F2-101A-A3C9-08002B2F49FB}
Reg HKLM\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer
Reg HKLM\SOFTWARE\Classes\MSComDlg.CommonDialog\CurVer@ MSComDlg.CommonDialog.1
Reg HKLM\SOFTWARE\Classes\MSComDlg.CommonDialog.1@ Microsoft Common Dialog Control, version 6.0
Reg HKLM\SOFTWARE\Classes\MSComDlg.CommonDialog.1\CLSID
Reg HKLM\SOFTWARE\Classes\MSComDlg.CommonDialog.1\CLSID@ {F9043C85-F6F2-101A-A3C9-08002B2F49FB}
Reg HKLM\SOFTWARE\Classes\SpybotSD.DisabledFile@ Disabled startup file
Reg HKLM\SOFTWARE\Classes\SpybotSD.DisabledFile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\SpybotSD.DisabledFile\DefaultIcon@ "C:\Program Files\Spybot - Search & Destroy\blindman.exe",0
Reg HKLM\SOFTWARE\Classes\SpybotSD.DisabledFile\shell
Reg HKLM\SOFTWARE\Classes\SpybotSD.DisabledFile\shell\open
Reg HKLM\SOFTWARE\Classes\SpybotSD.DisabledFile\shell\open\command
Reg HKLM\SOFTWARE\Classes\SpybotSD.DisabledFile\shell\open\command@ "C:\Program Files\Spybot - Search & Destroy\blindman.exe" %1
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBEFile@ Spyware exclude file
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBEFile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBEFile\DefaultIcon@ "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe",0
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBEFile\shell
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBEFile\shell\open
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBEFile\shell\open\command
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBEFile\shell\open\command@ "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" %1
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBIFile@ Spyware include file
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBIFile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBIFile\DefaultIcon@ "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe",0
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBIFile\shell
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBIFile\shell\open
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBIFile\shell\open\command
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBIFile\shell\open\command@ "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" %1
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBSFile@ Spyware supplemental file
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBSFile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBSFile\DefaultIcon@ "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe",0
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBSFile\shell
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBSFile\shell\open
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBSFile\shell\open\command
Reg HKLM\SOFTWARE\Classes\SpybotSD.SBSFile\shell\open\command@ "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" %1
Reg HKLM\SOFTWARE\Classes\SpybotSD.TInfoFile@ Internal informations
Reg HKLM\SOFTWARE\Classes\SpybotSD.TInfoFile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\SpybotSD.TInfoFile\DefaultIcon@ "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe",0
Reg HKLM\SOFTWARE\Classes\SpybotSD.TInfoFile\shell
Reg HKLM\SOFTWARE\Classes\SpybotSD.TInfoFile\shell\open
Reg HKLM\SOFTWARE\Classes\SpybotSD.TInfoFile\shell\open\command
Reg HKLM\SOFTWARE\Classes\SpybotSD.TInfoFile\shell\open\command@ "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" %1
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTIFile@ Usage tracks include file
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTIFile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTIFile\DefaultIcon@ "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe",0
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTIFile\shell
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTIFile\shell\open
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTIFile\shell\open\command
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTIFile\shell\open\command@ "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" %1
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTSFile@ Usage tracks supplemental file
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTSFile\DefaultIcon
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTSFile\DefaultIcon@ "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe",0
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTSFile\shell
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTSFile\shell\open
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTSFile\shell\open\command
Reg HKLM\SOFTWARE\Classes\SpybotSD.UTSFile\shell\open\command@ "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" %1
Reg HKLM\SOFTWARE\Classes\StockView.StockView@ StockView Class
Reg HKLM\SOFTWARE\Classes\StockView.StockView\CurVer
Reg HKLM\SOFTWARE\Classes\StockView.StockView\CurVer@ StockView.StockView.1
Reg HKLM\SOFTWARE\Classes\StockView.StockView.1@ StockView Class
Reg HKLM\SOFTWARE\Classes\StockView.StockView.1\CLSID
Reg HKLM\SOFTWARE\Classes\StockView.StockView.1\CLSID@ {8D4B0BE1-C02E-11D2-A33D-00A0C94B8D0E}
Reg HKLM\SOFTWARE\Classes\SWRT01.RT@ SWRT01.RT
Reg HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid
Reg HKLM\SOFTWARE\Classes\SWRT01.RT\Clsid@ {8940E505-72C6-44DE-BE85-1D746780EFBF}
Reg HKLM\SOFTWARE\Classes\Trident.MshtmlSp@ Trident Spell Checking
Reg HKLM\SOFTWARE\Classes\Trident.MshtmlSp\CLSID
Reg HKLM\SOFTWARE\Classes\Trident.MshtmlSp\CLSID@ {4028f6c7-98b5-11cf-bb82-00aa00bdce0b}
Reg HKLM\SOFTWARE\Classes\Trident.MshtmlSp\CurVer
Reg HKLM\SOFTWARE\Classes\Trident.MshtmlSp\CurVer@ Trident.MshtmlSp.1
Reg HKLM\SOFTWARE\Classes\Trident.MshtmlSp.1@ Trident Spell Checking
Reg HKLM\SOFTWARE\Classes\Trident.MshtmlSp.1\CLSID
Reg HKLM\SOFTWARE\Classes\Trident.MshtmlSp.1\CLSID@ {4028f6c7-98b5-11cf-bb82-00aa00bdce0b}
Reg HKLM\SOFTWARE\Classes\URLSearch.URLSearch@ URLSearch Class
Reg HKLM\SOFTWARE\Classes\URLSearch.URLSearch\CLSID
Reg HKLM\SOFTWARE\Classes\URLSearch.URLSearch\CLSID@ {965A592F-8EFA-4250-8630-7960230792F1}
Reg HKLM\SOFTWARE\Classes\URLSearch.URLSearch\CurVer
Reg HKLM\SOFTWARE\Classes\URLSearch.URLSearch\CurVer@ URLSearch.URLSearch.1
Reg HKLM\SOFTWARE\Classes\URLSearch.URLSearch.1@ URLSearch Class
Reg HKLM\SOFTWARE\Classes\URLSearch.URLSearch.1\CLSID
Reg HKLM\SOFTWARE\Classes\URLSearch.URLSearch.1\CLSID@ {965A592F-8EFA-4250-8630-7960230792F1}
Reg HKLM\SOFTWARE\Classes\YAddBook.YAutoComplete@ YAddBook Class
Reg HKLM\SOFTWARE\Classes\YAddBook.YAutoComplete\CLSID
Reg HKLM\SOFTWARE\Classes\YAddBook.YAutoComplete\CLSID@ {B9191F79-5613-4C76-AA2A-398534BB8999}
Reg HKLM\SOFTWARE\Classes\YAddBook.YAutoComplete\CurVer
Reg HKLM\SOFTWARE\Classes\YAddBook.YAutoComplete\CurVer@ YAddBook.YAutoComplete.1
Reg HKLM\SOFTWARE\Classes\YAddBook.YAutoComplete.1@ YAddBook Class
Reg HKLM\SOFTWARE\Classes\YAddBook.YAutoComplete.1\CLSID
Reg HKLM\SOFTWARE\Classes\YAddBook.YAutoComplete.1\CLSID@ {B9191F79-5613-4C76-AA2A-398534BB8999}
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioConf@ Yahoo! Audio Conferencing
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioConf\CLSID
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioConf\CLSID@ {2B323CD9-50E3-11D3-9466-00A0C9700498}
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioConf\CurVer
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioConf\CurVer@ Yahoo.AudioConf.1
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioConf.1@ Yahoo! Audio Conferencing
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioConf.1\CLSID
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioConf.1\CLSID@ {2B323CD9-50E3-11D3-9466-00A0C9700498}
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioSlider@ Yahoo! Audio Slider
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioSlider\CLSID
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioSlider\CLSID@ {EC1831E0-C231-11D3-87A8-009027A35D73}
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioSlider\CurVer
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioSlider\CurVer@ Yahoo.AudioSlider.1
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioSlider.1@ Yahoo! Audio Slider
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioSlider.1\CLSID
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioSlider.1\CLSID@ {EC1831E0-C231-11D3-87A8-009027A35D73}
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1@ Yahoo! Audio UI1
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1\CLSID
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1\CLSID@ {7D1E9C49-BD6A-11D3-87A8-009027A35D73}
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1\CurVer
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1\CurVer@ Yahoo.Audio UI1.1
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1.1@ Yahoo! Audio UI1
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1.1\CLSID
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1.1\CLSID@ {7D1E9C49-BD6A-11D3-87A8-009027A35D73}
Reg HKLM\SOFTWARE\Classes\Yahoo.CpnPopupBlockerUI@ CpnPopupBlockerUI Class
Reg HKLM\SOFTWARE\Classes\Yahoo.CpnPopupBlockerUI\CurVer
Reg HKLM\SOFTWARE\Classes\Yahoo.CpnPopupBlockerUI\CurVer@ Yahoo.CpnPopupBlockerUI.1
Reg HKLM\SOFTWARE\Classes\Yahoo.CpnPopupBlockerUI.1@ CpnPopupBlockerUI Class
Reg HKLM\SOFTWARE\Classes\Yahoo.CpnPopupBlockerUI.1\CLSID
Reg HKLM\SOFTWARE\Classes\Yahoo.CpnPopupBlockerUI.1\CLSID@ {FA6B091D-0CE2-4EDD-806D-A34306045456}
Reg HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin@ PopupBlocker Class
Reg HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin\CurVer
Reg HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin\CurVer@ Yahoo.PopupBlockerPlugin.4
Reg HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin.4@ PopupBlocker Class
Reg HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin.4\CLSID
Reg HKLM\SOFTWARE\Classes\Yahoo.PopupBlockerPlugin.4\CLSID@ {1147DC83-6208-4dca-8E88-DD45BAAB3043}
Reg HKLM\SOFTWARE\Classes\Yahoo.VuMeter@ Yahoo! VU Meter
Reg HKLM\SOFTWARE\Classes\Yahoo.VuMeter\CLSID
Reg HKLM\SOFTWARE\Classes\Yahoo.VuMeter\CLSID@ {EB54205E-BF1F-11D3-87A8-009027A35D73}
Reg HKLM\SOFTWARE\Classes\Yahoo.VuMeter\CurVer
Reg HKLM\SOFTWARE\Classes\Yahoo.VuMeter\CurVer@ Yahoo.VuMeter.1
Reg HKLM\SOFTWARE\Classes\Yahoo.VuMeter.1@ Yahoo! VU Meter
Reg HKLM\SOFTWARE\Classes\Yahoo.VuMeter.1\CLSID
Reg HKLM\SOFTWARE\Classes\Yahoo.VuMeter.1\CLSID@ {EB54205E-BF1F-11D3-87A8-009027A35D73}
Reg HKLM\SOFTWARE\Classes\Yahoo3.Yahoo3@ Yahoo Class
Reg HKLM\SOFTWARE\Classes\Yahoo3.Yahoo3\CurVer
Reg HKLM\SOFTWARE\Classes\Yahoo3.Yahoo3\CurVer@ Yahoo3.Yahoo3.1
Reg HKLM\SOFTWARE\Classes\Yahoo3.Yahoo3.1@ Yahoo Class
Reg HKLM\SOFTWARE\Classes\Yahoo3.Yahoo3.1\CLSID
Reg HKLM\SOFTWARE\Classes\Yahoo3.Yahoo3.1\CLSID@ {29F46F81-4B2A-11D1-9BCE-00A0C96ED13A}
Reg HKLM\SOFTWARE\Classes\YahooBridgeLib.YahooBridge@ YahooBridge Class
Reg HKLM\SOFTWARE\Classes\YahooBridgeLib.YahooBridge\CLSID
Reg HKLM\SOFTWARE\Classes\YahooBridgeLib.YahooBridge\CLSID@ {58916BE6-BAFF-4f33-AEFE-B2AA03FE4C86}
Reg HKLM\SOFTWARE\Classes\YahooBridgeLib.YahooBridge\CurVer
Reg HKLM\SOFTWARE\Classes\YahooBridgeLib.YahooBridge\CurVer@ YahooBridgeLib.YahooBridge.1
Reg HKLM\SOFTWARE\Classes\YahooBridgeLib.YahooBridge.1@ YahooBridge Class
Reg HKLM\SOFTWARE\Classes\YahooBridgeLib.YahooBridge.1\CLSID
Reg HKLM\SOFTWARE\Classes\YahooBridgeLib.YahooBridge.1\CLSID@ {58916BE6-BAFF-4f33-AEFE-B2AA03FE4C86}
Reg HKLM\SOFTWARE\Classes\YAlertCenter.YAlert@ YAlert Class
Reg HKLM\SOFTWARE\Classes\YAlertCenter.YAlert\CLSID
Reg HKLM\SOFTWARE\Classes\YAlertCenter.YAlert\CLSID@ {97D85205-80CF-4b71-90A5-D220DA4FEE58}
Reg HKLM\SOFTWARE\Classes\YAlertCenter.YAlert\CurVer
Reg HKLM\SOFTWARE\Classes\YAlertCenter.YAlert\CurVer@ YAlertCenter.YAlert.1
Reg HKLM\SOFTWARE\Classes\YAlertCenter.YAlert.1@ YAlert Class
Reg HKLM\SOFTWARE\Classes\YAlertCenter.YAlert.1\CLSID
Reg HKLM\SOFTWARE\Classes\YAlertCenter.YAlert.1\CLSID@ {97D85205-80CF-4b71-90A5-D220DA4FEE58}
Reg HKLM\SOFTWARE\Classes\YbSkin.YbSkin@ YbSkin Class
Reg HKLM\SOFTWARE\Classes\YbSkin.YbSkin\CLSID
Reg HKLM\SOFTWARE\Classes\YbSkin.YbSkin\CLSID@ {3D5D83B0-47DC-4862-93D6-3E827A14AED1}
Reg HKLM\SOFTWARE\Classes\YbSkin.YbSkin\CurVer
Reg HKLM\SOFTWARE\Classes\YbSkin.YbSkin\CurVer@ YbSkin.YbSkin.1
Reg HKLM\SOFTWARE\Classes\YbSkin.YbSkin.1@ YbSkin Class
Reg HKLM\SOFTWARE\Classes\YbSkin.YbSkin.1\CLSID
Reg HKLM\SOFTWARE\Classes\YbSkin.YbSkin.1\CLSID@ {3D5D83B0-47DC-4862-93D6-3E827A14AED1}
Reg HKLM\SOFTWARE\Classes\YbSkinSelect.SkinSelector@ SkinSelector Class
Reg HKLM\SOFTWARE\Classes\YbSkinSelect.SkinSelector\CLSID
Reg HKLM\SOFTWARE\Classes\YbSkinSelect.SkinSelector\CLSID@ {2018C303-E3F2-4455-AA1A-773F84F10902}
Reg HKLM\SOFTWARE\Classes\YbSkinSelect.SkinSelector\CurVer
Reg HKLM\SOFTWARE\Classes\YbSkinSelect.SkinSelector\CurVer@ YbSkinSelect.SkinSelector.1
Reg HKLM\SOFTWARE\Classes\YbSkinSelect.SkinSelector.1@ SkinSelector Class
Reg HKLM\SOFTWARE\Classes\YbSkinSelect.SkinSelector.1\CLSID
Reg HKLM\SOFTWARE\Classes\YbSkinSelect.SkinSelector.1\CLSID@ {2018C303-E3F2-4455-AA1A-773F84F10902}
Reg HKLM\SOFTWARE\Classes\YCrypto.YCrypto@ YCrypto Class
Reg HKLM\SOFTWARE\Classes\YCrypto.YCrypto\CurVer
Reg HKLM\SOFTWARE\Classes\YCrypto.YCrypto\CurVer@ YCrypto.YCrypto.1
Reg HKLM\SOFTWARE\Classes\YCrypto.YCrypto.1@ YCrypto Class
Reg HKLM\SOFTWARE\Classes\YCrypto.YCrypto.1\CLSID
Reg HKLM\SOFTWARE\Classes\YCrypto.YCrypto.1\CLSID@ {390CE9F2-C4A0-11D4-8A92-0090271D4F88}
Reg HKLM\SOFTWARE\Classes\YInstHelper.YSearchSetting2@ YSearchSetting2 Class
Reg HKLM\SOFTWARE\Classes\YInstHelper.YSearchSetting2\CLSID
Reg HKLM\SOFTWARE\Classes\YInstHelper.YSearchSetting2\CLSID@ {347B0667-C7ED-429B-BDE3-CC8D3BACAA31}
Reg HKLM\SOFTWARE\Classes\YInstHelper.YSearchSetting2\CurVer
Reg HKLM\SOFTWARE\Classes\YInstHelper.YSearchSetting2\CurVer@ YInstHelper.YSearchSetting2.1
Reg HKLM\SOFTWARE\Classes\YInstHelper.YSearchSetting2.1@ YSearchSetting2 Class
Reg HKLM\SOFTWARE\Classes\YInstHelper.YSearchSetting2.1\CLSID
Reg HKLM\SOFTWARE\Classes\YInstHelper.YSearchSetting2.1\CLSID@ {347B0667-C7ED-429B-BDE3-CC8D3BACAA31}
Reg HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl@ BlockerCtrl Class
Reg HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl\CLSID
Reg HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl\CLSID@ {6E40017D-FB6A-4804-BDE4-3BB09F1719C1}
Reg HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl\CurVer
Reg HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl\CurVer@ YPUBC.BlockerCtrl.1
Reg HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl.1@ BlockerCtrl Class
Reg HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl.1\CLSID
Reg HKLM\SOFTWARE\Classes\YPUBC.BlockerCtrl.1\CLSID@ {6E40017D-FB6A-4804-BDE4-3BB09F1719C1}
Reg HKLM\SOFTWARE\Classes\YPUBC.DataStore@ DataStore Class
Reg HKLM\SOFTWARE\Classes\YPUBC.DataStore\CLSID
Reg HKLM\SOFTWARE\Classes\YPUBC.DataStore\CLSID@ {E1A2D448-6334-45ec-8800-6D7F71DC87FC}
Reg HKLM\SOFTWARE\Classes\YPUBC.DataStore\CurVer
Reg HKLM\SOFTWARE\Classes\YPUBC.DataStore\CurVer@ YPUBC.DataStore.1
Reg HKLM\SOFTWARE\Classes\YPUBC.DataStore.1@ DataStore Class
Reg HKLM\SOFTWARE\Classes\YPUBC.DataStore.1\CLSID
Reg HKLM\SOFTWARE\Classes\YPUBC.DataStore.1\CLSID@ {E1A2D448-6334-45ec-8800-6D7F71DC87FC}
Reg HKLM\SOFTWARE\Classes\YPUBC.StringList@ StringList Class
Reg HKLM\SOFTWARE\Classes\YPUBC.StringList\CLSID
Reg HKLM\SOFTWARE\Classes\YPUBC.StringList\CLSID@ {11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}
Reg HKLM\SOFTWARE\Classes\YPUBC.StringList\CurVer
Reg HKLM\SOFTWARE\Classes\YPUBC.StringList\CurVer@ YPUBC.StringList.1
Reg HKLM\SOFTWARE\Classes\YPUBC.StringList.1@ StringList Class
Reg HKLM\SOFTWARE\Classes\YPUBC.StringList.1\CLSID
Reg HKLM\SOFTWARE\Classes\YPUBC.StringList.1\CLSID@ {11CB4723-D5A1-4a55-8D1D-5C2679D54CF5}
Reg HKLM\SOFTWARE\Classes\YServer.Component.1@ YServer
Reg HKLM\SOFTWARE\Classes\YServer.Component.1\CLSID
Reg HKLM\SOFTWARE\Classes\YServer.Component.1\CLSID@ {B26DA9C0-7921-11D4-B0F2-0050DA2B3579}
Reg HKLM\SOFTWARE\Classes\YServer.Component.1\CurVer
Reg HKLM\SOFTWARE\Classes\YServer.Component.1\CurVer@ YServer.Component.1
Reg HKLM\SOFTWARE\Classes\YWcUpl.WcUpload@ Yahoo! Webcam Upload
Reg HKLM\SOFTWARE\Classes\YWcUpl.WcUpload\CLSID
Reg HKLM\SOFTWARE\Classes\YWcUpl.WcUpload\CLSID@ {DCE2F8B1-A520-11D4-8FD0-00D0B7730277}
Reg HKLM\SOFTWARE\Classes\YWcUpl.WcUpload\CurVer
Reg HKLM\SOFTWARE\Classes\YWcUpl.WcUpload\CurVer@ YWcUpl.WcUpload.1
Reg HKLM\SOFTWARE\Classes\YWcUpl.WcUpload.1@ Yahoo! Webcam Upload
Reg HKLM\SOFTWARE\Classes\YWcUpl.WcUpload.1\CLSID
Reg HKLM\SOFTWARE\Classes\YWcUpl.WcUpload.1\CLSID@ {DCE2F8B1-A520-11D4-8FD0-00D0B7730277}
Reg HKLM\SOFTWARE\Classes\YWcVwr.WcViewer@ Yahoo! Webcam Viewer
Reg HKLM\SOFTWARE\Classes\YWcVwr.WcViewer\CLSID
Reg HKLM\SOFTWARE\Classes\YWcVwr.WcViewer\CLSID@ {9D39223E-AE8E-11D4-8FD3-00D0B7730277}
Reg HKLM\SOFTWARE\Classes\YWcVwr.WcViewer\CurVer
Reg HKLM\SOFTWARE\Classes\YWcVwr.WcViewer\CurVer@ YWcVwr.WcViewer.1
Reg HKLM\SOFTWARE\Classes\YWcVwr.WcViewer.1@ Yahoo! Webcam Viewer
Reg HKLM\SOFTWARE\Classes\YWcVwr.WcViewer.1\CLSID
Reg HKLM\SOFTWARE\Classes\YWcVwr.WcViewer.1\CLSID@ {9D39223E-AE8E-11D4-8FD3-00D0B7730277}

---- EOF - GMER 1.0.14 ----
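The registry section of the GMER dump above runs to a few hundred ProgID and CLSID lines, which is hard to triage by eye. What follows is an added example written for this page, not part of the thread and not GMER's own code: a small parser that turns the Reg HKLM\SOFTWARE\Classes\... lines into ProgID entries, pairs each ProgID with its CLSID, groups ProgIDs by the library name before the first dot (IEEnhancer, IMIToolbar, URLSearch, Yahoo and so on) so related registrations can be reviewed together, and flags a CurVer value that names a ProgID absent from the dump or one registered with a different CLSID. The constructed sample input is a handful of lines copied from the dump above, including the Yahoo.AudioUI1 CurVer value that reads "Yahoo.Audio UI1.1" with a stray space; the parser reports it as dangling. Such findings are registry inconsistencies, not a verdict on whether a component is malicious.

```python
import sys
from collections import defaultdict

# Constructed sample input: a few "Reg" lines copied from the GMER registry
# section above (IEEnhancer and Yahoo.AudioUI1). Not the full dump; pass the
# real log file on the command line to triage all of it.
SAMPLE_GMER_LINES = r"""
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj@ IEEhncrObj Class
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj\CLSID
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj\CLSID@ {0B90AA1B-F649-44C3-9FD3-736C332CBBCF}
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj\CurVer
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj\CurVer@ IEEnhancer.IEEhncrObj.1
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj.1@ IEEhncrObj Class
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj.1\CLSID
Reg HKLM\SOFTWARE\Classes\IEEnhancer.IEEhncrObj.1\CLSID@ {0B90AA1B-F649-44C3-9FD3-736C332CBBCF}
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1@ Yahoo! Audio UI1
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1\CLSID@ {7D1E9C49-BD6A-11D3-87A8-009027A35D73}
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1\CurVer@ Yahoo.Audio UI1.1
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1.1@ Yahoo! Audio UI1
Reg HKLM\SOFTWARE\Classes\Yahoo.AudioUI1.1\CLSID@ {7D1E9C49-BD6A-11D3-87A8-009027A35D73}
"""

CLASSES_PREFIX = "HKLM\\SOFTWARE\\Classes\\"


def parse_gmer_registry(text):
    """Map ProgID -> {subkey: default value} from GMER 'Reg HKLM\\SOFTWARE\\Classes'
    lines. The ProgID key itself is subkey ''. A line with no '@' is a bare
    key; it is recorded with value None unless a value was already seen."""
    entries = defaultdict(dict)
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("Reg "):
            continue
        path, sep, value = line[4:].partition("@")
        if not path.startswith(CLASSES_PREFIX):
            continue                                  # other hives: out of scope
        progid, _, subkey = path[len(CLASSES_PREFIX):].partition("\\")
        if sep:
            entries[progid][subkey] = value.strip()
        else:
            entries[progid].setdefault(subkey, None)
    return dict(entries)


def clsid_map(entries):
    """ProgID -> CLSID, upper-cased so mixed-case GUIDs in the dump compare equal."""
    return {p: sub["CLSID"].upper() for p, sub in entries.items() if sub.get("CLSID")}


def curver_problems(entries):
    """Return (progid, curver_target, kind) for version-independent ProgIDs whose
    CurVer names a ProgID absent from the dump ('dangling') or one registered
    with a different CLSID ('clsid-mismatch'). Both are inconsistent
    registrations, typical of a broken install or uninstall; they are worth a
    second look but are not by themselves evidence of malware."""
    ids = clsid_map(entries)
    problems = []
    for progid, sub in entries.items():
        target = sub.get("CurVer")
        if not target:
            continue
        if target not in entries:
            problems.append((progid, target, "dangling"))
        elif progid in ids and target in ids and ids[progid] != ids[target]:
            problems.append((progid, target, "clsid-mismatch"))
    return problems


def families(entries):
    """Group ProgIDs by the token before the first dot (library/app name) so a
    reviewer can scan IEEnhancer, IMIToolbar, URLSearch, Yahoo... as units."""
    groups = defaultdict(set)
    for progid in entries:
        groups[progid.split(".", 1)[0]].add(progid)
    return {name: sorted(ids) for name, ids in sorted(groups.items())}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() \
        if len(sys.argv) > 1 else SAMPLE_GMER_LINES
    reg = parse_gmer_registry(text)
    for name, ids in families(reg).items():
        print("%-14s %s" % (name, ", ".join(ids)))
    for progid, target, kind in curver_problems(reg):
        print("CurVer %s: %s -> %r" % (kind, progid, target))
```

Run it with the saved GMER log as the only argument to get one line per library name and a list of CurVer inconsistencies; without an argument it runs over the constructed sample. The family view is the useful part for a dump like this one: a handful of library names account for most of the lines, and the ones that do not belong to software the owner recognises are where to spend the review time.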

#14 Rawe

Posted 26 March 2008 - 09:19 AM

Nothing that catches my eye there...

Please download FileFind by Atribune and save it to your desktop.
  • Right-click the zip file and click "Extract All"
  • Double-click FileFind.exe to run the tool.
  • Leave the directory setting at C:\
  • Enter this filename for a search:
    • crnobbo.exe
  • When the search finishes, click Export and a Notepad page will open with the results.
  • Copy the contents of both those search results into the next reply. :thumbsup:

Hi there, stranger!
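An equivalent of the FileFind step in the post above, as an added example that is not part of the thread and not Atribune's tool: a case-insensitive recursive search for a filename under a root that reports size, modification time and SHA-256 for every hit, counts the directories it walked, and records directories it could not read instead of aborting. That last point is what makes an empty result meaningful: zero hits across N directories with no access errors is a different finding from a walk that stopped at the first access-denied folder. The tree it searches by default is constructed here (a temp folder with an upper-cased CRNOBBO.EXE, a decoy crnobbo.exe.txt and an unrelated file); only the filename comes from the post.

```python
import hashlib
import os
import sys
import tempfile


def sha256_file(path, chunk=1 << 20):
    """Hex SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def search(root, names):
    """Case-insensitive filename search under `root`.

    Returns {'hits': [...], 'dirs_scanned': n, 'errors': [...]}. Each hit has
    path, size, mtime and sha256. Directories that cannot be listed (ACLs,
    locked system folders) are appended to 'errors' rather than aborting the
    walk, so one access-denied does not hide a hit elsewhere and the caller
    can tell "0 files in N directories" from "could not look". Symlinks and
    junctions are not followed, which avoids loops."""
    wanted = {n.lower() for n in names}
    result = {"hits": [], "dirs_scanned": 0, "errors": []}

    def on_error(exc):
        result["errors"].append("%s: %s" % (exc.filename, exc.strerror))

    for dirpath, _dirnames, filenames in os.walk(root, onerror=on_error, followlinks=False):
        result["dirs_scanned"] += 1
        for fn in filenames:
            if fn.lower() not in wanted:
                continue
            full = os.path.join(dirpath, fn)
            try:
                st = os.stat(full)
                digest = sha256_file(full)
            except OSError as exc:
                on_error(exc)
                continue
            result["hits"].append({"path": full, "size": st.st_size,
                                   "mtime": st.st_mtime, "sha256": digest})
    return result


def build_demo_tree():
    """Constructed fixture (not from the thread): a temp tree with one
    CRNOBBO.EXE in a nested folder, a decoy 'crnobbo.exe.txt' and an
    unrelated file. Returns the root path."""
    base = tempfile.mkdtemp(prefix="filefind_demo_")
    os.makedirs(os.path.join(base, "WINDOWS", "system32"))
    os.makedirs(os.path.join(base, "Program Files", "Tool"))
    with open(os.path.join(base, "WINDOWS", "system32", "CRNOBBO.EXE"), "wb") as f:
        f.write(b"MZ" + b"\x00" * 62)          # 64-byte stand-in, not a real PE
    with open(os.path.join(base, "Program Files", "Tool", "crnobbo.exe.txt"), "w") as f:
        f.write("not the binary\n")
    with open(os.path.join(base, "readme.txt"), "w") as f:
        f.write("unrelated\n")
    return base


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree()
    r = search(root, ["crnobbo.exe"])
    for h in r["hits"]:
        print("%s  %d bytes  sha256=%s" % (h["path"], h["size"], h["sha256"]))
    print("%d file(s) in %d directories, %d directory error(s)"
          % (len(r["hits"]), r["dirs_scanned"], len(r["errors"])))
    for err in r["errors"]:
        print("  skipped:", err)
```

Against a live disk, pass the root as the argument (for example C:\) from an elevated prompt so ACL-protected folders are readable, and look at the skipped list as closely as the hit list: a search that silently could not enter a folder says nothing about what is in it. The SHA-256 is there so a hit can be checked against a reputation service or compared across machines without shipping the file around.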

#15 She Haunts Me (Topic Starter)

Posted 26 March 2008 - 09:26 AM

Hey Rawe! I ran the FileFind and searched for crnobbo.exe in the C:\ directory and it said it found 0 files in 3070 directories. I clicked export but it's empty since it found nothing. That can't be good, right?



