Spyware On My Computer


6 replies to this topic

#1 pfeid

Posted 14 June 2008 - 04:19 PM

My computer works fine, except that 1/2 inch-long black beetle bugs start to crawl around the screen and begin to virtually eat the icons and opened windows on the desktop. The bugs will temporarily disappear for a minute if I move the mouse. Also, there's an embedded yellow and blue window stating: "Warning! Spyware detected on your computer! Install an antivirus or spyware remover to clean your computer."

Deckard's System Scanner v20071014.68
Run by Administrator on 2008-06-14 03:53:57
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Backed up registry hives.
Performed disk cleanup.

System Drive C: has 0.55 GiB (less than 15%) free.


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-14 03:55:56
Platform: Windows 2000 Service Pack 4 (5.00.2195)
MSIE: Internet Explorer (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINNT\system32\SMSS.EXE
C:\WINNT\system32\WINLOGON.EXE
C:\WINNT\system32\SERVICES.EXE
C:\WINNT\system32\LSASS.EXE
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\lkcitdl.exe
C:\WINNT\system32\lkads.exe
C:\WINNT\system32\lktsrv.exe
D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
C:\WINNT\system32\nisvcloc.exe
C:\Program Files\Efficient Networks\EnterNet 300\app\PPPoEService.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\mstask.exe
C:\WINNT\system32\wbem\WinMgmt.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\pdesk.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe
C:\WINNT\system32\lphc348j0ep3r.exe
C:\Program Files\Efficient Networks\EnterNet 300\app\EnterNet.exe
C:\Documents and Settings\Administrator\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.google.com/ie
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://rd.yahoo.com/customize/sbcydsl/defa.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://rd.yahoo.com/customize/sbcydsl/defa...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://rd.yahoo.com/customize/sbcydsl/defa...hoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com/ie
O1 - Hosts: 205.238.40.1 winmx.com
O1 - Hosts: 205.238.40.1 www.winmx.com
O1 - Hosts: 205.238.40.1 err.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3314.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3315.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3316.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3317.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3318.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1301.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1301.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1302.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1302.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1303.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1303.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1304.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1304.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1305.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1305.winmx.com
O1 - Hosts: 205.238.40.1 c3520.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3521.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3523.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3524.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3525.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3526.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3527.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3528.z1306.winmx.com
O1 - Hosts: 82.195.155.5 c3529.z1306.winmx.com
O2 - BHO: Yahoo! Companion BHO - {13F537F0-AF09-11d6-9029-0002B31F9E59} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O2 - BHO: CDLPObj Object - {BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA} - C:\WINNT\IECodecPl.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\system32\msdxm.ocx
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Common\ycomp5,0,8,0.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL (file missing)
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [Matrox Powerdesk] C:\WINNT\System32\PDesk.exe /Autolaunch
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [mwc] C:\Program Files\Mouse Wheel Control\mwc.exe
O4 - HKLM\..\Run: [NeroCheck] C:\WINNT\system32\\NeroCheck.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
O4 - HKLM\..\Run: [lphc348j0ep3r] C:\WINNT\system32\lphc348j0ep3r.exe
O4 - HKLM\..\Run: [AXPDefender] C:\Program Files\AXPDefender\AXPDefender.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - (file missing)
O9 - Extra button: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra 'Tools' menuitem: Yahoo! Login - {2499216C-4BA5-11D5-BD9C-000103C116D5} - C:\Program Files\Yahoo!\Common\ylogin.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM
O9 - Extra 'Tools' menuitem: @shdoclc.dll,-864 - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINNT\Web\RELATED.HTM
O16 - DPF: {03D19749-C5FA-4CCC-99AB-00AB2AF45ACD} (File Transfer ActiveX Client) - https://secure.logmein.com/activex/RACtrl.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1133716662984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1176595892843
O16 - DPF: {83229950-AD1D-4B94-8304-F56E95AFACF7} (Surgient URA Remote Desktop Client) - http://mathworks.demoservers.com/proxy/srdp.cab
O16 - DPF: {A17E30C4-A9BA-11D4-8673-60DB54C10000} (YahooYMailTo Class) - http://download.yahoo.com/dl/installs/ymail/ymmapi.dll
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll (file missing)
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\system32\dmadmin.exe
O23 - Service: Lookout Citadel Server (LkCitadelServer) - National Instruments, Inc. - C:\WINNT\system32\lkcitdl.exe
O23 - Service: National Instruments PSP Server Locator (lkClassAds) - National Instruments, Inc. - C:\WINNT\system32\lkads.exe
O23 - Service: National Instruments Time Synchronization (lkTimeSync) - National Instruments, Inc. - C:\WINNT\system32\lktsrv.exe
O23 - Service: National Instruments Domain Service (NIDomainService) - National Instruments, Inc. - D:\Program Files\National Instruments\Shared\Security\nidmsrv.exe
O23 - Service: NILM License Manager - Macrovision Corporation - D:\Program Files\National Instruments\Shared\License Manager\Bin\lmgrd.exe
O23 - Service: NI Service Locator (niSvcLoc) - National Instruments Corp. - C:\WINNT\system32\nisvcloc.exe
O23 - Service: PPPoE Service (PPPoEService) - Unknown owner - C:\Program Files\Efficient Networks\EnterNet 300\app\PPPoEService.exe


--
End of file - 13711 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Cdr4_2K - c:\winnt\system32\drivers\cdr4_2k.sys <Not Verified; Roxio; Roxio's CD-R Helper Drivers>
R2 Cdralw2k - c:\winnt\system32\drivers\cdralw2k.sys <Not Verified; Roxio; Roxio's CDRAL>
R2 cvintdrv - c:\winnt\system32\drivers\cvintdrv.sys
R3 DXE101 (Dynex DX-E101 NDIS Driver) - c:\winnt\system32\drivers\dxe101.sys <Not Verified; Best Buy; Dynex DX-E101 PCI adapter>
R3 NTSPPPOE (Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver) - c:\winnt\system32\drivers\ntspppoe.sys <Not Verified; Efficient Networks, Inc.; >
R3 NTSTAP1 - c:\program files\efficient networks\enternet 300\app\ntstap1.sys <Not Verified; Network TeleSystems, Inc.; TCP Pro>
R3 RAWESR - c:\program files\efficient networks\enternet 300\app\rawesr.sys <Not Verified; Microsoft Corporation (Sample); Platform SDK Sample Code>
R3 sysrest.sys - c:\winnt\system32\sysrest.sys
R3 TAPBIND - c:\program files\efficient networks\enternet 300\app\tapbind1.sys <Not Verified; Network TeleSystems, Inc.; TCP Pro>

S3 Amps2prt (Compatible PS/2 Port Mouse Driver) - c:\winnt\system32\drivers\amps2prt.sys <Not Verified; (Standard Mouse Types); iWheelWorks Mouse Driver>
S3 NTSTAP2 - c:\program files\efficient networks\enternet 300\app\ntstap2.sys <Not Verified; Network TeleSystems, Inc.; TCP Pro>


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 PPPoEService (PPPoE Service) - c:\progra~1\effici~1\entern~1\app\pppoeservice.exe

S3 NILM License Manager - "d:\program files\national instruments\shared\license manager\bin\lmgrd.exe" <Not Verified; Macrovision Corporation; >


-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_00951028&REV_78\4&24AB0D93&0&60F0
Manufacturer: 3Com
Name: 3Com 3C920 Integrated Fast Ethernet Controller (3C905C-TX Compatible)
PNP Device ID: PCI\VEN_10B7&DEV_9200&SUBSYS_00951028&REV_78\4&24AB0D93&0&60F0
Service: EL90BC

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Efficient Networks Enternet P.P.P.o.E Adapter
Device ID: ROOT\NET\0001
Manufacturer: Efficient Networks
Name: Efficient Networks Enternet P.P.P.o.E Adapter #2
PNP Device ID: ROOT\NET\0001
Service: NTSPPPOE

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Efficient Networks Enternet P.P.P.o.E Adapter
Device ID: ROOT\NET\0002
Manufacturer: Efficient Networks
Name: Efficient Networks Enternet P.P.P.o.E Adapter #3
PNP Device ID: ROOT\NET\0002
Service: NTSPPPOE


-- Files created between 2008-05-14 and 2008-06-14 -----------------------------

2008-06-13 23:39:17 91700 --a------ C:\WINNT\system32\drivers\klin.dat
2008-06-13 23:39:17 85860 --a------ C:\WINNT\system32\drivers\klick.dat
2008-06-13 23:38:28 0 d-------- C:\Program Files\Kaspersky Lab
2008-06-13 23:38:28 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Kaspersky Lab
2008-06-13 23:31:38 2080 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
2008-06-13 23:31:38 3008800 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2008-06-13 23:29:17 0 d-------- C:\kav
2008-06-13 20:06:16 68096 --a------ C:\WINNT\zip.exe
2008-06-13 20:06:16 49152 --a------ C:\WINNT\VFind.exe
2008-06-13 20:06:16 212480 --a------ C:\WINNT\swxcacls.exe <Not Verified; SteelWerX; SteelWerX Extended Configurator ACLists>
2008-06-13 20:06:16 136704 --a------ C:\WINNT\swsc.exe <Not Verified; SteelWerX; SteelWerX Service Controller>
2008-06-13 20:06:16 161792 --a------ C:\WINNT\swreg.exe <Not Verified; SteelWerX; SteelWerX Registry Editor>
2008-06-13 20:06:16 98816 --a------ C:\WINNT\sed.exe
2008-06-13 20:06:16 80412 --a------ C:\WINNT\grep.exe
2008-06-13 20:06:16 89504 --a------ C:\WINNT\fdsv.exe <Not Verified; Smallfrogs Studio; >
2008-06-11 18:28:10 0 d-------- C:\Documents and Settings\Administrator\Application Data\AXPFixer
2008-06-10 20:47:16 0 d-------- C:\Documents and Settings\Administrator\Application Data\AXPDefender
2008-06-08 11:42:09 0 d-a------ C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy
2008-06-08 11:10:57 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-06-08 11:10:04 0 d-------- C:\Program Files\AVG
2008-06-08 11:10:04 0 d-------- C:\Documents and Settings\All Users.WINNT\Application Data\avg8
2008-06-08 11:08:13 0 d-------- C:\WINNT\winsxs
2008-06-08 10:24:59 0 d-------- C:\Documents and Settings\Administrator\Application Data\shc548j0ep3r
2008-06-08 10:18:35 52736 --a------ C:\WINNT\system32\blphc348j0ep3r.scr <Not Verified; Peter's Productions; Bugs!>
2008-06-08 10:09:12 92160 --a------ C:\WINNT\system32\lphc348j0ep3r.exe
2008-06-02 20:32:43 10752 --a------ C:\WINNT\system32\ff_vfw.dll
2008-06-02 20:32:39 0 d-------- C:\Program Files\K-Lite Codec Pack
2008-06-02 20:31:02 0 d-------- C:\WINNT\system32\quicktime
2008-06-02 20:06:38 0 d-------- C:\Program Files\Common Files\Download Manager


-- Find3M Report ---------------------------------------------------------------

2008-06-14 03:13:02 111616 --a------ C:\WINNT\IECodecPl.dll <Not Verified; DLP; DLP>
2008-06-14 01:29:25 385024 --a------ C:\WINNT\system32\WinNB58.dll <Not Verified; ; MBar IES AFF ATD>
2008-06-14 01:06:36 363980 --a----c- C:\WINNT\1-fe5e180d56ed9c233080898276c260cc.exe
2008-06-13 23:34:41 1186492 ---h----- C:\WINNT\ShellIconCache
2008-06-08 11:26:13 374 --a------ C:\Documents and Settings\Administrator\Application Data\internaldb6334.dat
2008-06-08 10:36:25 18432 --a------ C:\Documents and Settings\Administrator\Application Data\internaldb41.dat
2008-06-08 10:36:20 555 --a------ C:\Documents and Settings\Administrator\Application Data\internaldb8467.dat
2008-06-02 20:06:38 0 d-a------ C:\Program Files\Common Files
2008-05-30 14:19:54 0 d-------- C:\Program Files\Liberty BASIC v4.03
2008-05-08 19:17:09 0 d-------- C:\Program Files\Just BASIC v1.01
2008-05-02 16:37:41 0 d-------- C:\Program Files\proe2001
2008-04-30 19:37:30 7037 --a------ C:\WINNT\mozver.dat
2008-04-22 23:56:12 0 d-------- C:\Program Files\Common Files\Adobe
2008-04-22 22:44:29 0 d-------- C:\Program Files\Snapshot Viewer
2008-04-22 19:26:41 0 d-------- C:\Documents and Settings\Administrator\Application Data\LimeWire


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BE2ED590-CA49-46B5-8CCE-244FB2E0D1AA}]
08-06-14 03:13 111616 --a------ C:\WINNT\IECodecPl.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 C:\WINNT\system32\mobsync.exe]
"Matrox Powerdesk"="C:\WINNT\System32\PDesk.exe" [00-02-11 14:26 ]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05-12-09 01:30 ]
"mwc"="C:\Program Files\Mouse Wheel Control\mwc.exe" []
"NeroCheck"="C:\WINNT\system32\\NeroCheck.exe" [01-07-09 05:50 ]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07-08-01 20:42 ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [08-02-22 04:25 ]
"lphc348j0ep3r"="C:\WINNT\system32\lphc348j0ep3r.exe" [08-06-08 10:09 ]
"AXPDefender"="C:\Program Files\AXPDefender\AXPDefender.exe" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [08-02-08 18:36 ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [08-02-08 18:36 ]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 ]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispBackgroundPage"=1 (0x1)
"NoDispScrSavPage"=1 (0x1)
"disableregistrytools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\PSEXESVC]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sglfb.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\tga.sys]
@="Driver"

*Newly Created Service* - KL1



-- Hosts -----------------------------------------------------------------------

205.238.40.1 winmx.com
205.238.40.1 www.winmx.com
205.238.40.1 err.winmx.com
205.238.40.1 c3310.z1301.winmx.com
205.238.40.1 c3311.z1301.winmx.com
205.238.40.1 c3312.z1301.winmx.com
205.238.40.1 c3313.z1301.winmx.com
205.238.40.1 c3314.z1301.winmx.com
82.195.155.5 c3315.z1301.winmx.com
82.195.155.5 c3316.z1301.winmx.com

53 more entries in hosts file.


-- End of Deckard's System Scanner: finished at 2008-06-14 03:57:51 ------------

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows 2000 Professional (build 2195) SP 4.0
Architecture: X86; Language: English

CPU 0: Intel Pentium III processor
Percentage of Memory in Use: 52%
Physical Memory (total/avail): 255.17 MiB / 121.05 MiB
Pagefile Memory (total/avail): 617.42 MiB / 488.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1939.13 MiB

A: is Removable (No Media)
C: is Fixed (NTFS) - 3.99 GiB total, 0.55 GiB free.
D: is Fixed (NTFS) - 7.81 GiB total, 2.18 GiB free.
E: is Fixed (NTFS) - 6.81 GiB total, 0.29 GiB free.
F: is CDROM (No Media)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 5T020H2 - 18.62 GiB - 3 partitions
\PARTITION0 - Extended Partition - 3.99 GiB - C:
\PARTITION1 (bootable) - Installable File System - 7.81 GiB - D:
\PARTITION2 - Installable File System - 6.81 GiB - E:



-- Security Center -------------------------------------------------------------

AUOptions is scheduled to auto-install.


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users.WINNT
APPDATA=C:\Documents and Settings\Administrator\Application Data
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=PAT
ComSpec=C:\WINNT\system32\cmd.exe
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Administrator
KMP_DUPLICATE_LIB_OK=TRUE
LOGONSERVER=\\PAT
MKL_SERIAL=YES
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Os2LibPath=C:\WINNT\system32\os2\dll;
Path=C:\WINNT\system32;C:\WINNT;C:\WINNT\system32\wbem;C:\Program Files\proe2001\bin;C:\WINNT\system32;C:\WINNT;C:\WINNT\System32\Wbem;C:\Program Files\proe2001\bin;C:\Program Files\flexlm\bin
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 8 Stepping 3, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0803
ProgramFiles=C:\Program Files
PROMPT=$P$G
SystemDrive=C:
SystemRoot=C:\WINNT
TEMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
TMP=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp
USERDOMAIN=PAT
USERNAME=Administrator
USERPROFILE=C:\Documents and Settings\Administrator
windir=C:\WINNT


-- User Profiles ---------------------------------------------------------------

Administrator (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Adobe Acrobat 4.0 --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Common Files\Adobe\Acrobat 4.0\NT\Uninst.isu"
CompositePro --> C:\Program Files\CompositePro\uninstall.exe
Conquest 3.0 --> "C:\Program Files\Conquest\unins000.exe"
CPC Lite Plugin --> C:\WINNT\UnCpcVw.exe CPC View Plugin
DesignFOIL R5.32 Demo --> C:\WINNT\st6unst.exe -n "C:\Program Files\DesignFOIL\ST6UNST.LOG"
EnterNet 300 --> C:\WINNT\IsUninst.exe -f"C:\Program Files\Efficient Networks\EnterNet 300\Uninst.isu" -c"C:\Program Files\Efficient Networks\EnterNet 300\NTSUninstall.dll"
Flock 1.1 --> C:\Program Files\Flock\uninst.exe
Google Toolbar for Firefox --> MsiExec.exe /X{2CCBABCB-6427-4A55-B091-49864623C43F}
GPL MPEG-1/2 DirectShow Decoder Filter --> MsiExec.exe /I{870815CA-6B60-47B6-88DD-A67F42D2F03E}
Hold'em Analyzer 3.2 --> MsiExec.exe /X{7D127E3D-5E10-4572-BD9D-7B2A74B0ECFA}
Java™ 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
JL Analyzer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{2E502BC8-0CE3-49A8-9E81-DEADFF728209}\setup.exe"
Just BASIC v1.01 --> C:\Program Files\Just BASIC v1.01\uninstall.exe
K-Lite Codec Pack 3.2.5 Standard --> "C:\Program Files\K-Lite Codec Pack\unins000.exe"
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Kaspersky Anti-Virus 7.0 --> MsiExec.exe /I{4B9BB601-13E9-4042-A3BC-E7955BF4A98F}
Liberty BASIC v4.03 --> C:\Program Files\Liberty BASIC v4.03\uninstall.exe
LimeWire 4.12.14 --> "C:\Program Files\LimeWire\uninstall.exe"
Mathematica 5.2 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{568AF0D7-B350-40C1-8035-27CD298040ED}
MathGV 3.1 --> C:\WINNT\uninst.exe -f"C:\Program Files\MathGV\MathGV 3_1\DeIsL1.isu" -c"C:\Program Files\MathGV\MathGV 3_1\_ISREG32.DLL"
Microsoft Internet Explorer 6 SP1 --> rundll32 C:\WINNT\system32\setupwbv.dll,IE6Maintenance C:\Program Files\Internet Explorer\IE Uninstall\W2KEXCP.EXE /u
Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{7299052b-02a4-4627-81f2-1818da5d550d}
Mozilla Firefox (1.5) --> C:\Program Files\Mozilla Firefox\uninstall\uninstall.exe /ua "1.5 (en-US)"
MSXML 4.0 SP2 (KB927978) --> MsiExec.exe /I{37477865-A3F1-4772-AD43-AAFC6BCFF99F}
MSXML 4.0 SP2 (KB936181) --> MsiExec.exe /I{C04E32E0-0416-434D-AFB9-6969D703A9EF}
National Instruments Software --> "D:\Program Files\National Instruments\Shared\NIUninstaller\uninst.exe"
Nero - Burning Rom --> MsiExec.exe /X{A4D7B764-4140-11D4-88EB-0050DA3579C0}
Netscape Browser (remove only) --> "C:\Program Files\Netscape\Netscape Browser\NSUninst.exe"
NLREG -- Nonlinear Regression --> C:\WINNT\IsUninst.exe -f"C:\Program Files\NLREG\Uninst.isu"
Pro/ENGINEER Student Edition Release 2001 Datecode 2001150 --> "C:\Program Files\proe2001\uninstall\i486_nt\obj\psuninst.exe" "C:\Program Files\proe2001\uninstall\instlog.txt"
QuickTime Alternative 1.81 --> "D:\Program Files\QuickTime Alternative\unins000.exe"
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
SBC Yahoo! Dial (remove only) --> "C:\WINNT\..\Program Files\SBC Yahoo!\Connection Manager\uninst.exe"
SBC Yahoo! DSL --> C:\PROGRA~1\Yahoo!\browser\unyb.exe
SBC Yahoo! DSL Utilities --> C:\PROGRA~1\Yahoo!\Common\unwise.exe /S C:\PROGRA~1\Yahoo!\Common\install.log
SBC Yahoo! Internet Mail --> C:\WINNT\system32\regsvr32 /u /s C:\WINNT\DOWNLO~1\ymmapi.dll
SBC Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
SBC Yahoo! Parental Controls --> C:\PROGRA~1\Yahoo!\PARENT~1\unypc.exe
Security Update for Windows 2000 (KB923689) --> "C:\WINNT\$NtUninstallKB923689$\spuninst\spuninst.exe"
Security Update for Windows 2000 (KB941569) --> "C:\WINNT\$NtUninstallKB941569$\spuninst\spuninst.exe"
SlowView --> "C:\Program Files\SlowView\Uninstall.exe"
Weather Services --> C:\WINNT\system32\control.exe C:\WINNT\system32\wxfw.cpl,4
Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe"
Windows Genuine Advantage v1.3.0254.0 --> MsiExec.exe /I{63569CE9-FA00-469C-AF5C-E5D4D93ACF91}
Windows Media Player 9 Hotfix [See KB885492 for more information] --> C:\WINNT\$NtUninstallKB885492$\spuninst\spuninst.exe
Windows Media Player system update (9 Series) --> C:\PROGRA~1\WINDOW~2\setup_wm.exe /Uninstall
Winfoil V2.2 --> C:\WINNT\uninst.exe -fc:\Winfoil\DeIsL1.isu -cc:\Winfoil\_ISREG32.DLL
WinMX --> C:\Program Files\WinMX\uninstall.exe
WinZip --> "D:\WinZip\WINZIP32.EXE" /uninstall
Wolfram Notebook Indexer 1.1 --> MsiExec.exe /I{E24A7D40-D12E-4A11-8DEC-7BB21BE4614D}
Yahoo! Login --> C:\WINNT\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ylogin.dll
Yahoo! Messenger Explorer Bar --> C:\WINNT\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\MESSEN~1\yhexbmes.dll


-- Application Event Log -------------------------------------------------------

Event Record #/Type1368 / Error
Event Submitted/Written: 06/13/2008 11:34:27 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: Kaspersky Anti-Virus 7.0 -- You must restart your computer before proceeding with the installation.

Event Record #/Type1366 / Error
Event Submitted/Written: 06/13/2008 11:32:49 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: Kaspersky Anti-Virus 7.0 -- You must restart your computer before proceeding with the installation.

Event Record #/Type1363 / Error
Event Submitted/Written: 06/13/2008 11:32:29 PM
Event ID/Source: 10005 / MsiInstaller
Event Description:
Product: Kaspersky Anti-Virus 7.0 -- You must restart your computer before proceeding with the installation.

Event Record #/Type1354 / Error
Event Submitted/Written: 06/08/2008 10:11:50 AM
Event ID/Source: 1000 / Microsoft Internet Explorer
Event Description:
iexplore.exe6.0.2800.1106contenttool.dll2.8.0.0000047c2



-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.


-- System Event Log ------------------------------------------------------------

Event Record #/Type11538 / Error
Event Submitted/Written: 06/14/2008 03:18:26 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Kaspersky Anti-Virus 7.0 service failed to start due to the following error:
%%1053

Event Record #/Type11537 / Error
Event Submitted/Written: 06/14/2008 03:18:26 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Kaspersky Anti-Virus 7.0 service to connect.

Event Record #/Type11536 / Error
Event Submitted/Written: 06/14/2008 03:18:26 AM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The Kaspersky Anti-Virus 7.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Event Record #/Type11534 / Warning
Event Submitted/Written: 06/13/2008 11:47:34 PM
Event ID/Source: 2013 / Srv
Event Description:
The E: disk is at or near capacity. You may need to delete some files.

Event Record #/Type11531 / Warning
Event Submitted/Written: 06/13/2008 11:43:30 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 00134630F32D. The IP address being used is 169.254.44.115.



-- End of Deckard's System Scanner: finished at 2008-06-14 03:57:51 ------------

%SystemRoot%\system32\ntdll.dll
%SystemRoot%\system32\kernel32.dll
%SystemRoot%\system32\msvcrt.dll
%SystemRoot%\system32\user32.dll
%SystemRoot%\system32\gdi32.dll
%SystemRoot%\system32\shlwapi.dll
%SystemRoot%\system32\advapi32.dll
%SystemRoot%\system32\rpcrt4.dll
%SystemRoot%\system32\shdocvw.dll
%SystemRoot%\system32\crypt32.dll
%SystemRoot%\system32\msasn1.dll
%SystemRoot%\system32\cryptui.dll
%SystemRoot%\system32\wintrust.dll
%SystemRoot%\system32\imagehlp.dll
%SystemRoot%\system32\oleaut32.dll
%SystemRoot%\system32\ole32.dll
%SystemRoot%\system32\netapi32.dll
%SystemRoot%\system32\wininet.dll
%SystemRoot%\system32\wldap32.dll
%SystemRoot%\system32\version.dll
%SystemRoot%\system32\riched20.dll
%SystemRoot%\system32\shell32.dll
%SystemRoot%\system32\comctl32.dll
%SystemRoot%\system32\rpcss.dll
%SystemRoot%\system32\uxtheme.dll
%SystemRoot%\system32\msctf.dll
%SystemRoot%\system32\imm32.dll
%SystemRoot%\system32\browseui.dll
%SystemRoot%\system32\browselc.dll
%SystemRoot%\system32\apphelp.dll
%SystemRoot%\system32\clbcatq.dll
%SystemRoot%\system32\comres.dll
%SystemRoot%\system32\secur32.dll
%SystemRoot%\system32\urlmon.dll
%SystemRoot%\system32\cscui.dll
%SystemRoot%\system32\cscdll.dll
%SystemRoot%\system32\setupapi.dll
%SystemRoot%\system32\mshtml.dll
%SystemRoot%\system32\msls31.dll
%SystemRoot%\system32\shdoclc.dll
%SystemRoot%\system32\xpsp2res.dll
%SystemRoot%\system32\mlang.dll
%SystemRoot%\system32\msi.dll
%SystemRoot%\system32\userenv.dll
%SystemRoot%\system32\sxs.dll
%SystemRoot%\system32\msimtf.dll
%SystemRoot%\system32\url.dll
%SystemRoot%\system32\winmm.dll
%SystemRoot%\system32\drprov.dll
%SystemRoot%\system32\ntlanman.dll
%SystemRoot%\system32\netui0.dll
%SystemRoot%\system32\netui1.dll
%SystemRoot%\system32\netrap.dll
%SystemRoot%\system32\samlib.dll
%SystemRoot%\system32\davclnt.dll
%SystemRoot%\system32\shgina.dll
%SystemRoot%\system32\msgina.dll
%SystemRoot%\system32\winsta.dll
%SystemRoot%\system32\odbc32.dll
%SystemRoot%\system32\odbcint.dll
%SystemRoot%\system32\msacm32.dll
%SystemRoot%\system32\midimap.dll
%SystemRoot%\system32\wsock32.dll
%SystemRoot%\system32\ws2_32.dll
%SystemRoot%\system32\ws2help.dll
%SystemRoot%\system32\mswsock.dll
%SystemRoot%\system32\hnetcfg.dll
%SystemRoot%\system32\wshtcpip.dll
%SystemRoot%\system32\rasapi32.dll
%SystemRoot%\system32\rasman.dll
%SystemRoot%\system32\tapi32.dll
%SystemRoot%\system32\rtutils.dll
%SystemRoot%\system32\msv1_0.dll
%SystemRoot%\system32\iphlpapi.dll
%SystemRoot%\system32\sensapi.dll
%SystemRoot%\system32\rasadhlp.dll
%SystemRoot%\system32\dnsapi.dll
%SystemRoot%\system32\winrnr.dll
%SystemRoot%\system32\jsproxy.dll
%SystemRoot%\system32\jscript.dll
%SystemRoot%\system32\security.dll
%SystemRoot%\system32\atl.dll
%SystemRoot%\system32\shimeng.dll
%SystemRoot%\system32\rsaenh.dll
%SystemRoot%\system32\msvcp60.dll
%SystemRoot%\system32\vbscript.dll
%SystemRoot%\system32\mfc42.dll
%SystemRoot%\system32\iepeers.dll
%SystemRoot%\system32\ddraw.dll
%SystemRoot%\system32\ddrawex.dll
%SystemRoot%\system32\dciman32.dll
%SystemRoot%\system32\mshtmled.dll
%SystemRoot%\system32\inetcpl.cpl
%SystemRoot%\system32\stdole2.tlb
%SystemRoot%\system32\wdmaud.drv
%SystemRoot%\system32\msacm32.drv
%SystemRoot%\system32\winspool.drv
%SystemRoot%\system32\winlogon.exe
%ProgramFiles%\Messenger\msmsgs.exe

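The System Event Log section of the log above records the Kaspersky Anti-Virus 7.0 service terminating unexpectedly (7031), timing out (7009) and failing to start (7000) all within the same second, the morning after the MsiInstaller errors say its installation was still waiting on a restart. Here is an added example, not part of pfeid's post and not code from Deckard's System Scanner: a Python parser for that record layout with a small detection run over it. It picks out Service Control Manager failure events whose description names a watched security product and clusters them in time, so that a burst of failures for one product stands out from a single isolated crash. The sample records are constructed in the DSS layout from the lines above; the watch-list of service names and the set of SCM event IDs are assumptions for the example.

```python
import re
from datetime import datetime

# Constructed sample in the event-record layout Deckard's System Scanner uses
# (same shape as the System Event Log section of pfeid's log; not copied verbatim).
SAMPLE_EVENTS = """\
Event Record #/Type11538 / Error
Event Submitted/Written: 06/14/2008 03:18:26 AM
Event ID/Source: 7000 / Service Control Manager
Event Description:
The Kaspersky Anti-Virus 7.0 service failed to start due to the following error:
%%1053

Event Record #/Type11537 / Error
Event Submitted/Written: 06/14/2008 03:18:26 AM
Event ID/Source: 7009 / Service Control Manager
Event Description:
Timeout (30000 milliseconds) waiting for the Kaspersky Anti-Virus 7.0 service to connect.

Event Record #/Type11536 / Error
Event Submitted/Written: 06/14/2008 03:18:26 AM
Event ID/Source: 7031 / Service Control Manager
Event Description:
The Kaspersky Anti-Virus 7.0 service terminated unexpectedly. It has done this 1 time(s). The following corrective action will be taken in 0 milliseconds: Restart the service.

Event Record #/Type11531 / Warning
Event Submitted/Written: 06/13/2008 11:43:30 PM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 00134630F32D. The IP address being used is 169.254.44.115.
"""

HEADER_RE = re.compile(r"^Event Record #/Type(?P<record>\d+) / (?P<type>\w+)$")
TIME_RE = re.compile(r"^Event Submitted/Written: (?P<ts>.+)$")
IDSRC_RE = re.compile(r"^Event ID/Source: (?P<id>\d+) / (?P<source>.+)$")


def parse_dss_events(text):
    """Split a DSS event-log section into records; multi-line descriptions are joined."""
    events, cur, in_desc = [], None, False
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = {"record": int(m.group("record")), "type": m.group("type"), "lines": []}
            events.append(cur)
            in_desc = False
            continue
        if cur is None:
            continue
        if in_desc:
            if line.strip():
                cur["lines"].append(line.strip())
        elif TIME_RE.match(line):
            ts = TIME_RE.match(line).group("ts")
            cur["time"] = datetime.strptime(ts, "%m/%d/%Y %I:%M:%S %p")
        elif IDSRC_RE.match(line):
            m = IDSRC_RE.match(line)
            cur["event_id"], cur["source"] = int(m.group("id")), m.group("source")
        elif line == "Event Description:":
            in_desc = True
    for e in events:
        e["description"] = " ".join(e.pop("lines"))
    return events


# Service Control Manager IDs for a service failing to start, hanging, or dying.
# This set and the watch-list below are assumptions made for the example.
SCM_FAILURE_IDS = {7000, 7009, 7031, 7034}
SECURITY_SERVICES = ("Kaspersky Anti-Virus",)


def security_service_failures(events):
    """SCM failure events whose description names a watched security product."""
    return [e for e in events
            if e.get("source") == "Service Control Manager"
            and e.get("event_id") in SCM_FAILURE_IDS
            and any(name in e["description"] for name in SECURITY_SERVICES)]


def cluster_by_time(hits, window_seconds=60):
    """Group hits that fall within window_seconds of the previous one.

    A 7031/7009/7000 burst for one product is the service dying and then failing
    to come back, which reads differently from a single isolated crash."""
    clusters = []
    for e in sorted(hits, key=lambda ev: ev["time"]):
        if clusters and (e["time"] - clusters[-1][-1]["time"]).total_seconds() <= window_seconds:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


if __name__ == "__main__":
    hits = security_service_failures(parse_dss_events(SAMPLE_EVENTS))
    for group in cluster_by_time(hits):
        ids = ", ".join(str(e["event_id"]) for e in group)
        print(f"{group[0]['time']:%Y-%m-%d %H:%M:%S}  {len(group)} SCM failure(s): {ids}")
```

Run as a script it prints one line per cluster; on the constructed sample that is a single cluster of three SCM failures at 03:18:26, with the DHCP warning left out because its source is not the Service Control Manager. The DSS format puts the description on the lines after `Event Description:`, so the parser stays in description mode until the next `Event Record` header rather than assuming one line.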
#2 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:11:59 AM

Posted 15 June 2008 - 01:20 PM

Hello Pfeid and welcome to BleepingComputer,

1. * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Under Browsing History, click Delete.
  • Click Delete Files, Delete cookies and Delete history
  • Click Close below.
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu.
  • Click the Clear now button below. A new window will pop up asking what to clear.
  • Select all and click the Clear button again.
  • Click OK to close the Options window
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
2. Please download Malwarebytes' Anti-Malware from Here or Here

Doubleclick mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

3. Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure you read this guide carefully and install the Recovery Console first (not for Windows Vista users!).
The Windows Recovery Console will allow you to boot up into a special recovery mode, in case your computer has a problem after an attempted removal of malware. This allows us to help you. (WinXP SP3 users, please download the appropriate SP2 file, Home or Pro, to install the RC)

In the event you already have Combofix, delete your current version and download the latest version as described in the tutorial.
It must be saved directly to your desktop.


Note: Make sure not to click ComboFix's window while it's running. That may cause it to stall or freeze.

Please post the log from ComboFix (can also be found as C:\ComboFix.txt) in your next reply.

If you have any questions along the way, STOP and ask them before proceeding!

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
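Step 2 of Thunder's instructions asks for the MBAM report to be posted back, and the reply that follows carries one with several hundred detection lines. The following is an added example, not part of the thread and not Malwarebytes' own tooling: a Python parser for the Malwarebytes' Anti-Malware 1.x log layout that groups detections by family, lists any entry whose action was not a completed quarantine, and pulls out the registry entries that matter most for deciding whether the machine is actually clean: a service/driver registration (the Rootkit.Agent entry under \Services\ in the posted log), a Browser Helper Object, and the Policies\System values that hide the Display Properties Background and Screen Saver tabs so the user cannot remove a rogue's warning wallpaper. The sample report is constructed in that layout; the persistence markers and the "Delete on reboot." action string are assumptions about the format rather than lines taken from the thread.

```python
import re
from collections import Counter

# Constructed sample in the Malwarebytes' Anti-Malware 1.x log layout (same shape as
# the report posted in the thread). Families and paths mirror that report; the
# "Delete on reboot." action string is an assumption about the format.
SAMPLE_LOG = r"""
Malwarebytes' Anti-Malware 1.18
Database version: 879

Scan type: Quick Scan
Registry Keys Infected: 3
Files Infected: 2

Memory Processes Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{be2ed590-ca49-46b5-8cce-244fb2e0d1aa} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{be2ed590-ca49-46b5-8cce-244fb2e0d1aa} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\system32\101.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\102.tmp (Trojan.FakeAlert) -> Delete on reboot.
"""

SECTION_RE = re.compile(r"^(?P<section>[A-Za-z ]+) Infected:$")
ENTRY_RE = re.compile(r"^(?P<item>.+) \((?P<family>[A-Za-z0-9_.]+)\)$")
CLEAN_ACTION = "Quarantined and deleted successfully"

# Registry locations that give a component a foothold beyond the current session.
# Assumed markers chosen for this example, not a notion MBAM itself has.
PERSISTENCE_MARKERS = ("\\services\\", "\\browser helper objects\\", "\\run\\", "\\runonce\\")


def parse_mbam_log(text):
    """Return one dict per detection line: section, item, family, detail, action."""
    entries, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:                      # "Registry Keys Infected:" (the summary "…: 24" lines do not match)
            section = m.group("section")
            continue
        if section is None or line.startswith("(No malicious items detected)"):
            continue
        parts = line.split(" -> ")  # item (Family) -> [Bad/Good detail ->] action.
        m = ENTRY_RE.match(parts[0]) if len(parts) >= 2 else None
        if not m:
            continue
        entries.append({
            "section": section,
            "item": m.group("item"),
            "family": m.group("family"),
            "detail": " ".join(parts[1:-1]),   # e.g. "Bad: (1) Good: (0)" for data items
            "action": parts[-1].rstrip("."),
        })
    return entries


def triage(entries):
    """Summarise a parsed report for the 'is it really clean?' question."""
    return {
        "families": Counter(e["family"] for e in entries),
        # Anything not fully removed needs the reboot MBAM asks for, or a second pass.
        "pending": [e for e in entries if e["action"] != CLEAN_ACTION],
        # Service/driver and IE-extension registrations: reinfection or rootkit risk.
        "persistence": [e for e in entries
                        if e["section"] == "Registry Keys"
                        and any(mk in e["item"].lower() for mk in PERSISTENCE_MARKERS)],
        # Policy values a rogue flips to lock the user out of Display Properties.
        "policy_hijacks": [e for e in entries if e["section"] == "Registry Data Items"],
    }


if __name__ == "__main__":
    report = triage(parse_mbam_log(SAMPLE_LOG))
    for family, n in report["families"].most_common():
        print(f"{n:4d}  {family}")
    for key in ("pending", "persistence", "policy_hijacks"):
        for e in report[key]:
            print(f"[{key}] {e['item']} ({e['family']}) -> {e['action']}")
```

The split on `" -> "` is deliberate: data-item lines carry a `Bad: (1) Good: (0)` segment between the family and the action, so the action is always the last segment and the detail is whatever sits between. A "pending" list that is not empty after the scan is the reason the instructions above insist on rebooting when MBAM asks.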

#3 pfeid

pfeid
  • Topic Starter

  • Members
  • 9 posts
  • OFFLINE
  •  
  • Local time:04:59 AM

Posted 22 June 2008 - 10:06 PM

I followed Thunder's instructions. Here are Malwarebytes' and ComboFix's logs:

Malwarebytes' Anti-Malware 1.18
Database version: 879

15:46:10 2008-06-22
mbam-log-6-22-2008 (15-46-10).txt

Scan type: Quick Scan
Objects scanned: 37549
Time elapsed: 21 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 24
Registry Values Infected: 2
Registry Data Items Infected: 3
Folders Infected: 24
Files Infected: 277

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CLASSES_ROOT\CLSID\{5015bf9d-173c-474b-9af3-77d4d23a4135} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{5ed7d3de-6dbe-4516-8712-01b1b64b7057} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{85e0b171-04fa-11d1-b7da-00a0c90348a7} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{92c3f342-45da-4511-853a-b3836aaff5f5} (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{90b5a95a-afd5-4d11-b9bd-a69d53d22226} (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{8109fd3d-d891-4f80-8339-50a4913ace6f} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{85e06077-c824-43d0-a8dc-5efb17bc348a} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{5937cd7f-1c0b-41e1-9075-60ebdf3c7d34} (Adware.Zango) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b1e22eb8-2ae8-4e8e-96ae-74f2a1764533} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{bdbebf18-7615-4971-9ac3-bd6ffb7ad6c1} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{be2ed590-ca49-46b5-8cce-244fb2e0d1aa} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{be2ed590-ca49-46b5-8cce-244fb2e0d1aa} (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dlp.dlpobj.1 (Adware.WebDir) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\UpMedia (Adware.SmartShopper) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Software Notifier (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Weather Services (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\{9a9c9b68-f908-4aab-8d0c-10ea8997f37e} (Adware.Mirar) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\ (Adware.WebDir) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\StartMenuLogOff (Hijack.StartMenu) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispBackgroundPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\NoDispScrSavPage (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Documents and Settings\Administrator\Application Data\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPDefender\AXPDefender (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPDefender\AXPDefender\Quarantine (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPDefender\AXPDefender\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPDefender\AXPDefender\Quarantine\BrowserObjects (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPDefender\AXPDefender\Quarantine\Packages (Rogue.AdvancedXPDefender) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPFixer\AXPFixer (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPFixer\AXPFixer\Quarantine (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKCU\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\HKLM\RunOnce (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuAllUsers (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPFixer\AXPFixer\Quarantine\Autorun\StartMenuCurrentUser (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPFixer\AXPFixer\Quarantine\BrowserObjects (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Application Data\AXPFixer\AXPFixer\Quarantine\Packages (Rogue.AdvancedXPFixer) -> Quarantined and deleted successfully.

Files Infected:
C:\WINNT\IECodecPl.dll (Adware.WebDir) -> Quarantined and deleted successfully.
C:\WINNT\system32\101.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\102.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\104.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\105.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\106.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\107.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\108.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\10A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\10D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\110.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\111.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\112.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\113.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\114.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\116.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\117.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\118.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\11A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\11B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\11C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\11D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\11E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\121.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\123.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\125.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\129.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\12D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\131.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\135.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\138.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\139.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\13B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\13E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\13F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\141.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\142.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\145.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\148.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\14B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\14D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\14E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\14F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\151.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\153.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\154.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\156.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\157.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\159.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\15A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\15C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\15D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\15F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\160.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\162.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\163.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\165.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\166.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\169.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\16A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\16F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\17.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\172.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\175.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\182.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\19B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\19E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1A1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1A4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1A7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1AA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1B2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1B5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1B8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1BB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1BC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1BE.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1BF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1C1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1C2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1C5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1C6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1C9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1CA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1CC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1CF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1D2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1D4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1D5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\1FD.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\20.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\200.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\203.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\208.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\20B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\20E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\211.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\214.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\217.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\21A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\23.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\24.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\242.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\25.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\255.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\25A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\26.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\261.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\264.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\29.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\2C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\2F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\30.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\31.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\33.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\36.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\37.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\39.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\3C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\3D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\3E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\3F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\40.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\41.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\43.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\46.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\4A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\4C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\4D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\4E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\50.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\51.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\53.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\54.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\55.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\58.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\59.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\5C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\5D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\5E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\5F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\60.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\61.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\62.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\63.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\65.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\66.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\67.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\68.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\69.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\6A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\6B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\6C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\6D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\6E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\6F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\70.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\71.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\72.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\73.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\74.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\75.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\76.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\77.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\78.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\79.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\7A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\7B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\7C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\7D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\7E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\7F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\80.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\81.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\82.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\83.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\84.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\85.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\86.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\87.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\88.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\89.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\8A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\8B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\8C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\8D.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\8E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\8F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\90.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\91.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\92.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\93.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\94.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\95.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\96.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\97.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\98.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\99.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\9A.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\9B.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\9C.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\9E.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\9F.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\A0.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\A5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\A6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\A7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\A8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\A9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\AA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\AB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\AE.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\B3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\B6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\B7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\B9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\BC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\BD.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\BF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\blphc348j0ep3r.scr (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\C0.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\C1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\C4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\C6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\C7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\C8.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\CA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\CB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\CD.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\D2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\D7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\D9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\DA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\DB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\DC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\DD.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\DE.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\DF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\E0.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\E1.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\E2.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\E3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\E4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\E5.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\E6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\E7.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\E9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\EA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\EB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\EC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\ED.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\EF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\F0.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\F3.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\F4.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\F6.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\F9.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\FA.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\FB.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\FC.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\FE.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\system32\FF.tmp (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINNT\1-fe5e180d56ed9c233080898276c260cc.exe (Adware.SmartShopper) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\dat63.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt4.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt5.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt6.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt7.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.tt8.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttA.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttD.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Administrator\Local Settings\Temp\.ttF.tmp (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINNT\system32\sysrest.sys (Rootkit.Agent) -> Quarantined and deleted successfully.
C:\WINNT\system32\sysrest32.exe (Rootkit.Agent) -> Delete on reboot.

ComboFix 08-06-20.4 - Administrator 2008-06-22 9:21:01.2 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.130 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Application Data\Microsoft\Internet Explorer\Quick Launch\Malware Protector 2008.lnk
C:\Documents and Settings\Administrator\Application Data\rhc748j0ep3r
C:\Documents and Settings\Administrator\Application Data\shc548j0ep3r
C:\Documents and Settings\All Users.WINNT\Desktop\Malware Protector 2008.lnk
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Malware Protector 2008
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Malware Protector 2008.lnk
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Malware Protector 2008\How to Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Malware Protector 2008\License Agreement.lnk
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Malware Protector 2008\Malware Protector 2008.lnk
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Malware Protector 2008\Register Malware Protector 2008.lnk
C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Malware Protector 2008\Uninstall.lnk
C:\Program Files\shc548j0ep3r
C:\RECYCLER\desktopA.sys
C:\WINNT\system32\blphc348j0ep3r.scr
C:\WINNT\system32\lphc348j0ep3r.exe
C:\WINNT\system32\phc348j0ep3r.bmp
C:\WINNT\system32\pphc348j0ep3r.exe
C:\WINNT\system32\winnb58.dll
C:\WINNT\Web\default.htt

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_SYSREST.SYS


((((((((((((((((((((((((( Files Created from 2008-05-22 to 2008-06-22 )))))))))))))))))))))))))))))))
.

2008-06-22 20:16 . 08-06-22 19:56 52,736 --a------ C:\WINNT\system32\A4.tmp
2008-06-22 19:55 . 08-06-22 19:40 52,736 --a------ C:\WINNT\system32\A0.tmp
2008-06-22 19:40 . 08-06-22 19:27 52,736 --a------ C:\WINNT\system32\9C.tmp
2008-06-22 19:27 . 08-06-22 19:15 52,736 --a------ C:\WINNT\system32\93.tmp
2008-06-22 19:15 . 08-06-22 19:04 52,736 --a------ C:\WINNT\system32\8E.tmp
2008-06-22 19:04 . 08-06-22 18:52 52,736 --a------ C:\WINNT\system32\8A.tmp
2008-06-22 18:52 . 08-06-22 18:40 52,736 --a------ C:\WINNT\system32\85.tmp
2008-06-22 18:40 . 08-06-22 18:29 52,736 --a------ C:\WINNT\system32\81.tmp
2008-06-22 18:29 . 08-06-22 18:18 52,736 --a------ C:\WINNT\system32\7D.tmp
2008-06-22 18:18 . 08-06-22 18:08 52,736 --a------ C:\WINNT\system32\7A.tmp
2008-06-22 18:08 . 08-06-22 17:57 52,736 --a------ C:\WINNT\system32\75.tmp
2008-06-22 17:57 . 08-06-22 17:47 52,736 --a------ C:\WINNT\system32\71.tmp
2008-06-22 17:47 . 08-06-22 17:37 52,736 --a------ C:\WINNT\system32\6B.tmp
2008-06-22 17:37 . 08-06-22 17:27 52,736 --a------ C:\WINNT\system32\62.tmp
2008-06-22 17:27 . 08-06-22 17:16 52,736 --a------ C:\WINNT\system32\5C.tmp
2008-06-22 17:16 . 08-06-22 17:06 52,736 --a------ C:\WINNT\system32\57.tmp
2008-06-22 15:16 . 08-06-22 15:16 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-22 15:15 . 08-06-22 15:16 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-22 15:15 . 08-06-22 15:15 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Malwarebytes
2008-06-22 15:15 . 08-06-19 17:48 34,296 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-06-22 15:15 . 08-06-19 17:47 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-06-22 09:31 . 08-06-22 09:31 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\rhc748j0ep3r
2008-06-22 09:17 . 08-06-22 09:34 <DIR> d-------- C:\ComboFix
2008-06-21 09:37 . 08-06-21 09:38 <DIR> d-------- C:\Program Files\rhc748j0ep3r
2008-06-14 03:53 . 08-06-14 03:53 <DIR> d-------- C:\Deckard
2008-06-14 03:53 . 08-06-14 03:53 <DIR> d-------- C:\Deckard
2008-06-13 23:39 . 08-06-13 23:39 91,700 --a------ C:\WINNT\system32\drivers\klin.dat
2008-06-13 23:39 . 08-06-13 23:39 85,860 --a------ C:\WINNT\system32\drivers\klick.dat
2008-06-13 23:38 . 08-06-13 23:38 <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-13 23:38 . 08-06-22 15:50 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Kaspersky Lab
2008-06-13 23:31 . 08-06-22 09:29 3,021,344 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2008-06-13 23:31 . 08-06-22 09:29 28,472 --ahs---- C:\WINNT\system32\drivers\fidbox.idx
2008-06-13 23:31 . 08-06-22 09:31 18,208 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
2008-06-13 23:31 . 08-06-22 09:29 3,800 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx
2008-06-13 23:29 . 08-06-13 23:29 <DIR> d-------- C:\kav
2008-06-13 23:29 . 08-06-13 23:29 <DIR> d-------- C:\kav
2008-06-11 19:06 . 08-06-11 19:06 206 --a------ C:\WINNT\system32\MRT.INI
2008-06-08 11:42 . 08-06-11 18:37 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-08 11:42 . 08-06-11 19:34 <DIR> d-a------ C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy
2008-06-08 11:10 . 08-06-08 11:10 <DIR> d-------- C:\Program Files\AVG
2008-06-08 11:10 . 08-06-08 11:12 <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\avg8
2008-06-08 11:10 . 08-06-08 11:10 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-06-08 11:08 . 08-06-08 11:08 <DIR> d-------- C:\WINNT\winsxs
2008-06-08 10:41 . 02-05-15 15:16 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-06-08 10:41 . 02-05-15 15:16 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-06-08 10:41 . 02-05-15 15:16 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-06-08 10:41 . 02-05-15 15:16 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-06-08 10:41 . 02-05-15 15:16 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-06-02 20:32 . 08-06-02 20:32 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-06-02 20:32 . 07-06-03 14:31 10,752 --a------ C:\WINNT\system32\ff_vfw.dll
2008-06-02 20:31 . 08-06-08 13:49 <DIR> d-------- C:\WINNT\system32\quicktime
2008-06-02 20:19 . 08-06-02 20:19 36 ---h----- C:\WINNT\system32\swk.ini
2008-06-02 20:06 . 08-06-02 20:06 <DIR> d-------- C:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-08 16:26 374 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb6334.dat
2008-06-08 16:22 --------- d---a-w C:\Documents and Settings\All Users.WINNT\Application Data\TEMP
2008-06-08 15:36 555 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb8467.dat
2008-06-08 15:36 18,432 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb41.dat
2008-05-30 19:19 --------- d-----w C:\Program Files\Liberty BASIC v4.03
2008-05-09 00:17 --------- d-----w C:\Program Files\Just BASIC v1.01
2008-05-02 21:37 --------- d-----w C:\Program Files\proe2001
2008-04-30 07:03 791,824 ----a-w C:\WINNT\system32\quartz.dll
2008-04-23 04:56 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-23 03:44 --------- d-----w C:\Program Files\Snapshot Viewer
2008-04-23 00:26 --------- d-----w C:\Documents and Settings\Administrator\Application Data\LimeWire
2008-04-18 13:55 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-03-27 07:13 151,583 ----a-w C:\WINNT\system32\msjint40.dll
2008-03-27 07:06 355,104 ----a-w C:\WINNT\system32\msxbde40.dll
2008-03-27 07:05 838,432 ----a-w C:\WINNT\system32\mswdat10.dll
2008-03-27 07:05 621,344 ----a-w C:\WINNT\system32\mswstr10.dll
2008-03-27 07:05 264,992 ----a-w C:\WINNT\system32\mstext40.dll
2008-03-27 07:04 559,904 ----a-w C:\WINNT\system32\msrepl40.dll
2008-03-27 07:04 432,928 ----a-w C:\WINNT\system32\msrd2x40.dll
2008-03-27 07:04 322,336 ----a-w C:\WINNT\system32\msrd3x40.dll
2008-03-27 07:03 355,104 ----a-w C:\WINNT\system32\mspbde40.dll
2008-03-27 07:03 248,608 ----a-w C:\WINNT\system32\msjtes40.dll
2008-03-27 07:03 219,936 ----a-w C:\WINNT\system32\msltus40.dll
2008-03-27 07:02 60,192 ----a-w C:\WINNT\system32\msjter40.dll
2008-03-27 07:02 355,112 ----a-w C:\WINNT\system32\msjetoledb40.dll
2008-03-27 07:01 1,516,568 ----a-w C:\WINNT\system32\msjet40.dll
2008-03-27 07:00 518,944 ----a-w C:\WINNT\system32\msexch40.dll
2008-03-27 07:00 326,432 ----a-w C:\WINNT\system32\msexcl40.dll
2006-04-02 20:28 6,322 -c--a-w C:\Program Files\DeIsL1.isu
2006-04-02 20:27 147 -c--a-w C:\Program Files\_DEISREG.ISR
2005-12-09 00:58 691 ----a-w C:\Program Files\Super GameHouse Solitaire.lnk
2005-12-09 00:56 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-12-04 17:03 271 ---h--w C:\Program Files\desktop.ini
2005-12-04 17:03 21,952 ---h--w C:\Program Files\folder.htt
2005-08-13 00:24 70,783 -c--a-w C:\Program Files\blokken2005.str
2005-02-13 23:57 66,499 -c--a-w C:\Program Files\blokken2003.str
2000-07-17 03:57 560,128 -c--a-w C:\Program Files\HTMLViewer.exe
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
1999-04-08 16:18 49,152 -c--a-w C:\Program Files\_ISREG32.DLL
2007-02-08 15:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [08-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [03-06-19 14:05 111376 C:\WINNT\system32\mobsync.exe]
"Matrox Powerdesk"="C:\WINNT\System32\PDesk.exe" [00-02-11 14:26 462848]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [05-12-09 01:30 35328]
"mwc"="C:\Program Files\Mouse Wheel Control\mwc.exe" [ ]
"NeroCheck"="C:\WINNT\system32\\NeroCheck.exe" [01-07-09 05:50 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [07-08-01 20:42 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [08-02-22 04:25 144784]
"sysrest32.exe"="C:\WINNT\system32\sysrest32.exe" [ ]
"SMrhc748j0ep3r"="C:\Program Files\rhc748j0ep3r\rhc748j0ep3r.exe" [08-06-21 13:22 1642496]
"SMshc548j0ep3r"="C:\Program Files\shc548j0ep3r\shc548j0ep3r.exe" [ ]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [08-02-08 18:36 227856]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [03-06-19 14:05 186640]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R2 cvintdrv;cvintdrv;C:\WINNT\system32\drivers\cvintdrv.sys [07-02-21 10:00 ]
R2 PPPoEService;PPPoE Service;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe [00-07-11 11:48 ]
R3 DXE101;Dynex DX-E101 NDIS Driver;C:\WINNT\system32\DRIVERS\DXE101.SYS [04-02-05 15:06 ]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINNT\system32\DRIVERS\klim5.sys [07-12-13 13:28 ]
R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;C:\WINNT\system32\DRIVERS\ntspppoe.sys [01-08-03 12:32 ]
R3 Winacpci;Winacpci;C:\WINNT\system32\DRIVERS\winacpci.sys [99-09-24 18:55 ]
S3 Amps2prt;Compatible PS/2 Port Mouse Driver;C:\WINNT\system32\DRIVERS\Amps2prt.sys [05-01-14 02:23 ]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [99-10-23 07:22 ]
S3 NTSTAP1;NTSTAP1;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\NTSTAP1.SYS [01-08-07 13:14 ]
S3 NTSTAP2;NTSTAP2;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\NTSTAP2.SYS [01-08-07 13:14 ]
S3 RAWESR;RAWESR;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\RAWESR.SYS [01-08-06 11:43 ]
S3 TAPBIND;TAPBIND;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\TAPBIND1.SYS [01-08-07 13:07 ]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-22 09:32:32
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINNT\explorer.exe
-> ?:\WINNT\System32\TxfAux.Dll
-> ?:\WINNT\System32\TxfAux.Dll
-> ?:\WINNT\System32\TxfAux.Dll
-> ?:\WINNT\System32\TxfAux.Dll
.
Completion time: 2008-06-22 9:41:07 - machine was rebooted [Administrator]
ComboFix-quarantined-files.txt 2008-06-22 14:40:42

Pre-Run: 563,482,624 bytes free
Post-Run: 553,271,296 bytes free

192 --- E O F --- 2008-06-12 00:07:01

Edited by KoanYorel, 23 June 2008 - 10:21 AM.
to merge orphan post with original thread


#4 Thunder

  • Members
  • 3,294 posts
  • Gender:Male
  • Location:Belgium
  • Local time:11:59 AM

Posted 23 June 2008 - 03:25 PM

Hello Pfeid,

I see you didn't install the Recovery Console yet?
Please use the WinXP Home download here:
http://support.microsoft.com/kb/310994
Drag and drop the file onto ComboFix, which will install the Recovery Console for you.

Let's clean up some more:

Open Notepad - don't use any other text editor than Notepad or the script will fail!
Copy/paste the bold, blue text below into an empty Notepad window:

File::
C:\WINNT\system32\A4.tmp
C:\WINNT\system32\A0.tmp
C:\WINNT\system32\9C.tmp
C:\WINNT\system32\93.tmp
C:\WINNT\system32\8E.tmp
C:\WINNT\system32\8A.tmp
C:\WINNT\system32\85.tmp
C:\WINNT\system32\81.tmp
C:\WINNT\system32\7D.tmp
C:\WINNT\system32\7A.tmp
C:\WINNT\system32\75.tmp
C:\WINNT\system32\71.tmp
C:\WINNT\system32\6B.tmp
C:\WINNT\system32\62.tmp
C:\WINNT\system32\5C.tmp
C:\WINNT\system32\57.tmp
Folder::
C:\Documents and Settings\Administrator\Application Data\rhc748j0ep3r
C:\Program Files\rhc748j0ep3r
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"sysrest32.exe"=-
"SMrhc748j0ep3r"=-
"SMshc548j0ep3r"=-

Save this as a text file named CFScript.

Then drag the CFScript onto ComboFix.exe as shown in the screenshot below.

[Screenshot: dragging CFScript onto ComboFix.exe]

This will start ComboFix again. Upon reboot (in case it asks to reboot), post the contents of the ComboFix log in your next reply, as well as a fresh HijackThis log.

Are you still having problems?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
-----------------------------------------------------------------------
If I have helped you in any way, please consider a donation to help me continue the fight against malware.
-----------------------------------------------------------------------

#5 pfeid

  • Topic Starter
  • Members
  • 9 posts
  • Local time:04:59 AM

Posted 25 June 2008 - 09:28 PM

I dragged the WinXP_EN_HOM_BF.EXE file over the ComboFix file on the desktop and received a message stating, "Will only install the Recovery Console for Windows XP". I am running Win 2000, so I created the six bootable floppy disks and an Emergency Repair Disk.

ComboFix 08-06-20.4 - Administrator 06/25/2008 21:00:10.5 - NTFSx86
Microsoft Windows 2000 Professional 5.0.2195.4.1252.1.1033.18.136 [GMT -5:00]
Running from: C:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Administrator\Desktop\CFScript.txt

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINNT\system32\57.tmp
C:\WINNT\system32\5C.tmp
C:\WINNT\system32\62.tmp
C:\WINNT\system32\6B.tmp
C:\WINNT\system32\71.tmp
C:\WINNT\system32\75.tmp
C:\WINNT\system32\7A.tmp
C:\WINNT\system32\7D.tmp
C:\WINNT\system32\81.tmp
C:\WINNT\system32\85.tmp
C:\WINNT\system32\8A.tmp
C:\WINNT\system32\8E.tmp
C:\WINNT\system32\93.tmp
C:\WINNT\system32\9C.tmp
C:\WINNT\system32\A0.tmp
C:\WINNT\system32\A4.tmp
.

((((((((((((((((((((((((( Files Created from 2008-05-26 to 2008-06-26 )))))))))))))))))))))))))))))))
.

2008-06-25 19:52 . 06/25/08 07:52p 16,384 --a----t- C:\WINNT\system32\Perflib_Perfdata_36c.dat
2008-06-22 22:20 . 06/25/08 01:14p 94,208 --a------ C:\WINNT\system32\pphc348j0ep3r.exe
2008-06-22 15:16 . 06/22/08 03:16p <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Malwarebytes
2008-06-22 15:15 . 06/22/08 03:16p <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-06-22 15:15 . 06/22/08 03:15p <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Malwarebytes
2008-06-22 15:15 . 06/19/08 05:48p 34,296 --a------ C:\WINNT\system32\drivers\mbamcatchme.sys
2008-06-22 15:15 . 06/19/08 05:47p 17,144 --a------ C:\WINNT\system32\drivers\mbam.sys
2008-06-14 03:53 . 06/14/08 03:53a <DIR> d-------- C:\Deckard
2008-06-13 23:39 . 06/22/08 09:54p 96,966 --a------ C:\WINNT\system32\drivers\klin.dat
2008-06-13 23:39 . 06/22/08 09:54p 88,774 --a------ C:\WINNT\system32\drivers\klick.dat
2008-06-13 23:38 . 06/13/08 11:38p <DIR> d-------- C:\Program Files\Kaspersky Lab
2008-06-13 23:38 . 06/25/08 01:15p <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\Kaspersky Lab
2008-06-13 23:31 . 06/24/08 11:50p 3,021,344 --ahs---- C:\WINNT\system32\drivers\fidbox.dat
2008-06-13 23:31 . 06/24/08 11:50p 31,016 --ahs---- C:\WINNT\system32\drivers\fidbox.idx
2008-06-13 23:31 . 06/25/08 09:06p 29,472 --ahs---- C:\WINNT\system32\drivers\fidbox2.dat
2008-06-13 23:31 . 06/24/08 11:50p 4,088 --ahs---- C:\WINNT\system32\drivers\fidbox2.idx
2008-06-13 23:29 . 06/13/08 11:29p <DIR> d-------- C:\kav
2008-06-11 19:06 . 06/11/08 07:06p 206 --a------ C:\WINNT\system32\MRT.INI
2008-06-08 11:42 . 06/11/08 06:37p <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-08 11:42 . 06/11/08 07:34p <DIR> d-a------ C:\Documents and Settings\All Users.WINNT\Application Data\Spybot - Search & Destroy
2008-06-08 11:10 . 06/08/08 11:10a <DIR> d-------- C:\Program Files\AVG
2008-06-08 11:10 . 06/08/08 11:12a <DIR> d-------- C:\Documents and Settings\All Users.WINNT\Application Data\avg8
2008-06-08 11:10 . 06/08/08 11:10a <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVGTOOLBAR
2008-06-08 11:08 . 06/08/08 11:08a <DIR> d-------- C:\WINNT\winsxs
2008-06-08 10:41 . 05/15/02 03:16p 462,848 --a------ C:\WINNT\system32\msaatext.dll
2008-06-08 10:41 . 05/15/02 03:16p 360,448 --a------ C:\WINNT\system32\oleacc.dll
2008-06-08 10:41 . 05/15/02 03:16p 360,448 --a--c--- C:\WINNT\system32\dllcache\oleacc.dll
2008-06-08 10:41 . 05/15/02 03:16p 356,352 --a------ C:\WINNT\system32\oleaccrc.dll
2008-06-08 10:41 . 05/15/02 03:16p 356,352 --a--c--- C:\WINNT\system32\dllcache\oleaccrc.dll
2008-06-02 20:32 . 06/02/08 08:32p <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2008-06-02 20:32 . 06/03/07 02:31p 10,752 --a------ C:\WINNT\system32\ff_vfw.dll
2008-06-02 20:31 . 06/08/08 01:49p <DIR> d-------- C:\WINNT\system32\quicktime
2008-06-02 20:19 . 06/02/08 08:19p 36 ---h----- C:\WINNT\system32\swk.ini
2008-06-02 20:06 . 06/02/08 08:06p <DIR> d-------- C:\Program Files\Common Files\Download Manager

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-23 04:29 --------- d-----w C:\Program Files\Liberty BASIC v4.03
2008-06-23 02:54 112,144 ----a-w C:\WINNT\system32\drivers\kl1.sys
2008-06-08 16:26 374 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb6334.dat
2008-06-08 16:22 --------- d---a-w C:\Documents and Settings\All Users.WINNT\Application Data\TEMP
2008-06-08 15:36 555 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb8467.dat
2008-06-08 15:36 18,432 ----a-w C:\Documents and Settings\Administrator\Application Data\internaldb41.dat
2008-05-09 00:17 --------- d-----w C:\Program Files\Just BASIC v1.01
2008-05-02 21:37 --------- d-----w C:\Program Files\proe2001
2008-04-30 07:03 791,824 ----a-w C:\WINNT\system32\quartz.dll
2008-04-18 13:55 575,488 ----a-w C:\WINNT\system32\WININET.DLL
2008-03-27 07:13 151,583 ----a-w C:\WINNT\system32\msjint40.dll
2008-03-27 07:06 355,104 ----a-w C:\WINNT\system32\msxbde40.dll
2008-03-27 07:05 838,432 ----a-w C:\WINNT\system32\mswdat10.dll
2008-03-27 07:05 621,344 ----a-w C:\WINNT\system32\mswstr10.dll
2008-03-27 07:05 264,992 ----a-w C:\WINNT\system32\mstext40.dll
2008-03-27 07:04 559,904 ----a-w C:\WINNT\system32\msrepl40.dll
2008-03-27 07:04 432,928 ----a-w C:\WINNT\system32\msrd2x40.dll
2008-03-27 07:04 322,336 ----a-w C:\WINNT\system32\msrd3x40.dll
2008-03-27 07:03 355,104 ----a-w C:\WINNT\system32\mspbde40.dll
2008-03-27 07:03 248,608 ----a-w C:\WINNT\system32\msjtes40.dll
2008-03-27 07:03 219,936 ----a-w C:\WINNT\system32\msltus40.dll
2008-03-27 07:02 60,192 ----a-w C:\WINNT\system32\msjter40.dll
2008-03-27 07:02 355,112 ----a-w C:\WINNT\system32\msjetoledb40.dll
2008-03-27 07:01 1,516,568 ----a-w C:\WINNT\system32\msjet40.dll
2008-03-27 07:00 518,944 ----a-w C:\WINNT\system32\msexch40.dll
2008-03-27 07:00 326,432 ----a-w C:\WINNT\system32\msexcl40.dll
2006-04-02 20:28 6,322 -c--a-w C:\Program Files\DeIsL1.isu
2006-04-02 20:27 147 -c--a-w C:\Program Files\_DEISREG.ISR
2005-12-09 00:58 691 ----a-w C:\Program Files\Super GameHouse Solitaire.lnk
2005-12-09 00:56 774,144 -c--a-w C:\Program Files\RngInterstitial.dll
2005-12-04 17:03 271 ---h--w C:\Program Files\desktop.ini
2005-12-04 17:03 21,952 ---h--w C:\Program Files\folder.htt
2005-08-13 00:24 70,783 -c--a-w C:\Program Files\blokken2005.str
2005-02-13 23:57 66,499 -c--a-w C:\Program Files\blokken2003.str
2000-07-17 03:57 560,128 -c--a-w C:\Program Files\HTMLViewer.exe
1999-12-07 12:00 32,528 -c--a-w C:\WINNT\inf\wbfirdma.sys
1999-04-08 16:18 49,152 -c--a-w C:\Program Files\_ISREG32.DLL
2007-02-08 15:48 133,920 ----a-w C:\Program Files\internet explorer\plugins\LV82ActiveXControl.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Synchronization Manager"="mobsync.exe" [06/19/03 02:05p 111376 C:\WINNT\system32\mobsync.exe]
"Matrox Powerdesk"="C:\WINNT\System32\PDesk.exe" [02/11/00 02:26p 462848]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [12/09/05 01:30a 35328]
"mwc"="C:\Program Files\Mouse Wheel Control\mwc.exe" [ ]
"NeroCheck"="C:\WINNT\system32\\NeroCheck.exe" [07/09/01 05:50a 155648]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [08/01/07 08:42p 185896]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/08 04:25a 144784]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"^SetupICWDesktop"="C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe" [06/19/03 02:05p 186640]

C:\Documents and Settings\All Users.WINNT\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2000-01-21 03:15:54 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"aux"= mmdrv.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
"DisableMonitoring"=dword:00000001

R2 cvintdrv;cvintdrv;C:\WINNT\system32\drivers\cvintdrv.sys [02/21/07 10:00a]
R2 PPPoEService;PPPoE Service;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\pppoeservice.exe [07/11/00 11:48a]
R3 DXE101;Dynex DX-E101 NDIS Driver;C:\WINNT\system32\DRIVERS\DXE101.SYS [02/05/04 03:06p]
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINNT\system32\DRIVERS\klim5.sys [12/13/07 01:28p]
R3 NTSPPPOE;Efficient Networks Enternet P.P.P.o.E LAN Miniport Driver;C:\WINNT\system32\DRIVERS\ntspppoe.sys [08/03/01 12:32p]
R3 NTSTAP1;NTSTAP1;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\NTSTAP1.SYS [08/07/01 01:14p]
R3 RAWESR;RAWESR;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\RAWESR.SYS [08/06/01 11:43a]
R3 TAPBIND;TAPBIND;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\TAPBIND1.SYS [08/07/01 01:07p]
R3 Winacpci;Winacpci;C:\WINNT\system32\DRIVERS\winacpci.sys [09/24/99 06:55p]
S3 Amps2prt;Compatible PS/2 Port Mouse Driver;C:\WINNT\system32\DRIVERS\Amps2prt.sys [01/14/05 02:23a]
S3 EL90BC;3Com EtherLink XL B/C Adapter Driver;C:\WINNT\system32\DRIVERS\el90xbc5.sys [10/23/99 07:22a]
S3 NTSTAP2;NTSTAP2;C:\PROGRA~1\EFFICI~1\ENTERN~1\app\NTSTAP2.SYS [08/07/01 01:14p]

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-25 21:06:30
Windows 5.0.2195 Service Pack 4 NTFS

scanning hidden processes ...

\WINNT\explorer.exe [1156] 0x81376340

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 06/25/2008 21:10:25
ComboFix-quarantined-files.txt 2008-06-26 02:10:18
ComboFix2.txt 2008-06-26 01:45:11
ComboFix3.txt 2008-06-26 01:02:19
ComboFix4.txt 2008-06-22 14:41:14

Pre-Run: 548,773,888 bytes free
Post-Run: 540,872,704 bytes free

157 --- E O F --- 2008-06-12 00:07:01

#6 Orange Blossom

Orange Blossom

    Bleepin' Investigator


  • Moderator
  • 36,699 posts
  • OFFLINE
  •  
  • Gender:Not Telling
  • Location:Bloomington, IN
  • Local time:04:59 AM

Posted 25 June 2008 - 09:56 PM

Hello pfeid,

I have merged your latest topic which you posted in the Windows NT/2000/2003 forum to your previously existing topic here in the HJT forum. Please keep all posts regarding this issue in this thread by using the Add Reply button at the bottom of the topic. Starting new topics confuses things and delays the assistance you receive.

Back to you Thunder,

Orange Blossom :thumbsup:
Help us help you. If HelpBot replies, you MUST follow step 1 in its reply so we know you need help.

Orange Blossom

An ounce of prevention is worth a pound of cure

SpywareBlaster, WinPatrol Plus, ESET Smart Security, Malwarebytes' Anti-Malware, NoScript Firefox ext., Norton noscript

#7 Thunder

Thunder

  • Members
  • 3,294 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Belgium
  • Local time:11:59 AM

Posted 26 June 2008 - 06:44 AM

Thanks, Orange Blossom :thumbsup:

Hello Pfeid,

Your logs look quite a lot better now. :)

Navigate, using Windows Explorer, to and delete the following folders and files if still present:
C:\WINNT\system32\pphc348j0ep3r.exe <== file
If you're having problems removing a file/folder, reboot your Computer once again and try to remove it after reboot.

Then, you can remove all used tools and folders created in the process.
To remove ComboFix :
Go to Start > Run, and copy and paste the next command in the field:
ComboFix /u
Make sure there's a space between ComboFix and /u.
Then press Enter.
This will uninstall ComboFix, delete its related folders and files, restore your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Your JavaVM is also out of date. Older versions have vulnerabilities that malware can use to infect your system.
Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u6.
  • Scroll down to where it says The Java SE Runtime Environment (JRE) allows end-users to run Java applications.
  • Click the Download button to the right.
  • Check the box that says: Accept License Agreement
  • The page will refresh.
  • Click on the link to download Windows Offline Installation (jre-6u6-windows-i586-p.exe) and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.
Any more problems left?

Greetings,
Thunder
Whatever happens, make believe it was intended to ...
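The two things the reply above asks the poster to check, autostart entries whose target ComboFix could not resolve (the empty `[]` / `[ ]` brackets in the log) and a Java Runtime older than 6u6, as a small parser for the "Reg Loading Points" Run-key lines. This is an added example, not code from the thread or from ComboFix; the sample lines are copied from the log above, and 6u6 is assumed to correspond to version string 1.6.0_06.

```python
import re

# Constructed sample: Run-key lines in the ComboFix "Reg Loading Points"
# format, copied from the log posted in this thread.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"DW4"="" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [01/28/08 11:43a 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"mwc"="C:\Program Files\Mouse Wheel Control\mwc.exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe" [02/22/08 04:25a 144784]
"""

KEY_RE = re.compile(r'^\[(HKEY_[^\]]+)\]$')
ENTRY_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"\s*\[(?P<meta>[^\]]*)\]')
JRE_RE = re.compile(r'jre(\d+)\.(\d+)\.(\d+)_(\d+)', re.IGNORECASE)
MIN_JRE = (1, 6, 0, 6)  # assumed: 6u6 from the reply above, as a version tuple

def parse_run_entries(text):
    """Return one dict per autostart value: key, name, command, file metadata."""
    entries, key = [], None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and key:
            entries.append({"key": key, "name": m["name"], "command": m["cmd"],
                            "meta": m["meta"].strip()})
    return entries

def jre_version(command):
    """Version tuple parsed from a jreX.Y.Z_NN path, or None if not a JRE path."""
    m = JRE_RE.search(command)
    return tuple(int(p) for p in m.groups()) if m else None

def find_issues(entries, min_jre=MIN_JRE):
    """Flag unresolved autostart targets and JRE autostarts older than min_jre."""
    issues = []
    for e in entries:
        if not e["meta"]:  # ComboFix printed [] or [ ]: target file not found
            issues.append((e["name"], "unresolved target"))
        ver = jre_version(e["command"])
        if ver and ver < min_jre:
            issues.append((e["name"], "JRE %d.%d.%d_%02d older than %d.%d.%d_%02d" % (ver + min_jre)))
    return issues
```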
