
Checking if I am still infected


This topic is locked
19 replies to this topic

#1 Misuihc (Members, 16 posts)

Posted 22 October 2008 - 07:23 PM

Hello, B computer

Problem:
I was recently infected and I wanted to see if I am still infected. I had something that prevented me from opening my C drive and also a DNS trojan.

Looking back at my Spyware Doctor log it indicates these infections in my quarantine folder:
Virtumonde
PWS.WOW.EC
downloader.agent!sd6
agent
downloader.ruins
downloader.popuper

all of which are trojans.

What I have and have done:
I have a licensed version of Spyware Doctor. I also have SUPERAntiSpyware and . I followed all the steps in the Preparation Guide prior to posting.
Since then I have installed HijackThis, Sygate Personal Firewall, Spybot Search & Destroy and Ad-Aware.

The scans I did said I was clean, but I still sense a bit of fishiness. BleepingComputer fixed my last computer problems and I hope they can come save the day once again!

Thank you,

Love you guys


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:07:10 PM, on 10/22/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16674)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\DAEMON Tools Lite\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdaem.exe] C:\WINDOWS\system32\kdaem.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdlng.exe] C:\WINDOWS\system32\kdlng.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdbvx.exe] C:\WINDOWS\system32\kdbvx.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: xycoah.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljJASLby - ljJASLby.dll (file missing)
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6575 bytes



#2 chryssi2001 (Members, 1,930 posts)

Posted 08 November 2008 - 03:35 AM

Hello Misuihc,

I apologise for the delay; the forum is busy.

If you still need help, post a new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.

#3 Misuihc (Topic Starter; Members, 16 posts)

Posted 08 November 2008 - 09:48 AM

Hello,
Thanks for getting back to me. Here is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:47:08 AM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: xycoah.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljJASLby - ljJASLby.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7271 bytes

#4 chryssi2001 (Members, 1,930 posts)

Posted 08 November 2008 - 11:34 AM

Hello Misuihc,

Some infection from your 1st HijackThis log is gone, but you are still infected.

Please do not run any tools yourself until we clean this PC.
---------------------------------------------
You aren't running Anti-Virus Software

Anti-virus programs detect, cleanse, and erase harmful virus files on a computer, Web server, or network.
Unchecked, virus files can unintentionally be forwarded to others, including trading partners, thereby spreading infection. Because new viruses regularly emerge, anti-virus software should be updated frequently. Anti-virus software can scan the computer memory and disk drives for malicious code. It can alert the user if a virus is present, and will clean, delete (or quarantine) infected files or directories. Please download free anti-virus software (for personal use) from one of these excellent vendors NOW:

1) Antivir PersonalEditionClassic
-Free anti-virus software for Windows.
-Detects and removes more than 50,000 viruses. Free support.
2) avast! 4 Home Edition
-Anti-virus program for Windows.
-The home edition is freeware for noncommercial users.
3) AVG Anti-Virus Free Edition
- Free edition of the AVG anti-virus program for Windows.
- Available for single computer use for home and non commercial use.

Update and run your newly installed anti-virus, let it remove/quarantine what it finds, and post a new HijackThis log so we can move on.
Private Messages for personal support will be ignored. If you need help post in the forum.
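As an added illustration, not part of this thread, the kind of check a helper makes by eye when comparing the first and second logs above: a small Python script that parses the R/O entries of two HijackThis logs, diffs them, and applies three persistence heuristics to the entries that were still present on 8 November. The log excerpts are a handful of lines copied from the posted logs; the heuristics are the editor's own, not anything HijackThis computes.

```python
import re
from typing import List, Tuple

Entry = Tuple[str, str]  # (section code such as "O4", rest of the line)

# Constructed excerpts: a few lines copied from the 22 October and 8 November
# HijackThis logs posted in this thread (not the complete logs).
LOG_OCT22 = r"""
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdaem.exe] C:\WINDOWS\system32\kdaem.exe
O4 - HKLM\..\Run: [C:\WINDOWS\system32\kdlng.exe] C:\WINDOWS\system32\kdlng.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O20 - AppInit_DLLs: xycoah.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljJASLby - ljJASLby.dll (file missing)
"""

LOG_NOV08 = r"""
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O20 - AppInit_DLLs: xycoah.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljJASLby - ljJASLby.dll (file missing)
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^(?P<hive>.+?)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")


def parse_log(text: str) -> List[Entry]:
    """Keep only the 'Rn - ...' / 'On - ...' lines; header and process list are dropped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("sec"), m.group("body")))
    return entries


def diff_logs(old: List[Entry], new: List[Entry]) -> Tuple[List[Entry], List[Entry]]:
    """Entries that disappeared between two logs, and entries that are new."""
    removed = [e for e in old if e not in new]
    added = [e for e in new if e not in old]
    return removed, added


def flag_entry(entry: Entry) -> str:
    """Return a reason if the entry matches a simple persistence heuristic, else ''."""
    sec, body = entry
    if sec == "O4":
        m = RUN_RE.match(body)
        if m and ("\\" in m.group("name") or m.group("name").lower().endswith(".exe")):
            # Installers give Run values a product name; a value named after its
            # own full path (kdaem.exe, kdlng.exe in the first log) is typical of
            # dropped files rather than installed software.
            return "Run value named after its own path"
    elif sec == "O20":
        if body.startswith("AppInit_DLLs:") and body.split(":", 1)[1].strip():
            # AppInit_DLLs is loaded into every process that maps user32.dll.
            return "AppInit_DLLs injects a DLL into every process loading user32.dll"
        m = NOTIFY_RE.match(body)
        if m and ("(file missing)" in m.group("dll") or "\\" not in m.group("dll")):
            # Winlogon Notify packages run at logon in the winlogon process; an
            # orphaned or bare-name DLL here is a leftover, not a vendor package.
            return "Winlogon Notify package missing or not given a full path"
    return ""


def flagged(entries: List[Entry]) -> List[Tuple[Entry, str]]:
    return [(e, r) for e in entries for r in [flag_entry(e)] if r]


def still_present(old: List[Entry], new: List[Entry]) -> List[Entry]:
    """Flagged entries of the newer log that were already in the older one."""
    return [e for e, _ in flagged(new) if e in old]


if __name__ == "__main__":
    old, new = parse_log(LOG_OCT22), parse_log(LOG_NOV08)
    removed, added = diff_logs(old, new)
    print("gone since first log:", *removed, sep="\n  ")
    print("new since first log:", *added, sep="\n  ")
    print("flagged and still present:", *still_present(old, new), sep="\n  ")
```

Run against the full logs, the same three heuristics pick out exactly the entries the helper goes on to address: the two O20 lines survive into the 8 November log, while the kd*.exe Run values are gone.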

#5 Misuihc (Topic Starter; Members, 16 posts)

Posted 08 November 2008 - 04:00 PM

Here is an updated HijackThis log. The antivirus did not detect any viruses or unwanted programs. I used Avira AntiVirus.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:55:34 PM, on 11/8/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: xycoah.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ljJASLby - ljJASLby.dll (file missing)
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7897 bytes

#6 chryssi2001 (Members, 1,930 posts)

Posted 09 November 2008 - 02:31 AM

Hello Misuihc,

Download ComboFix from one of these locations:
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools
  • See this topic if you need help to disable your protection programs.
  • Double click on ComboFix.exe & follow the prompts.
  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.
  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.


Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

(screenshot of the Recovery Console message omitted)

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you.
Please include the C:\ComboFix.txt in your next reply along with a HijackThis log so we can continue cleaning the system.
Private Messages for personal support will be ignored. If you need help post in the forum.

#7 Misuihc (Topic Starter; Members, 16 posts)

Posted 09 November 2008 - 06:28 AM

Here is the ComboFix log you requested:
Attached file: combo_fix_log.txt (21.7KB)

Here is the latest HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:30:19 AM, on 11/9/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: xycoah.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7233 bytes

Edited by Misuihc, 09 November 2008 - 06:31 AM.


#8 chryssi2001

Posted 09 November 2008 - 08:39 AM

Hello Misuihc,

I see you have Megaupload Toolbar installed.
Read this and decide whether you wish to keep it or not.
"This toolbar integrates certain services from Alexa Internet, Inc. ("Alexa"). The toolbar may exchange data with Alexa in order to provide: (a) information to you about the web pages you view (ranking information, for example) and (b) basic information to Alexa on your use of the toolbar, including the IP address of your computer, the URL of the web pages you visit and, because the toolbar communicates via HTTP, data typical of normal HTTP communications such as user agent and operating system, will be communicated."

If you decide to uninstall it, use Add/Remove programs and remove:

MegauploadToolbar

Let me know if you uninstalled it, so I will remove any remnants.
----------------------------------------------
P2P PROGRAMS

IMPORTANT: I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BitLord

References for the risk of these programs can be found in these links:
http://www.microsoft.com/windows/ie/commun...protection.mspx
http://www.techweb.com/wire/160500554
http://www.internetworldstats.com/articles/art053.htm
See Clean/Infected P2P Programs here

Note: Even if you are using a "safe" P2P program, it is only the program that is safe. You will be sharing files from uncertified sources, and these are often infected. The bad guys use P2P filesharing as a major conduit to spread their wares.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).

If you choose not to remove them, please do not use them until this computer is clean.
----------------------------------------------
I need to find where a file is located.

FileLook

Please download FileLook by jpshortstuff from one of the following mirrors:
Link 1
Link 2
  • Double-click FileLook.exe to run it. (Vista users will almost certainly have to right click and select Run As Administrator)
  • Ensure that the BBCode Output checkbox is checked.
  • Copy the content of the following codebox into the main textfield:

    xycoah.dll /s
  • Click the FileLook button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found at C:\fl_log.txt
----------------------------------------------
Post back:
FileLook report.
Your decision about Megaupload Toolbar.

Please do not attach any reports I ask for, just post them normally.
It makes my work difficult.

Private Messages for personal support will be ignored. If you need help post in the forum.

#9 Misuihc (Topic Starter)

Posted 09 November 2008 - 03:23 PM

Hello. I apologize for attaching combofix log.txt; I thought it would be easier for you if I attached it because it was very lengthy.

Here is the FileLook report:

FileLook.exe v2.0 by jpshortstuff
Log created at 12:17 on 09/11/2008
==================================
FileSearch - "XYCOAH.DLL"


==============================

=EOF=

I have decided to uninstall Megaupload Toolbar and BitLord. I will be replacing BitLord with a safer torrent program: uTorrent.

Edited by Misuihc, 09 November 2008 - 03:29 PM.


#10 chryssi2001

Posted 10 November 2008 - 07:43 AM

Hello Misuihc,

Hello. I apologize for attaching combofix log.txt; I thought it would be easier for you if I attached it because it was very lengthy.

You couldn't know! :thumbsup:

I have decided to uninstall Megaupload Toolbar and BitLord. I will be replacing BitLord with a safer torrent program: uTorrent.


OK, I will remove Megaupload Toolbar remnants.

As for uTorrent, please do not install it or use it now, until we finish cleaning your PC.
----------------------------------------------
Disable Spyware Doctor until the computer is clean

Please disable Spyware Doctor, as it may interfere with the fix. To disable Spyware Doctor:
  • Click the Spyware Doctor icon in the System Tray.
  • Click Settings
  • Click Startup Settings under Pick a Category.
  • Uncheck Run at Windows startup.
  • Click Apply and Exit Spyware Doctor
Don't forget to re-enable it, when your computer is clean.
----------------------------------------------
COMBOFIX-Script
A word of warning: Please do not run ComboFix on your own. This tool is not a toy and not for everyday use.
  • Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

    Folder::
    c:\program files\BitLord
    c:\program files\MegauploadToolbar
    c:\documents and settings\Simon\Application Data\MegauploadToolbar
    c:\progra~1\MEGAUP~2
    
    DirLook::
    C:\ProgramData
    
    Registry::
    [-HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-c39e-35f1d2a32ec8}]
    [-HKEY_CLASSES_ROOT\megauploadtoolbar.MEGAUPLOADTOOLBAR]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "GEST"=-
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=""
    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "c:\\Program Files\\BitLord\\BitLord.exe"=-
  • Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

    Posted Image
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before following the steps below. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
  • Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
----------------------------------------------
It seems that this program is corrupted and not working on startup, so I am removing it from startup. You can go into the program and re-enable it again.

O4 - HKLM\..\Run: [GEST] =
----------------------------------------------
Post back:
Combofix report.
A new HijackThis log.
Private Messages for personal support will be ignored. If you need help post in the forum.
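As an added example (this is not code from the thread, nor from HijackThis or ComboFix), the Python script below does mechanically what the helper does by eye: it parses the Rx/Ox entries out of a HijackThis log, flags the three kinds of entry the CFScript above targets (a populated AppInit_DLLs value, an autostart whose command is empty, and a CLSID belonging to the component being removed), and diffs a before and after log so you can confirm the fix actually removed what it was meant to. The two log excerpts are trimmed from the logs posted in this thread; the flagging rules and the REMOVAL_CLSIDS set are this example's own assumptions, not a signature database.

```python
"""Triage and diff HijackThis v2 logs (added example, not code from this thread).

The two excerpts are trimmed from the logs posted in the thread; the flagging
rules and REMOVAL_CLSIDS are this example's own assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# An entry line looks like "O20 - AppInit_DLLs: xycoah.dll" or "R3 - URLSearchHook: ...".
ENTRY_RE = re.compile(r"^([RFO]\d{1,2}) - (.*)$")
# Body of an O4 Run/RunOnce entry: "HKLM\..\Run: [name] command".
O4_RUN_RE = re.compile(r"^(HK[A-Z]+\\.*\\Run(?:Once)?): \[([^\]]*)\]\s*(.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}")

# CLSID the CFScript in this thread deletes (Megaupload Toolbar BHO/toolbar); compared lower-case.
REMOVAL_CLSIDS = frozenset({"{a057a204-bacc-4d26-c39e-35f1d2a32ec8}"})

# Excerpt of the first log (before the CFScript ran). A header and a process
# line are left in to show that the parser skips them.
BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Megaupload Toolbar - {A057A204-BACC-4D26-C39E-35F1D2A32EC8} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O4 - HKLM\..\Run: [GEST] =
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: xycoah.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""

# Excerpt of the second log (after the CFScript ran).
AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
"""


@dataclass(frozen=True)
class Entry:
    section: str  # R0, R1, R3, O2, O4, O20, O23, ...
    body: str     # everything after "Oxx - "

    @property
    def line(self) -> str:
        return f"{self.section} - {self.body}"


def parse_log(text: str) -> list[Entry]:
    """Return the Rx/Ox entries of a HijackThis log; headers and process lists are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def flag_entries(entries: list[Entry], bad_clsids: frozenset[str] = frozenset()) -> dict[str, str]:
    """Map each suspicious entry line to the reason it was flagged (first reason wins)."""
    flags: dict[str, str] = {}
    for e in entries:
        if e.section == "O20" and e.body.startswith("AppInit_DLLs:"):
            value = e.body.split(":", 1)[1].strip()
            if value:  # on XP, user32.dll loads this DLL into every process that links it
                flags.setdefault(e.line, f"AppInit_DLLs loads {value!r} into every GUI process")
        elif e.section == "O4":
            m = O4_RUN_RE.match(e.body)
            if m and m.group(3).strip() in ("", "="):
                flags.setdefault(e.line, f"Run value [{m.group(2)}] has no command: broken or orphaned autostart")
        found = {c.lower() for c in CLSID_RE.findall(e.body)}
        if found & bad_clsids:
            flags.setdefault(e.line, "CLSID belongs to a component marked for removal")
    return flags


def diff_logs(before: str, after: str) -> tuple[list[str], list[str]]:
    """Entries present only in the old log (removed) and only in the new log (added)."""
    old = {e.line for e in parse_log(before)}
    new = {e.line for e in parse_log(after)}
    return sorted(old - new), sorted(new - old)


if __name__ == "__main__":
    for line, why in flag_entries(parse_log(BEFORE), REMOVAL_CLSIDS).items():
        print(f"FLAG  {line}\n      {why}")
    removed, added = diff_logs(BEFORE, AFTER)
    print(f"\n{len(removed)} entries gone after the fix, {len(added)} new:")
    for line in removed:
        print(f"  - {line}")
    for line in added:
        print(f"  + {line}")
```

Run it as-is and the before log yields four flags (the two Megaupload CLSID entries, the empty [GEST] autostart and the xycoah.dll AppInit_DLLs entry), while the diff lists six entries that disappeared after the fix and nothing new. The ISTray and DAEMON Tools entries show up in the diff although nothing flagged them, which is exactly why a diff is worth keeping next to the flag list: it tells you what else changed (here, Spyware Doctor was disabled on the helper's instruction) so you can account for every difference rather than only the ones you expected.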

#11 Misuihc (Topic Starter)

Posted 10 November 2008 - 01:27 PM

Here is the updated hijack this log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:25:08 AM, on 11/10/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliType Pro\dpupdchk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: Java™ Plug-In SSV Helper - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 6315 bytes

Here is the combofix log:

ComboFix 08-11-09.04 - Simon 2008-11-10 10:19:13.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2783 [GMT -8:00]
Running from: c:\documents and settings\Simon\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Simon\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\program files\BitLord
c:\program files\BitLord\BitLord.xml
c:\program files\BitLord\Downloads.xml
c:\program files\BitLord\Downloads\clip2_384[1].mpeg.bc!
c:\program files\BitLord\Downloads\office 2007\Access.en-us\Access.en-us\AccessMUI.msi
c:\program files\BitLord\Downloads\office 2007\Access.en-us\Access.en-us\AccessMUI.xml
c:\program files\BitLord\Downloads\office 2007\Access.en-us\Access.en-us\AccLR.cab
c:\program files\BitLord\Downloads\office 2007\Access.en-us\AccessMUISet.msi
c:\program files\BitLord\Downloads\office 2007\Access.en-us\AccessMUISet.xml
c:\program files\BitLord\Downloads\office 2007\Access.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\access12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\cpao12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\excel12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\groove12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\ic12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\inf12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\oct.chm
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\octres.dll
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\office12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\onent12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\outlk12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\ppt12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\proj12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\pub12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\spd12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\visio12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\de-de\word12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\access12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\cpao12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\excel12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\groove12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\ic12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\inf12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\oct.chm
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\octres.dll
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\office12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\onent12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\outlk12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\ppt12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\proj12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\pub12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\spd12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\visio12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\en-us\word12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\access12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\cpao12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\excel12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\groove12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\ic12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\inf12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\oct.chm
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\octres.dll
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\office12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\onent12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\outlk12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\ppt12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\proj12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\pub12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\spd12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\visio12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\es-es\word12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\access12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\cpao12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\excel12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\groove12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\ic12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\inf12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\oct.chm
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\octres.dll
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\office12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\onent12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\outlk12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\ppt12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\proj12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\pub12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\spd12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\visio12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\fr-fr\word12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\access12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\cpao12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\excel12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\groove12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\ic12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\inf12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\oct.chm
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\octres.dll
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\office12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\onent12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\outlk12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\ppt12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\proj12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\pub12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\spd12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\visio12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\it-it\word12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\access12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\cpao12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\excel12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\groove12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\ic12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\inf12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\oct.chm
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\octres.dll
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\office12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\onent12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\outlk12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\ppt12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\proj12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\pub12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\spd12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\visio12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ja-jp\word12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\access12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\cpao12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\excel12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\groove12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\ic12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\inf12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\oct.chm
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\octres.dll
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\office12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\onent12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\outlk12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\ppt12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\proj12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\pub12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\spd12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\visio12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\ko-kr\word12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\oct.dll
c:\program files\BitLord\Downloads\office 2007\Admin\octca.dll
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\access12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\cpao12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\excel12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\groove12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\ic12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\inf12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\oct.chm
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\octres.dll
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\office12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\onent12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\outlk12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\ppt12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\proj12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\pub12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\spd12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\visio12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-cn\word12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\access12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\cpao12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\excel12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\groove12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\ic12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\inf12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\oct.chm
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\octres.dll
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\office12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\onent12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\outlk12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\ppt12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\proj12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\pub12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\spd12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\visio12.opa
c:\program files\BitLord\Downloads\office 2007\Admin\zh-tw\word12.opa
c:\program files\BitLord\Downloads\office 2007\autorun.inf
c:\program files\BitLord\Downloads\office 2007\Catalog\files12.cat
c:\program files\BitLord\Downloads\office 2007\Enterprise.WW\config.xml
c:\program files\BitLord\Downloads\office 2007\Enterprise.WW\EnterpriseWW.msi
c:\program files\BitLord\Downloads\office 2007\Enterprise.WW\EnterpriseWW.xml
c:\program files\BitLord\Downloads\office 2007\Enterprise.WW\EnterWW.cab
c:\program files\BitLord\Downloads\office 2007\Enterprise.WW\ID_00030.DPC
c:\program files\BitLord\Downloads\office 2007\Enterprise.WW\Office64WW.msi
c:\program files\BitLord\Downloads\office 2007\Enterprise.WW\Office64WW.xml
c:\program files\BitLord\Downloads\office 2007\Enterprise.WW\ose.exe
c:\program files\BitLord\Downloads\office 2007\Enterprise.WW\osetup.dll
c:\program files\BitLord\Downloads\office 2007\Enterprise.WW\OWOW64WW.cab
c:\program files\BitLord\Downloads\office 2007\Enterprise.WW\setup.xml
c:\program files\BitLord\Downloads\office 2007\Excel.en-us\ExcelLR.cab
c:\program files\BitLord\Downloads\office 2007\Excel.en-us\ExcelMUI.msi
c:\program files\BitLord\Downloads\office 2007\Excel.en-us\ExcelMUI.xml
c:\program files\BitLord\Downloads\office 2007\Excel.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\Groove.en-us\Groove.en-us\GrooveLR.cab
c:\program files\BitLord\Downloads\office 2007\Groove.en-us\Groove.en-us\GrooveMUI.msi
c:\program files\BitLord\Downloads\office 2007\Groove.en-us\Groove.en-us\GrooveMUI.xml
c:\program files\BitLord\Downloads\office 2007\Groove.en-us\GrooveMUISet.msi
c:\program files\BitLord\Downloads\office 2007\Groove.en-us\GrooveMUISet.xml
c:\program files\BitLord\Downloads\office 2007\Groove.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\InfoPath.en-us\InfLR.cab
c:\program files\BitLord\Downloads\office 2007\InfoPath.en-us\InfoPathMUI.msi
c:\program files\BitLord\Downloads\office 2007\InfoPath.en-us\InfoPathMUI.xml
c:\program files\BitLord\Downloads\office 2007\InfoPath.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\Office.en-us\1033\dwintl20.dll
c:\program files\BitLord\Downloads\office 2007\Office.en-us\branding.xml
c:\program files\BitLord\Downloads\office 2007\Office.en-us\DW20.EXE
c:\program files\BitLord\Downloads\office 2007\Office.en-us\dwdcw20.dll
c:\program files\BitLord\Downloads\office 2007\Office.en-us\dwtrig20.exe
c:\program files\BitLord\Downloads\office 2007\Office.en-us\Microsoft.VC80.CRT.manifest
c:\program files\BitLord\Downloads\office 2007\Office.en-us\msvcr80.dll
c:\program files\BitLord\Downloads\office 2007\Office.en-us\OfficeLR.cab
c:\program files\BitLord\Downloads\office 2007\Office.en-us\OfficeMUI.msi
c:\program files\BitLord\Downloads\office 2007\Office.en-us\OfficeMUI.xml
c:\program files\BitLord\Downloads\office 2007\Office.en-us\OfficeMUISet.msi
c:\program files\BitLord\Downloads\office 2007\Office.en-us\OfficeMUISet.xml
c:\program files\BitLord\Downloads\office 2007\Office.en-us\osetupui.dll
c:\program files\BitLord\Downloads\office 2007\Office.en-us\pss10r.chm
c:\program files\BitLord\Downloads\office 2007\Office.en-us\setup.chm
c:\program files\BitLord\Downloads\office 2007\Office.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\Office.en-us\ShellUI.MST
c:\program files\BitLord\Downloads\office 2007\Office64.en-us\Office64MUI.msi
c:\program files\BitLord\Downloads\office 2007\Office64.en-us\Office64MUI.xml
c:\program files\BitLord\Downloads\office 2007\Office64.en-us\Office64MUISet.msi
c:\program files\BitLord\Downloads\office 2007\Office64.en-us\Office64MUISet.xml
c:\program files\BitLord\Downloads\office 2007\Office64.en-us\OWOW64LR.cab
c:\program files\BitLord\Downloads\office 2007\Office64.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\OneNote.en-us\OneNoteMUI.msi
c:\program files\BitLord\Downloads\office 2007\OneNote.en-us\OneNoteMUI.xml
c:\program files\BitLord\Downloads\office 2007\OneNote.en-us\OnoteLR.cab
c:\program files\BitLord\Downloads\office 2007\OneNote.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\Outlook.en-us\OutlkLR.cab
c:\program files\BitLord\Downloads\office 2007\Outlook.en-us\OutlookMUI.msi
c:\program files\BitLord\Downloads\office 2007\Outlook.en-us\OutlookMUI.xml
c:\program files\BitLord\Downloads\office 2007\Outlook.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\PowerPoint.en-us\PowerPointMUI.msi
c:\program files\BitLord\Downloads\office 2007\PowerPoint.en-us\PowerPointMUI.xml
c:\program files\BitLord\Downloads\office 2007\PowerPoint.en-us\PptLR.cab
c:\program files\BitLord\Downloads\office 2007\PowerPoint.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\Proofing.en-us\Proof.en\Proof.cab
c:\program files\BitLord\Downloads\office 2007\Proofing.en-us\Proof.en\Proof.msi
c:\program files\BitLord\Downloads\office 2007\Proofing.en-us\Proof.en\Proof.xml
c:\program files\BitLord\Downloads\office 2007\Proofing.en-us\Proof.es\Proof.cab
c:\program files\BitLord\Downloads\office 2007\Proofing.en-us\Proof.es\Proof.msi
c:\program files\BitLord\Downloads\office 2007\Proofing.en-us\Proof.es\Proof.xml
c:\program files\BitLord\Downloads\office 2007\Proofing.en-us\Proof.fr\Proof.cab
c:\program files\BitLord\Downloads\office 2007\Proofing.en-us\Proof.fr\Proof.msi
c:\program files\BitLord\Downloads\office 2007\Proofing.en-us\Proof.fr\Proof.xml
c:\program files\BitLord\Downloads\office 2007\Proofing.en-us\Proofing.msi
c:\program files\BitLord\Downloads\office 2007\Proofing.en-us\Proofing.xml
c:\program files\BitLord\Downloads\office 2007\Proofing.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\Publisher.en-us\PublisherMUI.msi
c:\program files\BitLord\Downloads\office 2007\Publisher.en-us\PublisherMUI.xml
c:\program files\BitLord\Downloads\office 2007\Publisher.en-us\PubLR.cab
c:\program files\BitLord\Downloads\office 2007\Publisher.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\README.HTM
c:\program files\BitLord\Downloads\office 2007\Rosebud.en-us\RbudLR.cab
c:\program files\BitLord\Downloads\office 2007\Rosebud.en-us\RosebudMUI.msi
c:\program files\BitLord\Downloads\office 2007\Rosebud.en-us\RosebudMUI.xml
c:\program files\BitLord\Downloads\office 2007\Rosebud.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\Serial.txt
c:\program files\BitLord\Downloads\office 2007\setup.exe
c:\program files\BitLord\Downloads\office 2007\Updates\README.TXT
c:\program files\BitLord\Downloads\office 2007\Word.en-us\setup.xml
c:\program files\BitLord\Downloads\office 2007\Word.en-us\WordLR.cab
c:\program files\BitLord\Downloads\office 2007\Word.en-us\WordMUI.msi
c:\program files\BitLord\Downloads\office 2007\Word.en-us\WordMUI.xml
c:\program files\BitLord\lang\lang_ar_ae.xml
c:\program files\BitLord\lang\lang_bg_bg.xml
c:\program files\BitLord\lang\lang_ca_es.xml
c:\program files\BitLord\lang\lang_cz_cz.xml
c:\program files\BitLord\lang\lang_da_dk.xml
c:\program files\BitLord\lang\lang_de_de.xml
c:\program files\BitLord\lang\lang_el_gr.xml
c:\program files\BitLord\lang\lang_en_us.xml
c:\program files\BitLord\lang\lang_es_ar.xml
c:\program files\BitLord\lang\lang_es_es.xml
c:\program files\BitLord\lang\lang_et_ee.xml
c:\program files\BitLord\lang\lang_fi_fi.xml
c:\program files\BitLord\lang\lang_fr_fr.xml
c:\program files\BitLord\lang\lang_gl_es.xml
c:\program files\BitLord\lang\lang_he_il.xml
c:\program files\BitLord\lang\lang_hu_hu.xml
c:\program files\BitLord\lang\lang_it_it.xml
c:\program files\BitLord\lang\lang_jp_jp.xml
c:\program files\BitLord\lang\lang_ko_kr.xml
c:\program files\BitLord\lang\lang_nb_no.xml
c:\program files\BitLord\lang\lang_nl_nl.xml
c:\program files\BitLord\lang\lang_pl_pl.xml
c:\program files\BitLord\lang\lang_pt_br.xml
c:\program files\BitLord\lang\lang_pt_pt.xml
c:\program files\BitLord\lang\lang_ro_ro.xml
c:\program files\BitLord\lang\lang_ru_ru.xml
c:\program files\BitLord\lang\lang_sk_sk.xml
c:\program files\BitLord\lang\lang_sl_si.xml
c:\program files\BitLord\lang\lang_sr_sr.xml
c:\program files\BitLord\lang\lang_sv_se.xml
c:\program files\BitLord\lang\lang_th_th.xml
c:\program files\BitLord\lang\lang_tr_tr.xml
c:\program files\BitLord\lang\lang_va_es.xml
c:\program files\BitLord\lang\lang_zh_tw.xml
c:\program files\BitLord\rules\ipfilter.dat
c:\program files\BitLord\Torrents\ATI Far Cry 2 Hotfix - Optimised.torrent
c:\program files\BitLord\Torrents\clip2_384[1].mpeg.torrent
c:\program files\BitLord\Torrents\clip2_384[1].mpeg.xml
c:\program files\BitLord\Torrents\DIET ANALYSIS PLUS 8.0.torrent
c:\program files\BitLord\Torrents\DirectX 10 for Xp.torrent
c:\program files\BitLord\Torrents\DirectX.10.for.XP.rar.torrent
c:\program files\BitLord\Torrents\jacks.too.bu.ku.2-tia ling.avi.torrent
c:\program files\BitLord\Torrents\JB4944 - Cum In My Mouth Please.wmv.torrent
c:\program files\BitLord\Torrents\MS Office Enterprise 2007 (Registered)a12.rar.torrent
c:\program files\BitLord\Torrents\NBA.2K9-RELOADED.torrent
c:\program files\BitLord\Torrents\NBA.2K9-RELOADED[0].torrent
c:\program files\BitLord\Torrents\NBA.2K9-RELOADED[1].torrent
c:\program files\BitLord\Torrents\office 2007.torrent
c:\program files\BitLord\Torrents\Pirates.Stagnettis.Revenge.XXX.DVDRiP.XviD-POSSESSED.torrent
c:\program files\BitLord\Torrents\RAZOR1911 [WEB SEED] FAR CRY 2 CRACK - REAL 100% FULLY WORKING.rar.torrent
c:\program files\BitLord\Torrents\Stoya & Katsumi - Katsuni Video Nasty 4.avi.torrent
c:\program files\BitLord\Torrents\Teanna Kai & Ed Powers.mpeg.torrent
c:\program files\BitLord\Torrents\The Sims 2 Kitchen & Bath Interior Design Stuff - Crack.exe.torrent
c:\program files\BitLord\Torrents\WM Recorder 12 Demo to Full Patch.torrent

.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-08 12:12 . 2008-11-08 12:12 <DIR> d-------- c:\program files\Avira
2008-11-08 12:12 . 2008-11-08 12:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Avira
2008-11-08 06:46 . 2008-11-08 06:46 <DIR> d-------- c:\program files\Trend Micro
2008-11-06 17:58 . 2008-11-06 17:58 <DIR> d-------- c:\documents and settings\Simon\.realobjects
2008-11-06 17:57 . 2008-11-06 17:57 <DIR> d-------- c:\windows\Sun
2008-11-06 17:17 . 2008-11-06 17:17 <DIR> d-------- c:\program files\Java
2008-11-06 17:17 . 2008-11-06 17:17 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-06 17:17 . 2008-11-06 17:17 73,728 --a------ c:\windows\system32\javacpl.cpl
2008-11-06 01:23 . 2008-11-06 14:04 <DIR> d-------- c:\program files\EA GAMES
2008-11-06 01:23 . 2004-08-17 19:14 442,368 -ra------ c:\windows\system32\vp6vfw.dll
2008-11-05 18:58 . 2008-11-05 18:58 <DIR> d-------- c:\documents and settings\All Users\Application Data\Apple Computer
2008-11-05 18:52 . 2008-11-05 18:52 <DIR> d--h----- c:\program files\Zero G Registry
2008-11-05 18:52 . 2008-11-05 23:00 <DIR> d-------- c:\program files\Britannica 8.0
2008-11-05 18:51 . 2008-11-05 18:51 <DIR> d--h----- c:\documents and settings\Simon\InstallAnywhere
2008-10-30 15:48 . 2008-10-30 15:57 <DIR> d-------- c:\documents and settings\Simon\Application Data\Red Alert 3
2008-10-28 16:16 . 2007-07-30 18:19 271,224 --a------ c:\windows\system32\mucltui.dll
2008-10-28 16:16 . 2007-07-30 18:19 207,736 --a------ c:\windows\system32\muweb.dll
2008-10-28 16:16 . 2007-07-30 18:19 30,072 --a------ c:\windows\system32\mucltui.dll.mui
2008-10-28 14:45 . 2008-10-28 14:45 <DIR> d-------- c:\program files\Bethesda Softworks
2008-10-28 14:45 . 2008-10-28 14:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Fallout3
2008-10-28 14:41 . 2008-10-28 14:41 <DIR> d-------- c:\windows\system32\XPSViewer
2008-10-28 14:41 . 2008-10-28 14:41 <DIR> d-------- c:\program files\Reference Assemblies
2008-10-28 14:41 . 2006-06-29 12:07 14,048 --------- c:\windows\system32\spmsg2.dll
2008-10-27 22:07 . 2008-10-27 22:07 <DIR> d-------- c:\program files\Windows Live
2008-10-27 22:07 . 2008-10-27 22:07 <DIR> d--hsc--- c:\program files\Common Files\WindowsLiveInstaller
2008-10-27 22:07 . 2008-10-27 22:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\WLInstaller
2008-10-27 03:07 . 2008-10-27 03:07 <DIR> d-------- c:\documents and settings\Simon\Application Data\Thomson Learning
2008-10-27 03:04 . 2008-11-08 16:17 <DIR> d-------- c:\program files\Diet Analysis Plus 8.0
2008-10-27 00:56 . 2008-10-27 00:56 <DIR> d-------- c:\program files\Electronic Arts
2008-10-25 18:29 . 2008-10-25 18:29 <DIR> d-------- C:\ProgramData
2008-10-25 18:28 . 2008-10-25 18:28 <DIR> d-------- c:\documents and settings\Simon\Application Data\Leadertech
2008-10-25 09:11 . 2008-10-25 09:11 <DIR> d-------- c:\documents and settings\Simon\Application Data\2K Sports
2008-10-25 08:46 . 2008-10-25 18:05 <DIR> d-------- c:\program files\NBA 2K9
2008-10-24 21:11 . 2008-10-24 21:11 <DIR> d-------- c:\program files\Sega
2008-10-24 00:30 . 2008-03-09 06:25 236 --ah----- c:\program files\Common Files\dx.reg
2008-10-24 00:18 . 2008-10-24 00:18 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2008-10-24 00:17 . 2008-10-24 00:17 2,250,024 --a------ c:\windows\system32\pbsvc.exe
2008-10-24 00:17 . 2008-10-24 00:18 107,832 --a------ c:\windows\system32\PnkBstrB.exe
2008-10-24 00:17 . 2008-10-24 00:17 66,872 --a------ c:\windows\system32\PnkBstrA.exe
2008-10-24 00:04 . 2008-10-24 00:04 <DIR> d-------- c:\program files\CCleaner
2008-10-24 00:00 . 2008-10-24 00:00 <DIR> d-------- c:\documents and settings\Simon\Application Data\Uniblue
2008-10-23 18:29 . 2008-10-31 15:17 <DIR> d-------- c:\windows\system32\LogFiles
2008-10-23 18:29 . 2008-10-24 00:18 22,328 --a------ c:\documents and settings\Simon\Application Data\PnkBstrK.sys
2008-10-23 05:02 . 2008-10-23 05:02 <DIR> d-------- c:\program files\Common Files\DirectX
2008-10-22 15:32 . 2008-10-22 15:32 <DIR> d-------- c:\program files\Sygate
2008-10-22 15:32 . 2004-10-15 17:32 83,096 --a------ c:\windows\system32\SSSensor.dll
2008-10-22 15:32 . 2004-10-15 17:17 60,496 --a------ c:\windows\system32\drivers\Teefer.sys
2008-10-22 15:32 . 2004-10-15 17:18 21,075 --a------ c:\windows\system32\drivers\wpsdrvnt.sys
2008-10-22 15:32 . 2004-10-15 17:32 14,568 --a------ c:\windows\system32\drivers\wg6n.sys
2008-10-22 15:32 . 2004-10-15 17:32 14,568 --a------ c:\windows\system32\drivers\wg5n.sys
2008-10-22 15:32 . 2004-10-15 17:32 14,568 --a------ c:\windows\system32\drivers\wg4n.sys
2008-10-22 15:32 . 2004-10-15 17:32 14,568 --a------ c:\windows\system32\drivers\wg3n.sys
2008-10-22 15:19 . 2008-10-24 14:22 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
2008-10-22 15:12 . 2008-10-22 15:12 <DIR> d-------- c:\program files\Lavasoft
2008-10-22 15:12 . 2008-10-22 15:12 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
2008-10-22 14:36 . 2008-08-14 02:11 2,189,184 -----c--- c:\windows\system32\dllcache\ntoskrnl.exe
2008-10-22 14:36 . 2008-08-14 02:09 2,145,280 -----c--- c:\windows\system32\dllcache\ntkrnlmp.exe
2008-10-22 14:36 . 2008-08-14 01:33 2,066,048 -----c--- c:\windows\system32\dllcache\ntkrnlpa.exe
2008-10-22 14:36 . 2008-08-14 01:33 2,023,936 -----c--- c:\windows\system32\dllcache\ntkrpamp.exe
2008-10-22 09:40 . 2008-10-22 09:40 <DIR> d-------- c:\documents and settings\Simon\Application Data\Malwarebytes
2008-10-22 09:40 . 2008-10-22 09:40 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2008-10-22 09:25 . 2008-10-22 09:37 <DIR> d-------- c:\program files\SUPERAntiSpyware
2008-10-22 09:25 . 2008-10-22 09:25 <DIR> d-------- c:\documents and settings\Simon\Application Data\SUPERAntiSpyware.com
2008-10-22 09:25 . 2008-10-22 09:25 <DIR> d-------- c:\documents and settings\All Users\Application Data\SUPERAntiSpyware.com
2008-10-22 04:02 . 2008-10-22 09:37 27,904 --a------ c:\windows\system32\drivers\ndisprot.sys
2008-10-22 03:15 . 2008-10-22 03:15 <DIR> d-------- c:\documents and settings\All Users\Application Data\KONAMI
2008-10-22 02:51 . 2008-10-22 02:51 <DIR> d-------- c:\program files\KONAMI
2008-10-22 00:32 . 2008-10-22 00:32 <DIR> d-------- c:\program files\Real Alternative
2008-10-22 00:32 . 2008-10-22 00:32 <DIR> d-------- c:\documents and settings\Simon\Application Data\Media Player Classic
2008-10-20 00:10 . 2008-10-20 00:10 <DIR> d-------- c:\program files\AGEIA Technologies
2008-10-19 15:08 . 2008-10-19 15:08 <DIR> dr-h----- c:\documents and settings\Simon\Application Data\SecuROM
2008-10-19 12:16 . 2008-10-19 12:16 <DIR> d-------- c:\windows\system32\AGEIA
2008-10-19 12:16 . 2008-10-24 00:15 <DIR> d-------- c:\program files\Ubisoft
2008-10-19 12:16 . 2008-10-24 14:23 <DIR> d-------- c:\program files\Common Files\Wise Installation Wizard
2008-10-19 11:45 . 2008-11-01 00:09 <DIR> d-------- c:\documents and settings\Simon\Application Data\dvdcss
2008-10-18 23:46 . 2008-10-18 23:46 <DIR> d-------- c:\windows\system32\xlive
2008-10-18 23:11 . 2008-09-23 20:05 593,920 --------- c:\windows\system32\ati2sgag.exe
2008-10-18 23:08 . 2008-10-18 23:08 10 --a------ c:\windows\WININIT.INI
2008-10-18 22:48 . 2008-04-12 17:13 1,029,126 --a------ c:\windows\system32\d3d10.dll
2008-10-18 22:48 . 2007-04-19 00:59 519,912 --a------ c:\windows\system32\d3dx10d_33.dll
2008-10-18 22:48 . 2007-04-19 00:59 519,912 --a------ c:\windows\system32\d3dx10d.dll
2008-10-18 22:48 . 2006-11-29 13:06 440,080 --a------ c:\windows\system32\d3dx10.dll
2008-10-18 22:48 . 2008-04-22 20:59 167,948 --a------ c:\windows\system32\dxgi.dll
2008-10-18 22:48 . 2007-12-22 19:30 34,854 --a------ c:\windows\system32\directx10logo.bmp
2008-10-18 22:48 . 2007-04-18 01:13 25,037 --a------ c:\windows\system32\Nucleus.dll
2008-10-18 22:26 . 2008-10-19 01:41 <DIR> d-------- c:\documents and settings\Simon\Application Data\Microsoft Games
2008-10-18 21:45 . 2008-10-18 21:45 319 --a------ c:\windows\game.ini
2008-10-18 21:40 . 2008-10-18 21:40 <DIR> d-------- c:\program files\Activision
2008-10-18 21:34 . 2008-10-18 21:34 <DIR> d--hs---- c:\windows\ftpcache
2008-10-18 09:00 . 2008-10-18 09:00 <DIR> d-------- c:\windows\Logs
2008-10-18 02:25 . 2005-07-14 09:30 30,664 --a------ c:\windows\system32\oemlogo.mrt
2008-10-18 02:25 . 2005-01-01 19:00 1,017 --a------ c:\windows\system32\oeminfo.mrt
2008-10-18 00:51 . 2008-10-19 15:08 107,888 --a------ c:\windows\system32\CmdLineExt.dll
2008-10-17 23:02 . 2008-03-05 15:56 3,786,760 --a------ c:\windows\system32\d3dx9_37.dll
2008-10-17 23:02 . 2007-10-12 15:14 3,734,536 --a------ c:\windows\system32\d3dx9_36.dll
2008-10-17 23:02 . 2008-03-05 14:56 1,420,824 --a------ c:\windows\system32\D3DCompiler_37.dll
2008-10-17 23:02 . 2007-10-12 14:14 1,374,232 --a------ c:\windows\system32\D3DCompiler_36.dll
2008-10-17 23:02 . 2008-03-05 15:03 479,752 --a------ c:\windows\system32\XAudio2_0.dll
2008-10-17 23:02 . 2008-02-05 23:07 462,864 --a------ c:\windows\system32\d3dx10_37.dll
2008-10-17 23:02 . 2007-10-02 09:56 444,776 --a------ c:\windows\system32\d3dx10_36.dll
2008-10-17 23:02 . 2007-10-22 02:39 267,272 --a------ c:\windows\system32\xactengine2_10.dll
2008-10-17 23:02 . 2007-07-19 23:57 267,112 --a------ c:\windows\system32\xactengine2_9.dll
2008-10-17 23:02 . 2008-03-05 15:03 238,088 --a------ c:\windows\system32\xactengine3_0.dll
2008-10-17 23:02 . 2008-03-05 15:00 25,608 --a------ c:\windows\system32\X3DAudio1_3.dll
2008-10-17 23:01 . 2008-10-17 23:01 <DIR> d-------- c:\program files\CAPCOM
2008-10-16 22:56 . 2008-10-22 03:11 50 --a------ c:\windows\MegaManager.INI
2008-10-16 21:59 . 2008-10-16 21:59 <DIR> d-------- c:\documents and settings\Simon\Application Data\Megaupload
2008-10-16 21:59 . 2008-10-16 21:59 <DIR> d-------- c:\documents and settings\Simon\Application Data\EmailNotifier
2008-10-16 21:59 . 2008-10-16 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\Megaupload
2008-10-16 21:59 . 2008-10-16 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\EmailNotifier
2008-10-16 21:58 . 2008-10-16 21:58 <DIR> d-------- c:\program files\Megaupload
2008-10-16 15:14 . 2008-10-28 23:23 <DIR> d-------- c:\program files\Foxit Software
2008-10-16 12:49 . 2006-10-26 18:56 32,592 --a------ c:\windows\system32\msonpmon.dll
2008-10-16 12:48 . 2008-10-28 14:43 <DIR> d-------- c:\program files\MSBuild
2008-10-16 12:48 . 2008-10-16 12:48 <DIR> d-------- c:\program files\Microsoft Works
2008-10-16 12:47 . 2008-10-16 12:47 <DIR> d-------- c:\program files\Microsoft.NET
2008-10-16 12:46 . 2008-10-21 12:36 <DIR> d-------- c:\windows\SHELLNEW
2008-10-16 12:46 . 2008-10-21 01:09 <DIR> d-------- c:\program files\Microsoft Visual Studio 8
2008-10-16 12:45 . 2008-10-16 12:45 <DIR> dr-h----- C:\MSOCache
2008-10-16 12:45 . 2008-10-21 12:37 <DIR> d-------- c:\documents and settings\All Users\Application Data\Microsoft Help
2008-10-16 12:37 . 2007-07-19 18:14 3,727,720 --a------ c:\windows\system32\d3dx9_35.dll
2008-10-16 12:37 . 2007-07-19 17:14 1,358,192 --a------ c:\windows\system32\D3DCompiler_35.dll
2008-10-16 12:37 . 2007-07-19 18:14 444,776 --a------ c:\windows\system32\d3dx10_35.dll
2008-10-16 12:30 . 2008-10-16 12:30 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Tools
2008-10-16 12:30 . 2008-10-16 12:30 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-11-10 09:15 --------- d-----w c:\program files\Steam
2008-10-28 22:45 --------- d--h--w c:\program files\InstallShield Installation Information
2008-10-24 02:22 --------- d-----w c:\program files\DAEMON Tools Lite
2008-10-22 08:46 --------- d-----w c:\program files\Windows Media Connect 2
2008-10-19 04:01 --------- d-----w c:\documents and settings\Simon\Application Data\Bioshock
2008-10-16 20:01 --------- d-----w c:\program files\Common Files\InstallShield
2008-10-16 19:48 --------- d-----w c:\program files\microsoft frontpage
2008-10-16 19:40 717,296 ----a-w c:\windows\system32\drivers\sptd.sys
2008-10-16 19:40 --------- d-----w c:\documents and settings\Simon\Application Data\DAEMON Tools
2008-10-16 19:22 --------- d-----w c:\documents and settings\Simon\Application Data\vlc
2008-10-16 19:11 --------- d-----w c:\program files\VideoLAN
2008-10-16 17:46 --------- d-----w c:\program files\ATI Technologies
2008-10-16 08:30 --------- d-----w c:\program files\Microsoft IntelliType Pro
2008-10-16 08:30 --------- d-----w c:\program files\Microsoft IntelliPoint
2008-09-24 03:09 3,331,072 ----a-w c:\windows\system32\drivers\ati2mtag.sys
2008-09-24 02:18 425,984 ----a-w c:\windows\system32\ATIDEMGX.dll
2008-09-24 02:17 311,296 ----a-w c:\windows\system32\ati2dvag.dll
2008-09-24 02:09 10,772,480 ----a-w c:\windows\system32\atioglxx.dll
2008-09-24 02:07 188,416 ----a-w c:\windows\system32\atipdlxx.dll
2008-09-24 02:06 43,520 ----a-w c:\windows\system32\ati2edxx.dll
2008-09-24 02:06 26,112 ----a-w c:\windows\system32\Ati2mdxx.exe
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\Oemdspif.dll
2008-09-24 02:06 143,360 ----a-w c:\windows\system32\ati2evxx.dll
2008-09-24 02:04 581,632 ----a-w c:\windows\system32\ati2evxx.exe
2008-09-24 02:03 53,248 ----a-w c:\windows\system32\ATIDDC.DLL
2008-09-24 01:56 307,200 ----a-w c:\windows\system32\atiiiexx.dll
2008-09-24 01:54 4,008,864 ----a-w c:\windows\system32\ati3duag.dll
2008-09-24 01:38 2,399,744 ----a-w c:\windows\system32\ativvaxx.dll
2008-09-24 01:24 48,640 ----a-w c:\windows\system32\amdpcom32.dll
2008-09-24 01:20 380,928 ----a-w c:\windows\system32\atikvmag.dll
2008-09-24 01:19 39,424 ----a-w c:\windows\system32\atiadlxx.dll
2008-09-24 01:18 53,248 ----a-w c:\windows\system32\drivers\ati2erec.dll
2008-09-24 01:18 253,952 ----a-w c:\windows\system32\atiok3x2.dll
2008-09-24 01:18 17,408 ----a-w c:\windows\system32\atitvo32.dll
2008-09-24 01:12 573,440 ----a-w c:\windows\system32\ati2cqag.dll
2008-09-15 12:12 1,846,400 ----a-w c:\windows\system32\win32k.sys
2008-08-26 07:24 826,368 ----a-w c:\windows\system32\wininet.dll
2008-08-14 10:09 2,145,280 ----a-w c:\windows\system32\ntoskrnl.exe
2008-08-14 09:33 2,023,936 ----a-w c:\windows\system32\ntkrnlpa.exe
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\ProgramData ----

2008-10-25 18:35 3228 --a------ c:\programdata\Electronic Arts\EADM\cache\Prefs.ead
2008-03-20 11:55 57382 -ra------ c:\programdata\Electronic Arts\EADM\cache\logs\LogReader.html


((((((((((((((((((((((((((((( snapshot@2008-11-09_ 3.22.18.23 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-11-09 11:20:34 16,608 ----a-w c:\windows\gdrv.sys
+ 2008-11-10 05:01:04 16,608 ----a-w c:\windows\gdrv.sys
+ 2008-11-10 05:01:04 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_140.dat
+ 2008-11-10 05:01:28 16,384 ----atw c:\windows\Temp\Perflib_Perfdata_ac.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\URLSearchHooks]
"{0063BF63-BFFF-4B8F-9D26-4267DF7F17DD}"= "c:\windows\system32\dvmurl.dll" [2008-05-02 146528]

[HKEY_CLASSES_ROOT\clsid\{0063bf63-bfff-4b8f-9d26-4267df7f17dd}]
[HKEY_CLASSES_ROOT\dvmurl.DvmIEGoogleSearch]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"itype"="c:\program files\Microsoft IntelliType Pro\itype.exe" [2007-08-31 988584]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\ipoint.exe" [2007-08-31 1037736]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-26 31016]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-08-01 61440]
"SmcService"="c:\progra~1\Sygate\SPF\smc.exe" [2004-10-15 2577632]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-11-06 136600]
"avgnt"="c:\program files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-06-12 266497]
"RTHDCPL"="RTHDCPL.EXE" [2008-06-26 c:\windows\RTHDCPL.exe]
"SoundMan"="SOUNDMAN.EXE" [2008-06-18 c:\windows\SoundMan.exe]
"AlcWzrd"="ALCWZRD.EXE" [2008-06-19 c:\windows\alcwzrd.exe]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"nltide_2"="shell32" [X]

c:\documents and settings\Simon\Start Menu\Programs\Startup\
OneNote 2007 Screen Clipper and Launcher.lnk - c:\program files\Microsoft Office\Office12\ONENOTEM.EXE [2006-10-26 98632]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "c:\program files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2008-07-23 15:28 352256 c:\program files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\GIGABYTE\\EnergySaver\\run.exe"=
"c:\\Program Files\\Steam\\steamapps\\aznblacklabel\\team fortress 2\\hl2.exe"=
"c:\\Program Files\\Steam\\steamapps\\aznblacklabel\\counter-strike source\\hl2.exe"=
"c:\\Program Files\\Messenger\\msmsgs.exe"=
"c:\\Program Files\\Activision\\Call of Duty 4 - Modern Warfare\\iw3mp.exe"=
"c:\\Program Files\\Ubisoft\\Gearbox Software\\Brothers in Arms - Hell's Highway\\Binaries\\biahh.exe"=
"c:\\Program Files\\KONAMI\\Pro Evolution Soccer 2009\\pes2009.exe"=
"c:\\WINDOWS\\system32\\PnkBstrA.exe"=
"c:\\WINDOWS\\system32\\PnkBstrB.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FarCry2.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Launcher.exe"=
"c:\\Program Files\\Ubisoft\\Far Cry 2\\bin\\FC2Editor.exe"=
"c:\\Program Files\\Electronic Arts\\Dead Space\\Dead Space.exe"=

R1 pctfw2;pctfw2;c:\windows\system32\drivers\pctfw2.sys [2008-10-16 160792]
R2 GEST Service;GEST Service for program management.;c:\program files\GIGABYTE\EnergySaver\GSvr.exe [2008-07-11 80392]
R3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-05-20 93696]
.
Contents of the 'Scheduled Tasks' folder

2008-11-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe []
.
- - - - ORPHANS REMOVED - - - -

WebBrowser-{A057A204-BACC-4D26-C39E-35F1D2A32EC8} - (no file)



**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-11-10 10:21:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\vsdatant]
"ImagePath"=""
.
Completion time: 2008-11-10 10:22:11
ComboFix-quarantined-files.txt 2008-11-10 18:22:05
ComboFix2.txt 2008-11-09 11:22:33

Pre-Run: 456,792,420,352 bytes free
Post-Run: 456,730,931,200 bytes free

576 --- E O F --- 2008-11-10 11:52:57
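As an added example (not part of the original post, and not ComboFix's own code), a small Python parser for the "Files Created" section of the ComboFix log above, run over a few lines copied from it; the triage filters (new drivers, hidden files, one name in two directories, files whose own timestamp predates their creation) are this example's own heuristics and assumed function names.

```python
"""Added example: a small parser for the 'Files Created' section of a
ComboFix log, with a few triage filters. The sample lines are copied from
the log above; the helper names and thresholds are this example's own."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional

# Data line: "<created> . <file mtime> <size or <DIR>> <9 attribute flags> <path>"
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?:<DIR>|(?P<size>[\d,]+)) "
    r"(?P<attrs>[a-z-]{9}) "
    r"(?P<path>.+)$"
)
TS = "%Y-%m-%d %H:%M"


@dataclass
class Entry:
    created: str         # when the object appeared on disk (first column)
    modified: str        # the file's own last-write time (second column)
    size: Optional[int]  # None for <DIR> lines
    attrs: str           # ComboFix flag string, e.g. "d--h-----" or "--a------"
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0] == "d"

    @property
    def hidden(self) -> bool:
        return "h" in self.attrs

    @property
    def name(self) -> str:
        return self.path.rsplit("\\", 1)[-1].lower()


def parse_files_created(text: str) -> List[Entry]:
    """One Entry per data line; banners, dots and blank lines are skipped."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = m.group("size")
        entries.append(Entry(m.group("created"), m.group("modified"),
                             int(size.replace(",", "")) if size else None,
                             m.group("attrs"), m.group("path")))
    return entries


def new_drivers(entries: List[Entry]) -> List[Entry]:
    """Kernel drivers (.sys) that appeared in the window, wherever they landed."""
    return [e for e in entries if not e.is_dir and e.name.endswith(".sys")]


def hidden_files(entries: List[Entry]) -> List[Entry]:
    """Non-directory entries carrying the hidden attribute."""
    return [e for e in entries if not e.is_dir and e.hidden]


def duplicate_names(entries: List[Entry]) -> Dict[str, List[Entry]]:
    """Same file name created in more than one directory (here a driver copied
    into a user profile): legitimate for some products, but worth confirming."""
    by_name: Dict[str, List[Entry]] = {}
    for e in entries:
        if not e.is_dir:
            by_name.setdefault(e.name, []).append(e)
    return {n: es for n, es in by_name.items() if len(es) > 1}


def stale_binaries(entries: List[Entry], min_days: int = 365) -> List[Entry]:
    """Files whose own last-write time is far older than their creation time.
    Normal for installers that drop old redistributables, so this is context
    for the reviewer, not a verdict."""
    return [e for e in entries if not e.is_dir and
            (datetime.strptime(e.created, TS)
             - datetime.strptime(e.modified, TS)).days >= min_days]


# Constructed sample: a handful of lines copied from the ComboFix log above.
SAMPLE_LOG = r"""
.
((((((((((((((((((((((((( Files Created from 2008-10-10 to 2008-11-10 )))))))))))))))))))))))))))))))
.

2008-11-08 12:12 . 2008-11-08 12:12 <DIR> d-------- c:\program files\Avira
2008-11-06 17:17 . 2008-11-06 17:17 410,976 --a------ c:\windows\system32\deploytk.dll
2008-11-06 01:23 . 2004-08-17 19:14 442,368 -ra------ c:\windows\system32\vp6vfw.dll
2008-10-24 00:30 . 2008-03-09 06:25 236 --ah----- c:\program files\Common Files\dx.reg
2008-10-24 00:18 . 2008-10-24 00:18 22,328 --a------ c:\windows\system32\drivers\PnkBstrK.sys
2008-10-23 18:29 . 2008-10-24 00:18 22,328 --a------ c:\documents and settings\Simon\Application Data\PnkBstrK.sys
2008-10-22 15:32 . 2004-10-15 17:17 60,496 --a------ c:\windows\system32\drivers\Teefer.sys
2008-10-18 23:08 . 2008-10-18 23:08 10 --a------ c:\windows\WININIT.INI
2008-10-16 12:30 . 2008-10-16 12:30 160,792 --a------ c:\windows\system32\drivers\pctfw2.sys
"""
```

Paste the whole "Files Created" block of a real log into `parse_files_created` to get the same filters over the full listing.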

#12 chryssi2001

  • Members
  • 1,930 posts

Posted 10 November 2008 - 01:39 PM

Hello Misuihc,

Malwarebytes' Anti-Malware

Please download Malwarebytes' Anti-Malware to your desktop.
  • Double-click mbam-setup.exe and follow the prompts to install the program.
  • At the end, be sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select Perform full scan, then click Scan.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Be sure that everything is checked, and click Remove Selected.
  • When completed, a log will open in Notepad. Please save it to a convenient location.
  • The log can also be found here:
    C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\mbam-log-date (time).txt
  • Post that log back here.

Private Messages for personal support will be ignored. If you need help post in the forum.

#13 Misuihc
  • Topic Starter

  • Members
  • 16 posts

Posted 10 November 2008 - 02:06 PM

Here is the Malwarebytes log:

Malwarebytes' Anti-Malware 1.30
Database version: 1380
Windows 5.1.2600 Service Pack 3

11/10/2008 11:05:54 AM
mbam-log-2008-11-10 (11-05-54).txt

Scan type: Full Scan (C:\|)
Objects scanned: 102087
Time elapsed: 15 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

#14 chryssi2001

  • Members
  • 1,930 posts

Posted 11 November 2008 - 01:25 AM

Hello Misuihc,

JavaRa

Please download JavaRa and unzip it to your desktop.

***Please close any instances of Internet Explorer before continuing!***
  • Double-click on JavaRa.exe to start the program.
  • From the drop-down menu, choose English and click on Select.
  • JavaRa will open; click on Remove Older Versions to remove the older versions of Java installed on your computer.
  • Click Yes when prompted. When JavaRa is done, a notice will appear that a logfile has been produced. Click OK.
  • A logfile will pop up. Please save it to a convenient location, and copy/paste it back in this topic.
  • In case the logfile doesn't pop up, you can find it here: C:\JavaRa.log
----------------------------------------------
Update Java Runtime

You are using an old version of Java. Sun's Java is sometimes updated in order to eliminate the exploitation of vulnerabilities in an existing version. For this reason, it's extremely important that you keep the program up to date, and also remove the older more vulnerable versions from your system. The most current version of Sun Java is: Java Runtime Environment Version 6 Update 7.
  • Go to http://java.sun.com/products/archive/j2se/6u7/index.html
  • Click on Download JRE
  • In Platform box choose Windows.
  • Check the box to Accept License Agreement and click Continue.
  • Click on Windows Offline Installation, click on the link under it which says "jre-6u7-windows-i586-p.exe" and save the downloaded file to your desktop.
  • Go to Start => Control Panel => Add or Remove Programs
  • Uninstall all old versions of Java (Java 3 Runtime Environment, JRE or JSE)
  • Install the new version by running the newly-downloaded file with the java icon which will be at your desktop, and follow the on-screen instructions.
  • Reboot your computer
----------------------------------------------
Run Kaspersky Online AV Scanner
Note: Internet Explorer should be used.

Please go to Kaspersky website and perform an online antivirus scan.
  • Read through the requirements and privacy statement and click on Accept button.
  • It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  • When the downloads have finished, click on Settings.
  • Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
    • Spyware, Adware, Dialers, and other potentially dangerous programs
    • Archives
    • Mail databases
  • Click on My Computer under Scan and then put the kettle on!
  • Once the scan is complete, it will display the results. Click on View Scan Report.
  • You will see a list of infected items there. Click on Save Report As....
  • Save this report to a convenient place like your Desktop. Change the Files of type to Text file (.txt) before clicking on the Save button.
  • Copy and paste the report into your next reply along with a fresh HJT log and a description of how your PC is behaving.


#15 Misuihc
  • Topic Starter

  • Members
  • 16 posts

Posted 11 November 2008 - 06:21 AM

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:19:19 AM, on 11/11/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16735)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\PnkBstrB.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Microsoft IntelliType Pro\itype.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft IntelliPoint\dpupdchk.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: DeviceVM Url Search Hook - {0063BF63-BFFF-4B8F-9D26-4267DF7F17DD} - C:\WINDOWS\system32\dvmurl.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
O2 - BHO: MegaIEMn - {bf00e119-21a3-4fd1-b178-3b8537e75c92} - C:\Program Files\Megaupload\Mega Manager\MegaIEMn.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [AlcWzrd] ALCWZRD.EXE
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [nltide_2] regsvr32 /s /n /i:U shell32 (User 'Default user')
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~4\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~4\Office12\GR99D3~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Avira AntiVir Personal - Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal - Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: GEST Service for program management. (GEST Service) - Unknown owner - C:\Program Files\GIGABYTE\EnergySaver\GSvr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

--
End of file - 7094 bytes

Scan report:

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, November 11, 2008
Operating System: Microsoft Windows XP Professional Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, November 11, 2008 07:34:08
Records in database: 1379422
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area Folder
Scan statistics
Files scanned 55940
Threat name 0
Infected objects 0
Suspicious objects 0
Duration of the scan 00:58:15

No malware has been detected. The scan area is clean.
The selected area was scanned.


PC is running great, no choke ups, slowing down, or weird pop ups.
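A small triage pass over entries in the format of the HijackThis log above, added here as an example; it is not code from the thread or from HijackThis itself. The heuristics (publisher-less O23 services, O4 autoruns with no absolute path, files outside the Windows and Program Files trees, browser hooks carrying a CLSID) and the last sample line, a made-up autorun in a temp folder, are my assumptions; a flag only means an entry is worth looking up, not that it is malicious.

```python
import re

# Added example, not code from the thread: a triage helper for HijackThis entries of the
# shape "<section> - <detail>" as posted above. A flag means "look this one up", not "malware".
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<detail>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
PATH_RE = re.compile(r"[A-Za-z]:\\[^\"\n]*?\.(?:exe|dll|ocx|sys)\b", re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\progra~1\\")  # where entries normally live

def parse_entry(line):
    """Split one HijackThis entry into section, CLSID and file path (None when absent)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    detail = m.group("detail")
    clsid, path = CLSID_RE.search(detail), PATH_RE.search(detail)
    return {"section": m.group("section"), "detail": detail,
            "clsid": clsid.group(0) if clsid else None, "path": path.group(0) if path else None}

def triage(line):
    """Return the reasons one entry deserves a closer look (empty list = nothing noted)."""
    e = parse_entry(line)
    if e is None:
        return []
    reasons = []
    if e["section"] == "O23" and "Unknown owner" in e["detail"]:
        reasons.append("service binary carries no publisher name")
    if e["section"] == "O4" and e["path"] is None:
        reasons.append("autorun command has no absolute path; it is resolved via the search path")
    if e["path"] and not e["path"].lower().startswith(TRUSTED_DIRS):
        reasons.append("file lives outside Windows/Program Files: " + e["path"])
    if e["section"] in ("O2", "R3") and e["clsid"]:
        reasons.append("browser hook with CLSID " + e["clsid"] + "; confirm which DLL it loads")
    return reasons

def triage_log(text):
    """Run triage over a whole log; returns [(entry, reasons)] for entries with any reason."""
    return [(l.strip(), triage(l)) for l in text.splitlines() if triage(l)]

# Constructed sample: three entries copied from the log above plus one made-up autorun
# in a temp folder (last line) so the path heuristic has something to fire on.
SAMPLE_LOG = """\
R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O4 - HKLM\\..\\Run: [RTHDCPL] RTHDCPL.EXE
O23 - Service: PnkBstrA - Unknown owner - C:\\WINDOWS\\system32\\PnkBstrA.exe
O4 - HKCU\\..\\Run: [updater] C:\\Documents and Settings\\User\\Local Settings\\Temp\\updater.exe
"""
```

Running `triage_log` over a full log as posted above leaves the Java, Office and Avira entries unflagged and lists only the handful a helper would actually go and verify.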
