Just Got Infected With Spyware That Goes With Spy Shierff


14 replies to this topic

#1 lostneedhelp

  • Members
  • 56 posts

Posted 30 May 2006 - 03:11 PM

OK, my computer has gone nuts! I've tried running scans, but the type of spyware I have, which I have no idea what it is but I know it's spyware, has disabled my virus protection. I've run scans with SpyBot, Microsoft Anti-Spyware and Ad-Aware spyware protection. Here is my HJT file. Please help!!

Logfile of HijackThis v1.99.1
Scan saved at 4:03:50 PM, on 5/30/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\ryads.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\39221349.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=8116
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [bd70bf7.exe] C:\WINDOWS\System32\bd70bf7.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\ryads.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [39221349.exe] C:\WINDOWS\System32\39221349.exe
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [39221349.exe] C:\Documents and Settings\Stephanie Clark\Local Settings\Application Data\39221349.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136156960734
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://webcam.atomicmods.com//activex/AMC.cab
O16 - DPF: {EF98AF7B-1F54-4079-91BC-3996DEABA45A} (Sinstaller Class) - http://www.cursorcafe.com/bin/cursorcafe.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_21.dll
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2 miekiemoes (Malware Killer Dog)

  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 June 2006 - 08:39 AM

Hello,

It's better to print out the next instructions or save them in Notepad, because you also have to work in Safe Mode without networking support, and this page won't be available then.
It is also important that you don't miss a step and perform everything in the right order!!

* Please set your system to show all files; please see here if you're unsure how to do this.

Please download Ewido anti-malware ; it is a free version of the program.
  • Install ewido security suite
  • When installing, under "Additional Options" uncheck..
    • Install background guard
    • Install scan via context menu
  • Launch ewido by double-clicking on the icon on your desktop.
  • The program will now open to the main screen.
  • When you run ewido for the first time, you may get a warning "Database could not be found!". Click OK. We will fix this in a moment.
  • You will need to update ewido to the latest definition files.
    • On the left hand side of the main screen click update.
    • Then click on Start Update.
  • The update will start and a progress bar will show the updates being installed.
    (the status bar at the bottom will display ("Update successful")
If you are having problems with the updater, you can use this link to manually update ewido.
ewido manual updates
Don't run it yet.

* Reboot into Safe Mode (without networking support!):
To get into Safe Mode as the computer is booting, press and hold your "F8" key. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - Default URLSearchHook is missing
O4 - HKLM\..\Run: [bd70bf7.exe] C:\WINDOWS\System32\bd70bf7.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\ryads.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [39221349.exe] C:\WINDOWS\System32\39221349.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [39221349.exe] C:\Documents and Settings\Stephanie Clark\Local Settings\Application Data\39221349.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O16 - DPF: {EF98AF7B-1F54-4079-91BC-3996DEABA45A} (Sinstaller Class) - http://www.cursorcafe.com/bin/cursorcafe.cab
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_21.dll


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Program Files\ryads.exe
C:\WINDOWS\System32\0mcamcap.exe
C:\WINDOWS\System32\39221349.exe
C:\WINDOWS\System32\bd70bf7.exe
C:\Documents and Settings\Stephanie Clark\Local Settings\Application Data\39221349.exe
C:\WINDOWS\System32\dcom_21.dll

* Still in safe mode... * Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
* Open Ewido anti-malware
Click on scanner

* Click Complete System Scan and the scan will begin.
* During the scan it will prompt you to clean files, click OK
* When the scan is finished, look at the bottom of the screen and click the Save report button.
* Save the report to your desktop

Close Ewido

* Reboot your system back to normal mode.

* Perform an onlinescan with panda: (please use this scanner instead of any other scanner!)
Panda Online
- Once you are on the Panda site click the Scan your PC button
- A new window will open...click the Check Now button
- Enter your Country
- Enter your State/Province
- Enter your e-mail address and click send
- Select either Home User or Company
- Click the big Scan Now button
- If it wants to install an ActiveX component allow it
- It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
- When download is complete, click on Local Disks to start the scan
- When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
Post the contents of the Panda scan report in your next reply,
together with the contents of ewido-log present on your desktop and a new HiJackThis log.

Extra instruction..

Open Notepad and copy and paste the text in the quote box below into it:

rem Walk the system drive for the two renamed droppers, including hidden copies
cd /d %systemdrive%\
dir %systemdrive%\39221349.exe /a /s >> check1.txt
dir %systemdrive%\bd70bf7.exe /a /s >> check2.txt
rem Merge both listings into one file and open it for posting
copy check1.txt + check2.txt look.txt
del check*.txt
start notepad look.txt


Save this as look.bat, choose "Save as type: All Files", and place it on your desktop.
Doubleclick on it and notepad should open.
Copy and paste the contents of it also in your next reply.
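The entries post #2 picks out of the log in post #1 share a few tells: the IE start, default and local pages all point at a file on the local disk (c:\secure32.html) rather than a web site, the Run values have machine-generated names (bd70bf7, 0mcamcap, 39221349) or sit directly in C:\Program Files with no vendor folder (ryads.exe), one of them is written to the Win9x-era RunServices key, an ActiveX control comes from a non-Microsoft host, and an SSODL entry loads a DLL into Explorer at logon. The script below, which is an added example written for this page and not part of the thread or of HijackThis, encodes those rules as heuristics over HijackThis 1.99 log lines and also lists the files that would be left on disk after Fix Checked, matching the manual deletion step. The sample lines are copied from the log in post #1; the TRUSTED_DPF_HOSTS allowlist and the rule thresholds are the editor's own assumptions.

```python
"""Triage HijackThis 1.99 log lines with the patterns the helper's reply
identifies.  Example code for this page, not a HijackThis component; the
rules are heuristics and the allowlist below is an editor's assumption."""
import re

# Lines copied from the HijackThis log in post #1 (malicious and clean),
# so the rules have something to flag and something to leave alone.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=8116
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [bd70bf7.exe] C:\WINDOWS\System32\bd70bf7.exe
O4 - HKLM\..\Run: [SysTray] C:\Program Files\ryads.exe
O4 - HKLM\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [39221349.exe] C:\WINDOWS\System32\39221349.exe
O4 - HKLM\..\RunServices: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {EF98AF7B-1F54-4079-91BC-3996DEABA45A} (Sinstaller Class) - http://www.cursorcafe.com/bin/cursorcafe.cab
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O21 - SSODL: DCOM Server - {2C1CD3D7-86AC-4068-93BC-A02304BB8C34} - C:\WINDOWS\System32\dcom_21.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
"""

LOCAL_PATH = re.compile(r'^(?:[a-z]:\\|file:)', re.I)
O4_LINE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')
EXE_IN_CMD = re.compile(r'"?(?P<path>[a-z]:\\[^"]*?\.exe)"?', re.I)
TRUSTED_DPF_HOSTS = ('microsoft.com', 'windowsupdate.com')  # assumption: editor's allowlist


def exe_path(cmd):
    """First quoted or bare drive-letter path ending in .exe, or None."""
    m = EXE_IN_CMD.search(cmd)
    return m.group('path') if m else None


def looks_machine_generated(stem):
    """Names malware picks: leading digit, mostly digits, or a short hex blob."""
    s = stem.lower()
    if not s or s[0].isdigit():
        return True
    digits = sum(c.isdigit() for c in s)
    if digits >= len(s) / 2:
        return True
    return len(s) >= 6 and digits > 0 and all(c in '0123456789abcdef' for c in s)


def check_r(line):
    """R0/R1: IE page settings that point at a local file are a hijack."""
    if not line.startswith(('R0 ', 'R1 ')):
        return []
    value = line.split(' = ', 1)[1] if ' = ' in line else ''
    return ['IE page setting points at a local file, not a web site'] if LOCAL_PATH.match(value.strip()) else []


def check_o4(line):
    """O4: autostart entries; flag the naming and placement patterns from the thread."""
    m = O4_LINE.match(line)
    if not m:
        return []
    reasons = []
    if m.group('key').lower() == 'runservices':
        reasons.append('RunServices is a Windows 9x/Me key; nothing legitimate on XP still writes it')
    path = exe_path(m.group('cmd'))
    if path:
        folder, _, filename = path.rpartition('\\')
        if m.group('name').lower() == filename.lower():
            reasons.append('Run value name is just the file name')
        if looks_machine_generated(filename.rsplit('.', 1)[0]):
            reasons.append('executable name looks machine-generated')
        if folder.lower() == r'c:\program files':
            reasons.append('executable sits directly in Program Files, not in a vendor folder')
    return reasons


def check_o16(line):
    """O16: downloaded ActiveX controls from hosts outside the allowlist."""
    if not line.startswith('O16 '):
        return []
    m = re.search(r' - (?P<src>\S+)$', line)
    host = re.match(r'https?://([^/]+)', m.group('src'), re.I) if m else None
    if host and not host.group(1).lower().endswith(TRUSTED_DPF_HOSTS):
        return ['ActiveX control downloaded from a host outside the allowlist']
    return []


def check_o21(line):
    """O21: ShellServiceObjectDelayLoad DLLs load into Explorer at logon; review every one."""
    return ['SSODL DLL loads into Explorer at logon; legitimate entries are rare'] if line.startswith('O21 ') else []


CHECKS = (check_r, check_o4, check_o16, check_o21)


def triage(log_text):
    """Return [(line, [reason, ...])] for every line at least one rule flags."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = [r for check in CHECKS for r in check(line)] if line else []
        if reasons:
            findings.append((line, reasons))
    return findings


def files_to_delete(findings):
    """Binaries the flagged O4/O21 entries load; Fix Checked removes the entry, not the file."""
    paths = set()
    for line, _ in findings:
        m = O4_LINE.match(line)
        if m and exe_path(m.group('cmd')):
            paths.add(exe_path(m.group('cmd')))
        elif line.startswith('O21 '):
            paths.add(line.rsplit(' - ', 1)[1])
    return sorted(paths, key=str.lower)


if __name__ == '__main__':
    found = triage(SAMPLE_LOG)
    for line, reasons in found:
        print(line)
        for r in reasons:
            print('   ->', r)
    print('\nStill on disk after Fix Checked, delete by hand in Safe Mode:')
    for p in files_to_delete(found):
        print('  ', p)
```

Run it against a full log pasted into SAMPLE_LOG and the flagged lines are the ones to tick in HijackThis; the second list is what the "locate the following files and delete them" step covers. The rules are deliberately narrow (a legitimate program installed straight into C:\Program Files, for instance, would be flagged), so treat the output as a checklist for a human, not a verdict.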

#3 lostneedhelp (Topic Starter)

  • Members
  • 56 posts

Posted 01 June 2006 - 04:14 PM

Ewido-log

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 4:04:04 PM, 6/1/2006
+ Report-Checksum: 4111037E

+ Scan result:

C:\!KillBox\kblnnbjc.dll -> Adware.Agent : Cleaned with backup
C:\awuakqbw.exe -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@ads.pointroll[1].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@advertising[1].txt -> TrackingCookie.Advertising : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@image.masterstats[1].txt -> TrackingCookie.Masterstats : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@statse.webtrendslive[1].txt -> TrackingCookie.Webtrendslive : Cleaned with backup
C:\Documents and Settings\Mom\Cookies\mom@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Application Data\Microsoft\dcom_19.dll -> Backdoor.Agent.uu : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@adopt.specificclick[1].txt -> TrackingCookie.Specificclick : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@ads.addynamix[2].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@ads.pointroll[2].txt -> TrackingCookie.Pointroll : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@anat.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@as-us.falkag[2].txt -> TrackingCookie.Falkag : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@cbs.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@citi.bridgetrack[2].txt -> TrackingCookie.Bridgetrack : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@data3.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@data4.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@e-2dj6wjmyaocpidp.stats.esomniture[2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@edge.ru4[2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@findwhat[1].txt -> TrackingCookie.Findwhat : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@overture[2].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@perf.overture[1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@questionmarket[1].txt -> TrackingCookie.Questionmarket : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@reduxads.valuead[2].txt -> TrackingCookie.Valuead : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@revenue[2].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@server.iad.liveperson[1].txt -> TrackingCookie.Liveperson : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@serving-sys[2].txt -> TrackingCookie.Serving-sys : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@tribalfusion[2].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Local Settings\Temp\2237.exe -> Dropper.Agent.aqc : Cleaned with backup
C:\Documents and Settings\Stephanie Clark\Local Settings\Temporary Internet Files\Content.IE5\O62NPPXD\2237[2].exe -> Dropper.Agent.ako : Cleaned with backup
C:\Documents and Settings\Steven Clark\Local Settings\Temporary Internet Files\Content.IE5\A8LL3OQD\rzhtsdpb[1].txt -> Trojan.Sinowal.v : Cleaned with backup
C:\Documents and Settings\Steven Clark\Local Settings\Temporary Internet Files\Content.IE5\Q26JANIN\upbwlxiu[1].txt -> Hijacker.StartPage.adi : Cleaned with backup
C:\Documents and Settings\Steven Clark\Local Settings\Temporary Internet Files\Content.IE5\RXZ7UCPS\bmlgjeg[1].txt -> Downloader.Small.csn : Cleaned with backup
C:\Documents and Settings\Steven Clark\Local Settings\Temporary Internet Files\Content.IE5\SBM14TBC\2237[1].exe -> Dropper.Agent.ako : Cleaned with backup
C:\Documents and Settings\Steven Clark\Local Settings\Temporary Internet Files\Content.IE5\SBM14TBC\plfeqcamh[1].txt -> Not-A-Virus.Hoax.Win32.Renos.bw : Cleaned with backup
C:\Documents and Settings\Steven Clark\Local Settings\Temporary Internet Files\Content.IE5\X7JJD94A\kwvgb[1].txt -> Proxy.Small.bo : Cleaned with backup
C:\hijackthis\backups\backup-20060124-160231-756.dll -> Adware.PurityScan : Cleaned with backup
C:\Program Files\Common Files\Microsoft Shared\Web Folders\_ibm00007.exe -> Trojan.Agent.bu : Cleaned with backup
C:\Program Files\Microsoft AntiSpyware\Quarantine\17853331-D508-400A-AC09-74CE70\3925DDE5-CA05-4404-9E30-348D0C -> Backdoor.Agent.uu : Cleaned with backup
C:\Program Files\Trend Micro\Internet Security 2005\VSSES46N.001 -> Dropper.Agent.afj : Cleaned with backup
C:\splp.exe -> Trojan.Sinowal.v : Cleaned with backup
C:\tpjtsip.exe -> Downloader.Small.csn : Cleaned with backup
C:\WINDOWS\Downloaded Program Files\pi1_20.exe -> Downloader.Small.aal : Cleaned with backup
C:\WINDOWS\system32\dcom_19.dll -> Backdoor.Agent.uu : Cleaned with backup
C:\WINDOWS\system32\dxvwayws.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwbgfa.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwbkfg.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwblnj.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwbuvc.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwcjsl.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwcmxy.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwcoay.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwctqp.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwdofv.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwdsno.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwdwtb.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvweabr.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwewhy.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwfldf.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwfnay.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwfwke.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwglww.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwhfhl.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwhurg.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwhxbv.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwhxgt.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwieof.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwifol.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwinha.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwiyod.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwjbog.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwkcwk.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwkhbd.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwkvzm.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwkxsw.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwlgni.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwlxkr.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwlyye.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwmqwe.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwmyco.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwnbbf.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwnfqe.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwnjpv.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwnkru.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwnlyh.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwoirf.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwovse.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwqmia.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwqrxo.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwqzcd.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwrdnt.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwrfss.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwrnmq.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwrqii.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwseyn.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwsjbf.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwsssy.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwteqb.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwthmb.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwthrc.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwuitn.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwunfy.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwuytk.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwweyg.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwwmms.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwwnkk.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwxlff.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwxmib.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwycyu.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwyfbv.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwytuk.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwzarm.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwzgrg.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwzkmu.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwzsgk.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\dxvwzuya.exe -> Dropper.Agent.ako : Cleaned with backup
C:\WINDOWS\system32\igfmsr.exe -> Logger.VB.eh : Cleaned with backup
C:\WINDOWS\system32\maxd64.exe -> Trojan.Dialer.ay : Cleaned with backup
C:\WINDOWS\system32\TheMatrixHasYou.exe -> Proxy.Small.bo : Cleaned with backup
C:\WINDOWS\ttzrwyjn.dll -> Adware.BookedSpace : Cleaned with backup


::Report End

#4 lostneedhelp (Topic Starter)

  • Members
  • 56 posts

Posted 01 June 2006 - 04:18 PM

Panda log

Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Mom\Cookies\mom@atwola[1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@42633854[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@atwola[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@belnk[1].txt
Spyware:Cookie/360i Not disinfected C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@ct.360i[2].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@dist.belnk[2].txt
Spyware:Cookie/FortuneCity Not disinfected C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@fortunecity[1].txt
Spyware:Cookie/Screensavers Not disinfected C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@i.screensavers[2].txt
Spyware:Cookie/Maxserving Not disinfected C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@maxserving[2].txt
Spyware:Cookie/OfferOptimizer Not disinfected C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@offeroptimizer[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@realmedia[2].txt
Spyware:Cookie/Searchportal Not disinfected C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@searchportal.information[1].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\Stephanie Clark\Cookies\stephanie clark@xiti[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Stephanie Clark\Desktop\win32delfkil\Process.exe
Spyware:spyware/surfsidekick Not disinfected C:\Documents and Settings\Stephanie Clark\Local Settings\Temporary Internet Files\Ssk.log
Virus:Exploit/LoadImage Disinfected C:\Documents and Settings\Steven Clark\Local Settings\Temporary Internet Files\Content.IE5\GTK1E7KT\cura[1].anr
Potentially unwanted tool:Application/KillApp.A Not disinfected C:\Documents and Settings\Steven Clark\Local Settings\Temporary Internet Files\Content.IE5\X7JJD94A\jrdpnmyk[1].htm
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:adware/secure32 Not disinfected C:\secure32.html
Adware:adware program Not disinfected C:\WINDOWS\ss3unstl.exe
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@belnk[1].txt
Spyware:Cookie/Belnk Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@dist.belnk[2].txt
Spyware:Cookie/empnads Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@empnads[1].txt
Spyware:Cookie/Rn11 Not disinfected C:\WINDOWS\system32\config\systemprofile\Cookies\system@rn11[2].txt
Adware:Adware/YazzleSudoku Not disinfected C:\WINDOWS\system32\GS_SilentSudokuInstaller.exe[GS_SudokuInstaller.exe]
Adware:Adware/YazzleSudoku Not disinfected C:\WINDOWS\system32\GS_SilentSudokuInstaller.exe[GS_SudokuInstaller.exe][Sudoku.exe]
Spyware:Spyware/Smitfraud Not disinfected C:\WINDOWS\system32\oleext.dll
Spyware:Spyware/Smitfraud Not disinfected C:\WINDOWS\uninstDsk.exe

#5 lostneedhelp

lostneedhelp
  • Topic Starter

  • Members
  • 56 posts

Posted 01 June 2006 - 04:20 PM

HJT log


Logfile of HijackThis v1.99.1
Scan saved at 5:07:06 PM, on 6/1/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=8116
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - Default URLSearchHook is missing
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe" /startintray
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - HKCU\..\Run: [39221349.exe] C:\Documents and Settings\Stephanie Clark\Local Settings\Application Data\39221349.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136156960734
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://webcam.atomicmods.com//activex/AMC.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Webroot Spy Sweeper Engine (svcWRSSSDK) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\WRSSSDK.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



This is all I could get from the look.bat file. For some reason it wouldn't open. I would double-click the icon and it would flash a black window and that was it.
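An added triage helper, not part of this thread and not HijackThis' own code, that reads O4 Run entries in the shape of the log above and lists the ones a responder would open first. The sample lines are constructed to mirror the log's shape, and the heuristics (a value name that is all digits or starts with a digit, an executable launched from a profile's Local Settings folders, a bare filename that Windows resolves through the PATH search) are my assumptions about what gets checked first; a hit is a prompt to inspect the file, not a verdict.

```python
import re
from typing import Optional

# Constructed sample: O4 lines in the shape HijackThis 1.99.1 writes them.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [39221349.exe] C:\Documents and Settings\Stephanie Clark\Local Settings\Application Data\39221349.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
"""

# Matches "O4 - HKLM\..\Run: [value name] command line" (HKCU likewise).
O4_RE = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')

# Per-user scratch directories that installed software rarely launches from
# at logon (assumed heuristic: a hit means "look at this file", nothing more).
SUSPECT_DIRS = (
    "\\local settings\\application data\\",
    "\\local settings\\temp\\",
    "\\local settings\\temporary internet files\\",
)


def command_path(cmd: str) -> str:
    """Extract the executable path from a Run value's command line.

    Quoted paths are taken verbatim; otherwise the path runs up to the first
    executable extension, so unquoted paths with spaces still parse.
    """
    m = re.match(r'"([^"]+)"', cmd)
    if m:
        return m.group(1)
    m = re.match(r'(.+?\.(?:exe|dll|com|bat|scr|pif))(?:\s|$)', cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.strip()


def parse_o4(line: str) -> Optional[dict]:
    """Return hive/name/cmd/path for an O4 Run line, or None for any other line."""
    m = O4_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry['path'] = command_path(entry['cmd'])
    return entry


def suspicion_reasons(entry: dict) -> list:
    """Assumed heuristics; returns the list of reasons an entry deserves a look."""
    reasons = []
    name, low = entry['name'], entry['path'].lower()
    if re.fullmatch(r'\d+(\.exe)?', name, re.IGNORECASE):
        reasons.append('numeric-name')          # e.g. a random numeric dropper name
    elif name[0].isdigit():
        reasons.append('digit-leading-name')
    if any(d in low for d in SUSPECT_DIRS):
        reasons.append('profile-data-dir')      # launched from a per-user scratch dir
    if '\\' not in entry['path']:
        reasons.append('bare-filename')         # resolved via PATH search; confirm which file
    return reasons


def triage_o4(log_text: str) -> list:
    """Parse every O4 Run line and return only the flagged ones, in log order."""
    flagged = []
    for line in log_text.splitlines():
        entry = parse_o4(line)
        if entry is None:
            continue
        reasons = suspicion_reasons(entry)
        if reasons:
            flagged.append({'name': entry['name'], 'hive': entry['hive'],
                            'path': entry['path'], 'reasons': reasons})
    return flagged


if __name__ == '__main__':
    for hit in triage_o4(SAMPLE_LOG):
        print(f"{hit['hive']}\\..\\Run [{hit['name']}] {hit['path']}  <- {', '.join(hit['reasons'])}")
```

Run against the sample, the two entries the helper asked to fix come out flagged, and the vendor entry with a bare filename is listed as well so that the analyst can confirm which file actually runs; it is not claimed to be malicious.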

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 01 June 2006 - 05:02 PM

Hello,

This is already a lot better.
Not sure how you created the look.bat, but I guess you did something wrong there. You posted the source code of this page instead.

Anyway, no need to run look.bat again; I can already see the other user accounts present in your previous log, so I can get my info from there.

But first, you have to disable your Microsoft AntiSpyware and SpySweeper, because they will interfere with the next HijackThis fix.

Open Microsoft AntiSpyware.
Click on Tools, Settings.
In the left pane, click on Real-time Protection.
Under Startup Options uncheck: Enable the Microsoft AntiSpyware Security Agents on startup (recommended).
Under Real-time spyware threat protection uncheck: Enable real-time spyware threat protection (recommended).
After you uncheck these, click on the Save button and close Microsoft AntiSpyware.
Right click on the Microsoft AntiSpyware icon on the taskbar and select Shutdown Microsoft AntiSpyware.

Open SpySweeper and click Options | Program Options.
Uncheck Load at windows startup.
Shut down SpySweeper.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R3 - Default URLSearchHook is missing
O4 - HKCU\..\Run: [39221349.exe] C:\Documents and Settings\Stephanie Clark\Local Settings\Application Data\39221349.exe
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Using Windows Explorer, delete the following files (some may be hidden, but I already explained how to unhide them before):

C:\secure32.html
C:\WINDOWS\ss3unstl.exe
C:\WINDOWS\system32\GS_SilentSudokuInstaller.exe
C:\WINDOWS\system32\oleext.dll
C:\WINDOWS\uninstDsk.exe

Check whether the following files are still present and delete them as well:

C:\Documents and Settings\Stephanie Clark\Local Settings\Application Data\39221349.exe
C:\Documents and Settings\Steven Clark\Local Settings\Application Data\39221349.exe
C:\Documents and Settings\Mom\Local Settings\Application Data\39221349.exe

Perform the next step again (I asked you to perform it previously, but I guess you missed that part).
Also perform this for the Mom account and Steven's account:

* Clean your Cache and Cookies in IE:

  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.


Since the above infection comes with a rootkit in 80% of cases, I want you to perform the following as well.

* Download GMER from here:
http://www.gmer.net/gmer.zip

Unzip it and start GMER.exe.
Click the Rootkit tab and click Scan.

Once done, click the Copy button.
This will copy the results to clipboard.
Paste the results in your next reply together with a new HijackThis log.

Edited by miekiemoes, 01 June 2006 - 05:03 PM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
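As an added example, not part of miekiemoes' reply and not GMER's own code: a small parser that groups the SSDT and device-IRP hooks from a GMER 1.0.10 text report by the module that owns the hook address, and separates out hooks whose address GMER could not attribute to any module. The sample report is constructed to follow the shape of that version's output (the fused IRP_MJ_CLOSEIRP_MJ_READ token that this version prints is kept as one token). Which hooking modules are benign (a class driver, a security product's filter) and which are not remains the analyst's judgement; the grouping only makes the pattern visible, for instance one module hooking every IRP of every Tcpip device.

```python
import re

# Constructed sample in the shape of a GMER 1.0.10 text report (trimmed).
SAMPLE_GMER = r"""GMER 1.0.10.10111 - http://www.gmer.net
Rootkit 2006-06-03 17:14:53
Windows 5.1.2600 Service Pack 1

---- System - GMER 1.0.10 ----

SSDT SSI.SYS ZwCreateKey
SSDT SSI.SYS ZwCreateProcess
SSDT SSI.SYS ZwSetValueKey

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F849A20C] SSI.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000001 IRP_MJ_CREATE [F86E776A] HIDCLASS.SYS
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE E1BCC008
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN [F8A3E661] prosync1.sys
"""

# "SSDT <module> <Zw function>"
SSDT_RE = re.compile(r'^SSDT (?P<module>\S+) (?P<func>\S+)$')
# "Device <driver> <device> <IRP_MJ_x> [addr] <module>"  or  "... <IRP_MJ_x> addr"
# The second form is the one without an owning module (nothing after the address).
DEVICE_RE = re.compile(
    r'^Device (?P<driver>\S+) (?P<device>\S+) (?P<irp>IRP_MJ_\S+) '
    r'(?:\[(?P<addr>[0-9A-Fa-f]+)\] (?P<module>\S+)|(?P<bare>[0-9A-Fa-f]+))$')
NO_MODULE = '<no module>'


def parse_gmer(log_text: str) -> list:
    """Turn SSDT and Device lines into flat records; other lines are ignored."""
    records = []
    for line in log_text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            records.append({'kind': 'ssdt', 'module': m['module'], 'func': m['func']})
            continue
        m = DEVICE_RE.match(line)
        if m:
            records.append({'kind': 'irp', 'module': m['module'] or NO_MODULE,
                            'driver': m['driver'], 'device': m['device'],
                            'irp': m['irp'], 'addr': m['addr'] or m['bare']})
    return records


def summarize_hooks(log_text: str) -> dict:
    """Group hooks by owning module: SSDT functions, IRP hook count, drivers, devices."""
    summary = {}
    for r in parse_gmer(log_text):
        s = summary.setdefault(r['module'],
                               {'ssdt': [], 'irp_count': 0, 'drivers': set(), 'devices': set()})
        if r['kind'] == 'ssdt':
            s['ssdt'].append(r['func'])
        else:
            s['irp_count'] += 1
            s['drivers'].add(r['driver'])
            s['devices'].add(r['device'])
    return summary


def unattributed_hooks(log_text: str) -> list:
    """IRP hooks whose target address GMER could not map to any loaded module."""
    return [r for r in parse_gmer(log_text) if r['kind'] == 'irp' and r['module'] == NO_MODULE]


if __name__ == '__main__':
    for module, s in summarize_hooks(SAMPLE_GMER).items():
        print(f"{module}: {len(s['ssdt'])} SSDT hooks, {s['irp_count']} IRP hooks "
              f"on {sorted(s['drivers'])}")
    for r in unattributed_hooks(SAMPLE_GMER):
        print(f"unattributed: {r['driver']} {r['device']} {r['irp']} at {r['addr']}")
```

The summary is what a responder reads first: a module that both patches the SSDT (ZwCreateKey, ZwCreateProcess, ZwSetValueKey) and hooks every Tcpip device is doing far more than a filter driver needs, while a hook at a bare address with no module name is a target to pull up by address in the next scan.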

#7 lostneedhelp

lostneedhelp
  • Topic Starter

  • Members
  • 56 posts

Posted 03 June 2006 - 04:47 PM

GMER 1.0.10.10111 - http://www.gmer.net
Rootkit 2006-06-03 17:14:53
Windows 5.1.2600 Service Pack 1


---- System - GMER 1.0.10 ----

SSDT SSI.SYS ZwCreateKey
SSDT SSI.SYS ZwCreateProcess
SSDT SSI.SYS ZwCreateProcessEx
SSDT SSI.SYS ZwDeleteKey
SSDT SSI.SYS ZwDeleteValueKey
SSDT SSI.SYS ZwRenameKey
SSDT SSI.SYS ZwSetInformationKey
SSDT SSI.SYS ZwSetValueKey

---- Devices - GMER 1.0.10 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSEIRP_MJ_READ [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP_POWER [F849A20C] SSI.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000001 IRP_MJ_CREATE [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000001 IRP_MJ_CLOSEIRP_MJ_READ [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000001 IRP_MJ_WRITE [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000001 IRP_MJ_QUERY_INFORMATION [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000001 IRP_MJ_INTERNAL_DEVICE_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000001 IRP_MJ_SHUTDOWN [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000001 IRP_MJ_SYSTEM_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000001 IRP_MJ_DEVICE_CHANGE [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000001 IRP_MJ_PNP_POWER [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000002 IRP_MJ_CREATE [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000002 IRP_MJ_CLOSEIRP_MJ_READ [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000002 IRP_MJ_WRITE [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000002 IRP_MJ_QUERY_INFORMATION [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000002 IRP_MJ_INTERNAL_DEVICE_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000002 IRP_MJ_SHUTDOWN [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000002 IRP_MJ_SYSTEM_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000002 IRP_MJ_DEVICE_CHANGE [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000002 IRP_MJ_PNP_POWER [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000003 IRP_MJ_CREATE [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000003 IRP_MJ_CLOSEIRP_MJ_READ [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000003 IRP_MJ_WRITE [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000003 IRP_MJ_QUERY_INFORMATION [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000003 IRP_MJ_INTERNAL_DEVICE_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000003 IRP_MJ_SHUTDOWN [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000003 IRP_MJ_SYSTEM_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000003 IRP_MJ_DEVICE_CHANGE [F86E776A] HIDCLASS.SYS
Device \Driver\HidIr \Device\_HID00000004#COLLECTION00000003 IRP_MJ_PNP_POWER [F86E776A] HIDCLASS.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSEIRP_MJ_READ [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP_POWER [F849A20C] SSI.SYS
Device \Driver\prodrv06 \Device\ProDrv06 IRP_MJ_CREATE E1BCC008
Device \Driver\HidUsb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_CREATE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_CLOSEIRP_MJ_READ [F86E776A] HIDCLASS.SYS


Device \Driver\HidUsb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_WRITE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_QUERY_INFORMATION [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_INTERNAL_DEVICE_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_SHUTDOWN [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_SYSTEM_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_DEVICE_CHANGE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000000#COLLECTION00000001 IRP_MJ_PNP_POWER [F86E776A] HIDCLASS.SYS
Device \Driver\atapi \Device\Ide\IdePort0 IRP_MJ_SHUTDOWN [F8A3E661] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 IRP_MJ_SHUTDOWN [F8A3E661] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort1 IRP_MJ_SHUTDOWN [F8A3E661] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort2 IRP_MJ_SHUTDOWN [F8A3E661] prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort3 IRP_MJ_SHUTDOWN [F8A3E661] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-1b IRP_MJ_SHUTDOWN [F8A3E661] prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-13 IRP_MJ_SHUTDOWN [F8A3E661] prosync1.sys
Device \Driver\prohlp02 \Device\ProHlp02 IRP_MJ_CREATE E143D830
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSEIRP_MJ_READ [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP_POWER [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSEIRP_MJ_READ [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP_POWER [F849A20C] SSI.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000001 IRP_MJ_CREATE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000001 IRP_MJ_CLOSEIRP_MJ_READ [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000001 IRP_MJ_WRITE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000001 IRP_MJ_QUERY_INFORMATION [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000001 IRP_MJ_INTERNAL_DEVICE_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000001 IRP_MJ_SHUTDOWN [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000001 IRP_MJ_SYSTEM_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000001 IRP_MJ_DEVICE_CHANGE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000001 IRP_MJ_PNP_POWER [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000002 IRP_MJ_CREATE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000002 IRP_MJ_CLOSEIRP_MJ_READ [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000002 IRP_MJ_WRITE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000002 IRP_MJ_QUERY_INFORMATION [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000002 IRP_MJ_INTERNAL_DEVICE_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000002 IRP_MJ_SHUTDOWN [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000002 IRP_MJ_SYSTEM_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000002 IRP_MJ_DEVICE_CHANGE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000002 IRP_MJ_PNP_POWER [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000003 IRP_MJ_CREATE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000003 IRP_MJ_CLOSEIRP_MJ_READ [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000003 IRP_MJ_WRITE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000003 IRP_MJ_QUERY_INFORMATION [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000003 IRP_MJ_INTERNAL_DEVICE_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000003 IRP_MJ_SHUTDOWN [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000003 IRP_MJ_SYSTEM_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000003 IRP_MJ_DEVICE_CHANGE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000003#COLLECTION00000003 IRP_MJ_PNP_POWER [F86E776A] HIDCLASS.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSEIRP_MJ_READ [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP [F849A20C] SSI.SYS
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP_POWER [F849A20C] SSI.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000001 IRP_MJ_CREATE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000001 IRP_MJ_CLOSEIRP_MJ_READ [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000001 IRP_MJ_WRITE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000001 IRP_MJ_QUERY_INFORMATION [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000001 IRP_MJ_INTERNAL_DEVICE_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000001 IRP_MJ_SHUTDOWN [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000001 IRP_MJ_SYSTEM_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000001 IRP_MJ_DEVICE_CHANGE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000001 IRP_MJ_PNP_POWER [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000002 IRP_MJ_CREATE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000002 IRP_MJ_CLOSEIRP_MJ_READ [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000002 IRP_MJ_WRITE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000002 IRP_MJ_QUERY_INFORMATION [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000002 IRP_MJ_INTERNAL_DEVICE_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000002 IRP_MJ_SHUTDOWN [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000002 IRP_MJ_SYSTEM_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000002 IRP_MJ_DEVICE_CHANGE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000002 IRP_MJ_PNP_POWER [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000003 IRP_MJ_CREATE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000003 IRP_MJ_CLOSEIRP_MJ_READ [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000003 IRP_MJ_WRITE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000003 IRP_MJ_QUERY_INFORMATION [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000003 IRP_MJ_INTERNAL_DEVICE_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000003 IRP_MJ_SHUTDOWN [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000003 IRP_MJ_SYSTEM_CONTROL [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000003 IRP_MJ_DEVICE_CHANGE [F86E776A] HIDCLASS.SYS
Device \Driver\HidUsb \Device\_HID00000001#COLLECTION00000003 IRP_MJ_PNP_POWER [F86E776A] HIDCLASS.SYS

---- Files - GMER 1.0.10 ----

File C:\Documents and Settings\Steven Clark\Application Data\acccore
File C:\Documents and Settings\Steven Clark\Application Data\acccore\caches
File C:\Documents and Settings\Steven Clark\Application Data\acccore\caches\bart
File C:\Documents and Settings\Steven Clark\Application Data\acccore\caches\bart\0
File C:\Documents and Settings\Steven Clark\Application Data\acccore\caches\bart\0\0201D20472
File C:\Documents and Settings\Steven Clark\Application Data\acccore\caches\bart\0\0201D205A1
File C:\Documents and Settings\Steven Clark\Application Data\acccore\caches\bart\0\0201D213A6
File C:\Documents and Settings\Steven Clark\Application Data\acccore\caches\bart\0\0201D22EBA
File C:\Documents and Settings\Steven Clark\Application Data\acccore\caches\bart\0\0201D233DE
File C:\Documents and Settings\Steven Clark\Application Data\acccore\caches\bart\0\0201D2836C
File C:\Documents and Settings\Steven Clark\Application Data\acccore\caches\bart\0\0201D28377
File C:\Documents and Settings\Steven Clark\Application Data\acccore\caches\bart\0\0201D29829

#8 lostneedhelp

lostneedhelp
  • Topic Starter

  • Members
  • 56 posts

Posted 03 June 2006 - 04:54 PM

File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\Prefs\FE7DT3WU\rd-ht-racer-53-talladega-devversion-keys.txt
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\Prefs\FE7DT3WU\rd-ht-racer-53-talladega-devversion-options.txt
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\Prefs\FE7DT3WU\rd_snowfight_keys.txt
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\Prefs\FE7DT3WU\rd_snowfight_settings.txt
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\Prefs\FE7DT3WU\_RD_.txt
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\Prefs\FE7DT3WU\_RD_Global.txt
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\Prefs\FE7DT3WU\_RD_sbwaterslide-miniclip.txt
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\Shockwave Log
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\AndradeArts
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\AndradeArts\Enhancer
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\AndradeArts\Enhancer\Enhancer.x32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\DirectSound
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\DirectSound\DirectSound.x32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\FlashAsset
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\FlashAsset\Flash Asset.x32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\FontAsset
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\FontAsset\Font Asset.x32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\FontXtra
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\FontXtra\Font Xtra.x32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\Macromixw32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\Macromixw32\Macromix.x32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\MixServices
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\MixServices\Mix Services.x32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\Shockwave3dAsset
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\Shockwave3dAsset\Shockwave 3d Asset.x32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\SoundControl
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\SoundControl\Sound Control.x32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\SWA
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\SWA\swadcmpr.x32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\SWA\SWASTRM.X32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\TextAsset
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\TextAsset\Text Asset.x32
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\TextXtra
File C:\Documents and Settings\Steven Clark\Application Data\Macromedia\Shockwave Player\xtras\download\MacromediaInc\TextXtra\TextXtra.x32
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\AddIns
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\classes.dat
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\CLR Security Config
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\CLR Security Config\v1.0.3705
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\CLR Security Config\v1.0.3705\security.config
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\CLR Security Config\v1.0.3705\security.config.cch
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\CLR Security Config\v1.0.3705\security.config.old
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\CLR Security Config\v1.1.4322
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\CLR Security Config\v1.1.4322\security.config.cch
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Credentials
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Credentials\S-1-5-21-2104042533-4072868247-2345049254-1009
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Credentials\S-1-5-21-2662171276-3991984352-3621791064-500
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Crypto
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Crypto\RSA
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2104042533-4072868247-2345049254-1009
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2104042533-4072868247-2345049254-1009\a50ed73d8f1ab0205e3b589ffbbd79e7_61e58a6f-e9b9-44ed-8667-44c3cf247b35
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2662171276-3991984352-3621791064-500
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Crypto\RSA\S-1-5-21-2662171276-3991984352-3621791064-500\a18ca4003deb042bbee7a40f15e1970b_b436451d-de57-46d2-9648-7f022faa479a
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\dcom_19.dll
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\eHome
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\eHome\ehshell.config
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Excel
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Excel\XLSTART
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\FrontPage
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\FrontPage\CSS
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\FrontPage\Frames
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\FrontPage\Pages
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\FrontPage\State
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\FrontPage\State\CmdUI.PRF
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\HTML Help
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\HTML Help\hh.dat
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{0A28C610-EE06-4A33-BB56-A2155B524916}
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{0A28C610-EE06-4A33-BB56-A2155B524916}\ARPPRODUCTICON.exe
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}\ICO_ZoneDeluxeGamesManager.ico
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}\ICO__Collapse_Deluxe.exe
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}\ICO__Cubis_Deluxe.exe
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}\ICO__Mah_Jong_Tiles_Deluxe.exe
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}\ICO__TextTwist_Deluxe.exe
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{66C018BD-6F16-4B32-B4CD-1DC1B21FBDFF}\ICO__Word_MoJo_Deluxe.exe
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut1.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut10.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut11.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut12.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut13.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut14.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut15.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut17.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut18.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut2.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut3.9204FDFA_6A8F_4BA0_9920_24E55B5031C8.ico
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut3_1.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut4.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut5.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut6.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut8.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\NewShortcut9.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\SetupProgFiles_CHT.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\SetupShortcut_DA.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\SetupShortcut_DE.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{745A92AF-53B4-41A7-91C3-9B026B1D5897}\SetupShortcut_JA.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut1.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut10.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut11.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut12.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut13.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut14.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut15.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut17.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut18.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut2.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut3.9204FDFA_6A8F_4BA0_9920_24E55B5031C8.ico
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut3_1.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut4.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut5.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut6.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut8.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\NewShortcut9.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\SetupProgFiles_CHT.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\SetupShortcut_DA.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\SetupShortcut_DE.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Installer\{BCC992E5-5C81-4066-9B55-03DC10B24D21}\SetupShortcut_JA.9204FDFA_6A8F_4BA0_9920_24E55B5031C8
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\brndlog.bak
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\brndlog.txt
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\Desktop.htt
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\Internet Explorer Wallpaper.bmp
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\Quick Launch
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\Quick Launch\America Online 9.0.lnk
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\Quick Launch\desktop.ini
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\Quick Launch\Launch Internet Explorer Browser.lnk
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\Quick Launch\MUSICMATCH Jukebox.lnk
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\Quick Launch\QuickTime Player.lnk
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\Quick Launch\RealOne Player.lnk
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\Quick Launch\Show Desktop.scf
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Internet Explorer\Quick Launch\Windows Media Player.lnk
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Media Catalog
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Media Catalog\artgal50.mmc
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Media Player
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Media Player\01469A3A.wpl
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Media Player\01686C5F.wpl
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Media Player\Skins
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\MMC
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office\Access.pip
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office\Excel.pip
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office\FP.pip
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office\MSO1033.acl
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office\MSOut11.pip
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office\MSOutlo.pip
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office\OIS11.pip
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office\PowerP11.pip
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office\PowerPoi.pip
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office\Recent
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office\Word.pip
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Office\Word11.pip
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\OIS
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\OIS\Toolbars.dat
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Outlook
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Outlook\extend.dat
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Outlook\Microsoft Outlook Internet Settings.FAV
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Outlook\Microsoft Outlook Internet Settings.srs
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\PowerPoint
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\PowerPoint\PPT.pcb
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Proof
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Proof\CUSTOM.DIC
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Proof\custom.dicProof
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Protect
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Protect\CREDHIST
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Protect\S-1-5-21-2104042533-4072868247-2345049254-1009
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Protect\S-1-5-21-2104042533-4072868247-2345049254-1009\e900e587-4b21-42d7-8c8b-a57d22b0d1a3
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Protect\S-1-5-21-2104042533-4072868247-2345049254-1009\Preferred
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Protect\S-1-5-21-2662171276-3991984352-3621791064-500
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Protect\S-1-5-21-2662171276-3991984352-3621791064-500\c328988d-ca16-44c1-98fb-b3ddc91f9f00
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Protect\S-1-5-21-2662171276-3991984352-3621791064-500\Preferred
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\SystemCertificates
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\SystemCertificates\My
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\SystemCertificates\My\Certificates
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\SystemCertificates\My\CRLs
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\SystemCertificates\My\CTLs
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Templates
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Templates\Normal.dot
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Windows
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Windows\Themes
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Windows\Themes\Custom.theme
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Word
File C:\Documents and Settings\Steven Clark\Application Data\Microsoft\Word\STARTUP
File C:\Documents and Settings\Steven Clark\Application Data\Otto
File C:\Documents and Settings\Steven Clark\Application Data\Otto\config.set
File C:\Documents and Settings\Steven Clark\Application Data\Real
File C:\Documents and Settings\Steven Clark\Application Data\Real\Msg
File C:\Documents and Settings\Steven Clark\Application Data\Real\Msg\Category.dat
File C:\Documents and Settings\Steven Clark\Application Data\Real\Msg\SCategory.dat
File C:\Documents and Settings\Steven Clark\Application Data\Real\RealMediaSDK
File C:\Documents and Settings\Steven Clark\Application Data\Real\RealMediaSDK\c0a80100.txt
File C:\Documents and Settings\Steven Clark\Application Data\Real\RealMediaSDK\cookies.txt
File C:\Documents and Settings\Steven Clark\Application Data\Real\RealOne Player
File C:\Documents and Settings\Steven Clark\Application Data\Real\RealOne Player\Favorites
File C:\Documents and Settings\Steven Clark\Application Data\Real\RealOne Player\Favorites\Audio
File C:\Documents and Settings\Steven Clark\Application Data\Real\RealOne Player\Favorites\Radio
File C:\Documents and Settings\Steven Clark\Application Data\Real\RealOne Player\Favorites\Streaming Clips

#9 lostneedhelp
  • Topic Starter
  • Members
  • 56 posts

Posted 03 June 2006 - 04:55 PM

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 5:52:09 PM, on 6/3/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\39221349.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Real\RealOne Player\RealPlay.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=8116
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136156960734
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://webcam.atomicmods.com//activex/AMC.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 04 June 2006 - 02:37 AM

Hi, you didn't post the complete log from GMER. Look where it cut off in the previous log and paste the rest from there.
It's a good idea to rescan again with GMER and paste the results in notepad first.

Also, end the following process via Task Manager:
39221349.exe

Then delete the file C:\WINDOWS\System32\39221349.exe

If the GMER log is too big, zip the log (right-click on the log and choose Send To > Compressed (zipped) Folder). Please email the zip to:

miekiemoesATmalware-research.co.uk

Remember to replace the AT in the above line with an @.
(the reason to not post a complete valid e-mail address in a post is so spammers can't harvest the addresses)

Edited by miekiemoes, 04 June 2006 - 02:40 AM.

AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#11 lostneedhelp
  • Topic Starter
  • Members
  • 56 posts

Posted 06 June 2006 - 01:22 PM

New HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 2:19:41 PM, on 6/6/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=8116
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn6\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2005\pccguide.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1143062618\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe" -quiet
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSub.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1136156960734
O16 - DPF: {745395C8-D0E1-4227-8586-624CA9A10A8D} (AxisMediaControl Class) - http://webcam.atomicmods.com//activex/AMC.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
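
The logs in posts #9 and #11 differ in exactly the places the helper acted on: the 39221349.exe process is gone, and the WRNotifier entry now points at a missing DLL. The following is an added example, not code from the thread or from HijackThis: a small parser for the HijackThis v1.99.1 log format, a diff of two logs, and two triage heuristics (digits-only executable name, "(file missing)" reference) drawn from this thread. The embedded logs are constructed, abbreviated excerpts of the two logs above.

```python
# Added example (not HijackThis code): parse HJT v1.99.1 logs and diff two of
# them. Both embedded logs are constructed, abbreviated excerpts of posts #9/#11.
from __future__ import annotations

import re
from dataclasses import dataclass

# Section lines: "O4 - HKLM\..\Run: [name] path", "O23 - Service: name - vendor - path".
ENTRY_RE = re.compile(r"^([RFO]\d+)\s+-\s+(.*)$")
# File-name stem of an .exe in a path, whether quoted, bracketed or followed by args.
EXE_RE = re.compile(r'([^\\\s"\[]+)\.exe\b', re.IGNORECASE)


@dataclass(frozen=True)
class Entry:
    code: str  # "O4", "O23", ... or "PROC" for a running-process line
    text: str  # remainder of the line, verbatim


def parse_hjt(log: str) -> list[Entry]:
    """One HijackThis log -> list of entries; header lines are dropped."""
    entries: list[Entry] = []
    in_processes = False
    for raw in log.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process section
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            entries.append(Entry("PROC", line))
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def diff_logs(old: str, new: str) -> tuple[list[Entry], list[Entry]]:
    """Return (removed, added) entries between two logs, in log order."""
    old_entries, new_entries = parse_hjt(old), parse_hjt(new)
    old_set, new_set = set(old_entries), set(new_entries)
    removed = [e for e in old_entries if e not in new_set]
    added = [e for e in new_entries if e not in old_set]
    return removed, added


def flag_entries(entries: list[Entry]) -> list[tuple[Entry, str]]:
    """Triage heuristics taken from this thread; every hit still needs a human look."""
    flags = []
    for e in entries:
        m = EXE_RE.search(e.text)
        if m and m.group(1).isdigit():
            # post #9: 39221349.exe; a digits-only name is unusual for a legitimate binary
            flags.append((e, "numeric-only executable name"))
        if "(file missing)" in e.text:
            # post #11: WRNotifier hook left behind after its DLL was removed
            flags.append((e, "autostart/hook entry refers to a missing file"))
    return flags


LOG_BEFORE = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\39221349.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

LOG_AFTER = r"""Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
"""

if __name__ == "__main__":
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("removed:", *[e.text for e in removed], sep="\n  ")
    print("added:", *[e.text for e in added], sep="\n  ")
```

Run against the full logs from posts #9 and #11, the diff shows the same two changes, and the flags point at the entries a helper would look at first.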

#12 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 June 2006 - 01:31 PM

Hello,

Your HijackThis log looks clean again.
Please update your Sun Java:
Updating Java:
  • Go to Start > Control Panel, double-click on the Software icon > Add/Remove Programs.
  • Search in the list for all previously installed versions of Java (J2SE Runtime Environment.... ).
    It should have the following icon next to it: [image]
    Select it and click Remove.
  • Then download and install the newest version from here: http://www.java.com/en/download/manual.jsp
You didn't send me the GMER log, so can you please send it to me as I already asked in your previous post:

If the GMER log is too big, zip the log (right-click on the log and choose Send To > Compressed (zipped) Folder). Please email the zip to:

miekiemoesATmalware-research.co.uk

Remember to replace the AT in the above line with an @.
(the reason to not post a complete valid e-mail address in a post is so spammers can't harvest the addresses)


Let me know in your next reply how things are running now. :thumbsup:

#13 lostneedhelp
  • Topic Starter
  • Members
  • 56 posts

Posted 07 June 2006 - 05:19 PM

OK, everything is working fine. I have one question. Are the other two users on my computer also clean of the virus?

#14 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 07 June 2006 - 05:27 PM

The log looked OK.

Yes, the other users should also be clean, because after all, it's all the same Windows and system32 folder :thumbsup:

And scanners scan all profiles/users.

Glad I could help. :flowers:

To keep this clean in the future, I would suggest the following things:

Install Spywareblaster
SpywareBlaster doesn't scan and clean for so-called spyware, but prevents it from being installed in the first place. It blocks the popular spyware ActiveX controls, and also prevents the installation of any of them via a webpage.

* Avoid illegal sites, because that's where most malware is present.
* Don't click on links inside popups.
* Don't click on links in spam messages claiming to offer anti-spyware software, because most of these so-called removers ARE spyware.
* Download free software only from sites you know and trust, because a lot of free software can bundle other software, including spyware.

Let your antispyware scanner(s) scan frequently, and don't forget to update first.

And I do suggest you perform an online virus scan once in a while (Housecall and/or Bitdefender), because what one virus scanner can't find, another one maybe can.
Also make sure that your virus scanner, the one that is installed on your system, is always up to date!

Make sure your Windows has the latest updates, so visit ASAP: http://windowsupdate.microsoft.com/ to update to SP2

If you have XP SP2, read here how to configure Security Features for Internet Explorer:
http://www.microsoft.com/technet/security/...xp/iesecxp.mspx

Also visit this Free Online Scanner for PC Health and Safety and Microsoft Security At Home for tips to Protect your Pc, Protect yourself and Protect your Family.

More info on how to prevent malware can also be found here (by Tony Klein)
and here: http://wiki.castlecops.com/Malware_Prevent...nt_Re-infection

If you want to fight back the Malware Writers that have made your life a misery, please take a look here.

Happy surfing again! :huh:

#15 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 09 June 2006 - 12:43 AM

Since this issue appears resolved ... this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.