
Mucho Spy/mal/ad Infection.


  • This topic is locked
18 replies to this topic

#1 ibemasterlee

  • Members
  • 10 posts

Posted 05 November 2006 - 02:42 PM

I've got everything, from spamming pop-ups, talking pop-ups, and desktop downloaders. I noticed my internet is way slower after being infected and getting around on my computer (desktop, system folders, etc) is more clunky and sometimes even freezes. I've run spybot and adaware several times but I noticed the same ones always appear, particularly Command Service. Anyways, here's my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:30:08 AM, on 11/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\WUogTGVl\command.exe
C:\WINDOWS\scvhost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\xload.exe
C:\Program Files\Common Files\{24C1D88C-0898-1033-0728-040406220001}\Update.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Documents and Settings\YJ Lee\My Documents\Unzipped\anti-adware and spyware\hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [WinMedia] "C:\DOCUME~1\YJLEE~1\LOCALS~1\Temp\843584.exe "
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - Startup: Drempels Desktop.lnk = C:\WINDOWS\drempels.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netmarble.com/web/nmstarter/NMStarter23.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\YJLEE~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\WUogTGVl\command.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

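Added example, not part of the original thread: a small Python triage of a HijackThis log that mechanises what a helper checks by eye in the log above. It flags process and service names one edit away from a core Windows binary (C:\WINDOWS\scvhost.exe against svchost.exe), services with "Unknown owner" whose image sits outside system32 or Program Files (cmdService), a service registered under the name of a system component (lsass) but pointing somewhere else, Run keys launching from Temp, and Trusted Zone additions; it also notes when a log has no O2 or O20 lines at all. The rule names, severities and the base64 check on folder names are this example's own conventions. The check exists because the folder WUogTGVl in the log is valid base64 and decodes to YJ Lee, the account name that appears elsewhere in the same log. The sample lines are copied from the first log; the same triage() runs on any saved HijackThis log.

```python
"""Triage a HijackThis 1.99 log for the indicators a helper looks for by eye.
Added example, not from the original thread; the rule names, severities and
the base64 folder-name check are this example's own conventions."""
import base64
import re
from typing import Dict, List, Tuple
Finding = Tuple[str, str, str]  # (severity, rule, evidence)
CORE_BINARIES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                 "svchost.exe", "spoolsv.exe"}  # names malware imitates; genuine copies live in system32
SERVICE_RE = re.compile(r"O23 - Service: (?P<disp>.+?)(?: \((?P<short>[^)]+)\))?"
                        r" - (?P<owner>.+?) - (?P<path>.+)")
RUN_RE = re.compile(r'O4 - .*?: .*?("([^"]+)"|([A-Za-z]:\\.+?\.exe))', re.I)
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\WUogTGVl\command.exe
C:\WINDOWS\scvhost.exe

O4 - HKCU\..\Run: [WinMedia] "C:\DOCUME~1\YJLEE~1\LOCALS~1\Temp\843584.exe "
O15 - Trusted Zone: *.sxload.com
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\WUogTGVl\command.exe
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
"""  # constructed sample: lines copied from the first log posted in this thread

def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts a swapped adjacent pair as one edit ('scvhost' vs 'svchost')."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def decode_if_base64_name(name: str) -> str:
    """Decoded text when a folder name is valid base64 for printable ASCII, else ''."""
    if len(name) % 4 or not re.fullmatch(r"[A-Za-z0-9+/]{8,}={0,2}", name):
        return ""
    try:
        text = base64.b64decode(name, validate=True).decode("ascii")
    except ValueError:  # binascii.Error and UnicodeDecodeError both subclass it
        return ""
    return text if text.isprintable() else ""

def parse_log(text: str) -> Dict[str, List[str]]:
    # Split a log into the running-process list and the O-section lines.
    procs, entries, in_procs = [], [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if re.match(r"O\d+ - ", line):
            entries.append(line)
        elif in_procs and line:
            procs.append(line)
        else:  # a blank line or any header ends the process block
            in_procs = line.lower().startswith("running processes")
    return {"processes": procs, "entries": entries}

def check_image(path: str, where: str) -> List[Finding]:
    # Rules for any image path, whether from the process list, a Run key or a service.
    out: List[Finding] = []
    clean = path.strip().strip('"').strip()
    parts = clean.split("\\")
    name, folder = parts[-1].lower(), (parts[-2] if len(parts) > 1 else "")
    for real in CORE_BINARIES:
        if name != real and osa_distance(name, real) == 1:
            out.append(("high", "lookalike-name", f"{where}: {clean} resembles {real}"))
    decoded = decode_if_base64_name(folder)
    if decoded:
        out.append(("medium", "encoded-folder-name", f"{where}: {folder!r} decodes to {decoded!r}"))
    if "\\temp\\" in clean.lower():
        out.append(("high", "image-in-temp", f"{where}: {clean}"))
    return out

def triage(log_text: str) -> List[Finding]:
    """Run every rule over a log and return findings, most severe first."""
    parsed = parse_log(log_text)
    findings: List[Finding] = []
    for proc in parsed["processes"]:
        findings += check_image(proc, "process")
    for line in parsed["entries"]:
        tag, where = line.split(" ", 1)[0], line.split(": ", 1)[0]
        if tag == "O4" and (m := RUN_RE.match(line)):
            findings += check_image(m.group(2) or m.group(3), where)
        elif tag == "O15":
            findings.append(("medium", "trusted-zone-added", line))
        elif tag == "O23" and (m := SERVICE_RE.match(line)):
            path = m.group("path").strip().strip('"')
            findings += check_image(path, f"service {m.group('disp')}")
            if m.group("owner") == "Unknown owner" and not re.match(
                    r"c:\\(windows\\system32|program files)\\", path.lower()):
                findings.append(("high", "unowned-service-odd-path", line))
            if (m.group("short") or "").lower() + ".exe" in CORE_BINARIES:
                findings.append(("high", "service-mimics-system-name", line))
    if not any(e.startswith(("O2 ", "O20 ")) for e in parsed["entries"]):
        findings.append(("info", "no-O2-or-O20-entries", "no BHO or Winlogon Notify lines at all; re-run HijackThis under another file name"))
    return sorted(findings, key=lambda f: ("high", "medium", "info").index(f[0]))
```

Treat the output as a worklist rather than a verdict: an entry such as C:\WINDOWS\xload.exe passes every rule here and still deserves a look because it has no vendor and sits directly in %SystemRoot%, which is exactly the kind of judgement the helper applies by hand.
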
#2 -David-

  • Members
  • 10,603 posts
  • Location:London

Posted 05 November 2006 - 05:40 PM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is strange that there are no O2's or O20's in the log.
A new infection is hiding these entries from a Hijackthis scan.
This means certain infections cannot be seen and are therefore hidden to the helper.
Go to this folder where Hijackthis is kept and rename the hijackthis application to "showme".
This can be done by right clicking on the program and clicking "rename".
Press enter, then open "showme.exe" by double clicking.
Post a new Hijackthis log from the newly named application.

Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new hijackthislog.

David

#3 ibemasterlee

  • Topic Starter
  • Members
  • 10 posts

Posted 05 November 2006 - 06:17 PM

Yo David, thanks for helping me out. I really appreciate it! Here're the logs, in the order that you asked.

888Bar
Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Alcohol 120% (Trial Version)
AOL Instant Messenger
Ares 1.8.1
ATI Catalyst Control Center
ATI Display Driver
Azureus
Battlefield 2™
Battlefield 2142 Demo
BSPlayer
Clubbox 파일전송관리자 (Clubbox File Transfer Manager)
Combined Community Codec Pack 2005-11-17 (Remove Only)
DAEMON Tools
DHzer0point Catalyst 0.63
Direct Show Ogg Vorbis Filter (remove only)
Drempels (remove only)
ffdshow (remove only)
FHMcom_OxleyStrip Screen Saver
HijackThis 1.99.1
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 2
J2SE Runtime Environment 5.0 Update 5
J2SE Runtime Environment 5.0 Update 6
J2SE Runtime Environment 5.0 Update 9
Lexmark Z600 Series
Linksys EasyLink Advisor 1.5 (1010)
MAIET Gunz
Matrix-ks
Matroska Pack - Lazy Man's MKV 0.9.6
MediaMonkey 2.4
media-motor.net
MediaTickets by OIN
Microsoft .NET Framework 1.1
Microsoft Office PowerPoint Viewer 2003
mIRC
MSI Live Update 3
Nero - Burning Rom
Oblivion
Oblivion - BTmod 2.20
onefineday01
onefineday02
Picasa 2
PowerDVD
PowerISO
QuickTime
RealPlayer Basic
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB912919)
Sonique
Spybot - Search & Destroy 1.4
Steam
TeamSpeak 2 RC2
Trend Micro Internet Security
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB910437)
uskyonline.com
Viewpoint Media Player
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
WordPerfect Office 12
Xfire (remove only)



YJ Lee - 06-11-05 15:07:03.79 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\YJ Lee\Desktop"

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{78C92372-AFF2-4F33-B515-DD60FADDEE18}]
@=""

[HKEY_CLASSES_ROOT\clsid\{78C92372-AFF2-4F33-B515-DD60FADDEE18}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{78C92372-AFF2-4F33-B515-DD60FADDEE18}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{78C92372-AFF2-4F33-B515-DD60FADDEE18}\InprocServer32]
@="C:\\WINDOWS\\system32\\jqsh400.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\enjol1131.dll
C:\WINDOWS\system32\gpr2l39o1.dll
C:\WINDOWS\system32\jqsh400.dll
C:\WINDOWS\system32\jtjm0711e.dll
C:\WINDOWS\system32\jtp4077qe.dll
C:\WINDOWS\system32\r6r60g9se6.dll
C:\WINDOWS\system32\rtmps.dll


Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\YJ Lee\Application Data\Dxcknwrd.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\offun.exe
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\system32\wnsintsv.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\All Users\Documents\Settings
C:\Program Files\batty2
C:\Program Files\cmfibula
C:\Program Files\Deskbar
C:\Program Files\network monitor
C:\Program Files\Common Files\{34C1D88C-0898-1033-0728-040406220001}
C:\Program Files\Common Files\{24C1D88C-0898-1033-0728-040406220001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SMANTE~1
C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SMANTE~1\SMANTE~1
C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SMANTE~1\spool32.exe
C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SMANTE~1\SMANTE~1\ctxad-499.0000
C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SMANTE~1\SMANTE~1\ctxad-499.0001
C:\QooBox\Purity\Documents and Settings\YJ Lee\My Documents\CURITY~1
C:\QooBox\Purity\Documents and Settings\YJ Lee\My Documents\FNTS~1
C:\QooBox\Purity\Documents and Settings\YJ Lee\My Documents\ICROSO~1
C:\QooBox\Purity\Documents and Settings\YJ Lee\My Documents\STEM~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\SSTEM3~1
C:\QooBox\Purity\Program Files\Common Files\SSTEM3~1\r?ndll.exe
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\system32\PPATCH~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-05 to 2006-11-05 ))))))))))))))))))))))))))))))))))


2006-11-05 11:52 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-05 11:28 60,436 --a------ C:\WINDOWS\system32\xuoscydj.dll
2006-11-04 22:48 50,912 --a------ C:\WINDOWS\iconu.exe
2006-11-04 12:04 131,072 --a------ C:\WINDOWS\system32\cruxcsrp.dll
2006-11-04 00:11 60,436 --a------ C:\WINDOWS\system32\mctwmkwy.dll
2006-11-03 23:10 60,436 --a------ C:\WINDOWS\system32\cvkrpxcn.dll
2006-11-02 23:10 60,436 --a------ C:\WINDOWS\system32\kndtxjom.dll
2006-11-02 01:36 45,056 --a------ C:\WINDOWS\octeltpop.exe
2006-11-02 01:36 139,264 --a------ C:\WINDOWS\MirarSetup_876057.exe
2006-11-02 01:34 1,685 --a------ C:\WINDOWS\metasploit.exe
2006-11-01 22:59 60,436 --a------ C:\WINDOWS\system32\ndxnmyis.dll
2006-11-01 13:53 42,736 --a------ C:\WINDOWS\icont.exe
2006-10-31 22:59 60,436 --a------ C:\WINDOWS\system32\nlisovoe.dll
2006-10-30 21:56 98,324 --a------ C:\WINDOWS\system32\sthspyyv.dll
2006-10-30 21:56 110,612 --a------ C:\WINDOWS\system32\xuxelhwt.exe
2006-10-29 15:40 98,324 --a------ C:\WINDOWS\system32\nhtotiwx.dll
2006-10-29 15:25 98,324 --a------ C:\WINDOWS\system32\dcqtfhan.dll
2006-10-26 22:57 49,428 --a------ C:\WINDOWS\system32\irlrntbx.dll
2006-10-26 09:15 98,324 --a------ C:\WINDOWS\system32\opfhfuoj.dll
2006-10-25 22:57 98,324 --a------ C:\WINDOWS\system32\tflqnlnh.dll
2006-10-25 22:57 183,478 --a------ C:\WINDOWS\srvmscqiij.exe
2006-10-25 22:57 122,900 --a------ C:\WINDOWS\system32\ysayefra.dll
2006-10-25 22:56 53,248 --a------ C:\WINDOWS\ab_01.exe
2006-10-25 22:56 40,973 ---hs---- C:\WINDOWS\system32\iifcbcy.dll
2006-10-25 22:56 40,960 --a------ C:\WINDOWS\mmputt.exe
2006-10-25 22:56 2,560 --a------ C:\WINDOWS\ac3_0007.exe
2006-10-25 22:56 187,495 --a------ C:\WINDOWS\Setup99.exe
2006-10-25 15:20 69,070 --a------ C:\WINDOWS\system32\lzx32.sys
2006-10-25 15:19 95,232 --a------ C:\WINDOWS\system32\palfaqb.dll
2006-10-25 15:19 72,704 --a------ C:\WINDOWS\system32\jerehuc.dll
2006-10-21 11:45 94,720 --a------ C:\WINDOWS\system32\xcfsogj.dll
2006-10-21 11:45 72,704 --a------ C:\WINDOWS\system32\plqzuxm.dll
2006-10-21 11:45 50,251 --a------ C:\WINDOWS\system32\taskdir~.exe
2006-10-21 11:45 49,739 --a------ C:\WINDOWS\system32\adirss.exe
2006-10-21 05:35 108,936 --a------ C:\WINDOWS\system32\_mzu_stonedrv3.exe
2006-10-21 05:35 104,448 --a------ C:\WINDOWS\system32\rpcc.dll
2006-10-21 05:35 10,752 --a------ C:\WINDOWS\system32\MZU_DRV.sys
2006-10-19 21:07 837,041 ---hs---- C:\WINDOWS\system32\mnnmp.bak2
2006-10-19 21:07 67,604 --a------ C:\WINDOWS\system32\nisxeysf.exe
2006-10-18 21:07 98,324 --a------ C:\WINDOWS\system32\wnhnkonr.dll
2006-10-18 21:07 684,084 ---hs---- C:\WINDOWS\system32\pmnnm.dll
2006-10-18 21:07 522,726 ---hs---- C:\WINDOWS\system32\mnnmp.bak1
2006-10-18 21:07 143,380 --a------ C:\WINDOWS\system32\dqpltxnh.exe
2006-10-18 19:21 545,801 --a------ C:\WINDOWS\system32\awvtr.dll
2006-10-18 19:17 45,065 --a------ C:\WINDOWS\TIELT001.exe
2006-10-18 19:17 433,632 --a------ C:\WINDOWS\hancerdoem.exe
2006-10-18 19:17 25,105 --a------ C:\WINDOWS\idlemg.exe
2006-10-18 19:17 217,346 --a------ C:\WINDOWS\Setup90.exe
2006-10-18 19:17 2,560 --a------ C:\WINDOWS\ac3_0002.exe
2006-10-18 19:17 14,617 --a------ C:\WINDOWS\xload.exe
2006-10-18 19:15 32,768 --a------ C:\WINDOWS\kzggpkqp.exe
2006-10-18 19:14 939 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-18 19:12 45,056 --a------ C:\WINDOWS\uyjqojs.exe
2006-10-18 19:12 45,056 --a------ C:\WINDOWS\next06.exe
2006-10-18 19:12 40,973 ---hs---- C:\WINDOWS\system32\urqqqom.dll
2006-10-18 19:12 36,864 --a------ C:\WINDOWS\unstall.exe
2006-10-18 19:12 353,280 --a------ C:\WINDOWS\system32\1011_113.exe
2006-10-18 19:12 32,768 --a------ C:\WINDOWS\DXCecho.exe
2006-10-18 19:12 2,560 --a------ C:\WINDOWS\ac3_0018.exe
2006-10-18 19:12 186,381 --a------ C:\WINDOWS\srvnsylfgz.exe
2006-10-18 19:12 147,456 --a------ C:\WINDOWS\aff_0006.exe
2006-10-18 19:12 1,288 --a------ C:\WINDOWS\system32\kddfed77.sys
2006-10-12 17:58 4,205 --a------ C:\WINDOWS\system32\apigrab.dll
2006-10-11 09:31 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2006-10-11 09:31 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-10-11 09:31 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2006-10-11 09:31 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-10-11 09:31 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2006-10-11 09:31 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2006-10-11 09:30 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-10-08 21:20 61,440 --a------ C:\WINDOWS\system32\kdfmod.dll
2006-10-08 21:20 57,344 --a------ C:\WINDOWS\system32\kdfapi.dll
2006-10-08 21:20 48,128 --a------ C:\WINDOWS\system32\Kdfhok.dll
2006-10-08 21:20 343,040 --a------ C:\WINDOWS\system32\kdfinj.dll
2006-10-08 21:20 155,648 --a------ C:\WINDOWS\system32\kdfmgr.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-11-05 15:10 -------- d-------- C:\Program Files\Common Files
2006-11-05 11:52 -------- d-------- C:\Program Files\Internet Explorer
2006-11-05 11:50 -------- d-------- C:\Program Files\Java
2006-11-04 20:32 -------- d-------- C:\Program Files\Common Files\ouuf
2006-11-04 18:06 -------- d-------- C:\Program Files\Sonique
2006-11-02 16:37 -------- d-------- C:\Program Files\Linksys EasyLink Advisor
2006-11-02 10:06 18304 --ahs---- C:\Documents and Settings\YJ Lee\Application Data\E4695AB0CC814669B4CAFCCCE2BDF432.sta
2006-11-02 10:06 17209 --ahs---- C:\Documents and Settings\YJ Lee\Application Data\E4695AB0CC814669B4CAFCCCE2BDF432.rul
2006-10-31 00:05 -------- d-------- C:\Program Files\Windows Media Player
2006-10-30 21:56 -------- d-------- C:\Program Files\VSAdd-in
2006-10-25 22:57 -------- d-------- C:\Program Files\PSDream
2006-10-25 22:56 -------- d-------- C:\Program Files\Windows NT
2006-10-25 15:19 108936 --a------ C:\WINDOWS\system32\_mzu_stonedrv3.exe
2006-10-25 11:27 -------- d-------- C:\Program Files\PSCastor
2006-10-21 12:43 -------- d-------- C:\Program Files\Winamp
2006-10-21 05:34 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-18 19:51 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-18 19:20 -------- d-------- C:\Documents and Settings\YJ Lee\Application Data\Azureus
2006-10-18 19:17 -------- d-------- C:\Program Files\em
2006-10-18 19:05 -------- d-------- C:\Program Files\PowerISO
2006-10-10 21:58 -------- d-------- C:\Program Files\AIM
2006-10-10 10:25 -------- d-------- C:\Program Files\Electronic Arts
2006-10-09 06:42 -------- d-------- C:\Program Files\Common Files\Netmarble
2006-09-23 19:25 -------- d-------- C:\Program Files\Common Files\NSV
2006-09-20 09:25 -------- d-------- C:\Program Files\screensavers
2006-09-17 15:57 -------- d-------- C:\Program Files\IrfanView
2006-09-10 20:07 24029 --a------ C:\WINDOWS\system32\lvsrev.exe
2006-09-09 01:31 30988 --a------ C:\WINDOWS\system32\drivers\scdemu.sys
2006-08-29 08:19 1130496 -ra------ C:\WINDOWS\system32\clubbox.exe
2006-08-28 08:21 327680 -ra------ C:\WINDOWS\system32\grdupdater.exe
2006-08-11 05:56 139264 -ra------ C:\WINDOWS\system32\downengine.dll
2006-08-07 07:17 61440 --a------ C:\WINDOWS\system32\BattyRun2.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SoniqueQuickStart"="C:\\Program Files\\Sonique\\sqstart.exe -nostick"
"Steam"=""
"EasyLinkAdvisor"="\"C:\\Program Files\\Linksys EasyLink Advisor\\LinksysAgent.exe\" /startup"
"PSDream"="\"C:\\Program Files\\PSDream\\PSDream.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\pccguide.exe\""
"PCClient.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\PCClient.exe\""
"TM Outbreak Agent"="\"C:\\Program Files\\Trend Micro\\Internet Security\\TMOAgent.exe\" /run"
"LiveMonitor"="C:\\Program Files\\MSI\\Live Update 3\\LMonitor.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033 -noicon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"PWRISOVM.EXE"="C:\\Program Files\\PowerISO\\PWRISOVM.EXE"
"xload"="\"C:\\WINDOWS\\xload.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\Common Files\\sajyf.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,ea,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000
"ClassicShell"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcbcy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-05 15:11:07.23
C:\ComboFix.txt ... 06-11-05 15:11




Logfile of HijackThis v1.99.1
Scan saved at 3:14:41 PM, on 11/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\scvhost.exe
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\WINDOWS\xload.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\YJ Lee\My Documents\Unzipped\anti-adware and spyware\hijackthis\showme.exe

O2 - BHO: (no name) - {C6E00DDA-FEAF-4D28-ADC4-055240E8F907} - C:\WINDOWS\system32\iifcbcy.dll
O2 - BHO: (no name) - {DFB62316-8995-4F2E-8925-59B2BC3850D2} - C:\WINDOWS\system32\pmnnm.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - Startup: Drempels Desktop.lnk = C:\WINDOWS\drempels.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netmarble.com/web/nmstarter/NMStarter23.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\YJLEE~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: iifcbcy - C:\WINDOWS\SYSTEM32\iifcbcy.dll
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\system32\pmnnm.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

#4 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:26 AM

Posted 06 November 2006 - 03:53 AM

Hello there ibemasterlee,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Click on start, then control panel, and then double-click on add/remove programs.
From within Add/Remove Programs, uninstall the following if they exist by double-clicking on the entries:

888Bar
media-motor.net
MediaTickets by OIN
Viewpoint Media Player


Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {C6E00DDA-FEAF-4D28-ADC4-055240E8F907} - C:\WINDOWS\system32\iifcbcy.dll
O2 - BHO: (no name) - {DFB62316-8995-4F2E-8925-59B2BC3850D2} - C:\WINDOWS\system32\pmnnm.dll
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKCU\..\Run: [PSDream] "C:\Program Files\PSDream\PSDream.exe"
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsregt.exe
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {00001023-A15C-11D4-97A4-0050BF0FBE67} (NetmarbleStarter23 Class) - http://download.netmarble.com/web/nmstarter/NMStarter23.cab
O16 - DPF: {072039AB-2117-4ED5-A85F-9B9EB903E021} (NowStarter Control) - http://www.clubbox.co.kr/neo.fld/NowStarter.cab
O16 - DPF: {92E82FBB-DA00-41E0-ABFE-95482E21A4F6} (NMTransX Module) - http://download.netmarble.com/NMChatX/NMTransX.cab
O16 - DPF: {A4508A45-F1C4-40F3-99B4-0CA08AC77E3B} (Kdfense8 Control) - http://download.netmarble.com/kdefence/kdfense8.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\YJLEE~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: iifcbcy - C:\WINDOWS\SYSTEM32\iifcbcy.dll
O20 - Winlogon Notify: pmnnm - C:\WINDOWS\system32\pmnnm.dll
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\system32\xuoscydj.dll
C:\WINDOWS\iconu.exe
C:\WINDOWS\system32\cruxcsrp.dll
C:\WINDOWS\system32\mctwmkwy.dll
C:\WINDOWS\system32\cvkrpxcn.dll
C:\WINDOWS\system32\kndtxjom.dll
C:\WINDOWS\octeltpop.exe
C:\WINDOWS\MirarSetup_876057.exe
C:\WINDOWS\metasploit.exe
C:\WINDOWS\system32\ndxnmyis.dll
C:\WINDOWS\icont.exe
C:\WINDOWS\system32\nlisovoe.dll
C:\WINDOWS\system32\sthspyyv.dll
C:\WINDOWS\system32\xuxelhwt.exe
C:\WINDOWS\system32\nhtotiwx.dll
C:\WINDOWS\system32\dcqtfhan.dll
C:\WINDOWS\system32\irlrntbx.dll
C:\WINDOWS\system32\opfhfuoj.dll
C:\WINDOWS\system32\tflqnlnh.dll
C:\WINDOWS\srvmscqiij.exe
C:\WINDOWS\system32\ysayefra.dll
C:\WINDOWS\ab_01.exe
C:\WINDOWS\system32\iifcbcy.dll
C:\WINDOWS\mmputt.exe
C:\WINDOWS\ac3_0007.exe
C:\WINDOWS\Setup99.exe
C:\WINDOWS\system32\palfaqb.dll
C:\WINDOWS\system32\jerehuc.dll
C:\WINDOWS\system32\xcfsogj.dll
C:\WINDOWS\system32\plqzuxm.dll
C:\WINDOWS\system32\taskdir~.exe
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\_mzu_stonedrv3.exe
C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\system32\MZU_DRV.sys
C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\nisxeysf.exe
C:\WINDOWS\system32\wnhnkonr.dll
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\dqpltxnh.exe
C:\WINDOWS\system32\awvtr.dll
C:\WINDOWS\TIELT001.exe
C:\WINDOWS\hancerdoem.exe
C:\WINDOWS\idlemg.exe
C:\WINDOWS\Setup90.exe
C:\WINDOWS\system32\lzx32.sys
C:\WINDOWS\ac3_0002.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\kzggpkqp.exe
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\uyjqojs.exe
C:\WINDOWS\next06.exe
C:\WINDOWS\system32\urqqqom.dll
C:\WINDOWS\unstall.exe
C:\WINDOWS\system32\1011_113.exe
C:\WINDOWS\DXCecho.exe
C:\WINDOWS\ac3_0018.exe
C:\WINDOWS\srvnsylfgz.exe
C:\WINDOWS\aff_0006.exe
C:\WINDOWS\system32\kddfed77.sys
C:\WINDOWS\system32\apigrab.dll
C:\WINDOWS\system32\_mzu_stonedrv3.exe
C:\WINDOWS\system32\dwdsregt.exe
C:\WINDOWS\system32\lvsrev.exe
C:\WINDOWS\system32\clubbox.exe
C:\WINDOWS\system32\grdupdater.exe
C:\WINDOWS\system32\BattyRun2.dll
C:\WINDOWS\scvhost.exe
C:\Program Files\Common Files\sajyf.html


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Please delete the following folders:

C:\Program Files\BHO Plugin
C:\Program Files\Common Files\ouuf
C:\Program Files\VSAdd-in
C:\Program Files\PSDream
C:\Program Files\PSCastor

Now reboot back to normal mode.

Please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcbcy]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnm]

Save this as "fix.reg". Choose to save as "all files" and place it on your desktop.
It should look like this: Posted Image
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Please download VundoFix.exe to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove.
VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Open notepad and copy and paste the following text in the quote box into the window:

sc stop lsass
sc delete lsass

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: Posted Image
Doubleclick fix.bat and let the program run.

Download the Rustock.b removal tool from the link below...and save it to your desktop:
http://www.uploads.ejvindh.net/rustbfix.exe

Double click on rustbfix.exe to run the tool.
If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer.
The reboot will probably take quite a while, and perhaps 2 reboots will be needed.
But this will happen automatically.
After the reboot 2 logfiles will open (C\avenger.txt & C\rustbfix\pelog.txt).
Post the content of these logfiles along with a new HijackThis log.
Also post the Vundofix log.

David
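
The list David asks to tick in HijackThis illustrates the patterns a defender looks for when reading one of these logs: a service whose display name says lsass but whose binary is scvhost.exe (one letter-swap from svchost.exe), randomly named Winlogon Notify DLLs, an unnamed BHO in system32, a Trusted Zone entry, and an ActiveX control pulled from a local .chm instead of a web URL. The script below is an added example for this thread, not HijackThis code and not part of David's fix; it runs those heuristics over lines copied from the logs posted here. The two allow-lists (CORE_PROCESSES, KNOWN_NOTIFY_DLLS) and the severity labels are illustrative assumptions, not an authoritative inventory of legitimate Windows components.

```python
"""Heuristic triage of HijackThis v1.99.1 log lines (O2/O15/O16/O20/O23).

Added example for this thread, not HijackThis code and not part of the fix
posted above. Sample lines are copied from the logs in the thread; the two
allow-lists are short illustrative assumptions, not authoritative inventories.
"""
import re
from dataclasses import dataclass
from ntpath import basename  # ntpath so Windows paths split correctly on any OS

CORE_PROCESSES = {"svchost.exe", "lsass.exe", "csrss.exe", "smss.exe",
                  "winlogon.exe", "services.exe", "explorer.exe"}
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "scecli.dll", "schedule.dll", "senslogn.dll", "termsrv.dll",
                     "wlnotify.dll", "wlballoon.dll"}

# Constructed sample: a subset of the lines posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {C6E00DDA-FEAF-4D28-ADC4-055240E8F907} - C:\WINDOWS\system32\iifcbcy.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\YJLEE~1\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O20 - Winlogon Notify: iifcbcy - C:\WINDOWS\SYSTEM32\iifcbcy.dll
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""

@dataclass
class Finding:
    severity: str  # "high" or "medium"
    section: str   # HijackThis section tag, e.g. "O23"
    reason: str
    line: str

def osa_distance(a: str, b: str) -> int:
    """Edit distance that counts an adjacent transposition as one edit, so the
    swapped letters in scvhost.exe are 1 away from svchost.exe rather than 2."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def lookalike(exe: str):
    """Core process name that `exe` imitates (exactly one edit away), else None."""
    exe = exe.lower()
    if exe in CORE_PROCESSES:
        return None
    return next((c for c in CORE_PROCESSES if osa_distance(exe, c) == 1), None)

def last_field(line: str) -> str:
    """HijackThis puts the file path or URL in the final ' - ' separated field."""
    return line.rsplit(" - ", 1)[-1].strip().strip('"')

def triage(log_text: str) -> list:
    """Return one Finding per heuristic that a log line trips."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"(O\d+) - (.*)", line)
        if not m:
            continue
        section, body = m.groups()
        if section == "O23":  # services: display name vs. binary, and lookalike binaries
            exe = basename(last_field(line)).lower()
            short = re.search(r"\(([^)]+)\)", body)     # the (ServiceName) part
            reasons = []
            if short and f"{short.group(1).lower()}.exe" in CORE_PROCESSES \
                    and exe != f"{short.group(1).lower()}.exe":
                reasons.append(f"service named {short.group(1)} but runs {exe}")
            if (core := lookalike(exe)):
                reasons.append(f"service binary {exe} imitates {core}")
            findings += [Finding("high", section, r, line) for r in reasons]
            if not reasons and "Unknown owner" in body:
                findings.append(Finding("medium", section, "service binary carries no publisher", line))
        elif section == "O20":  # Winlogon Notify DLLs load into winlogon.exe at every logon
            dll = basename(last_field(line)).lower()
            if dll not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding("high", section, f"notify package {dll} not in known-good list", line))
        elif section == "O2" and "(no name)" in body:
            findings.append(Finding("medium", section, "BHO registered without a name", line))
        elif section == "O15":  # Trusted Zone sites run with relaxed IE security
            domain = body.split(":", 1)[1].strip()
            findings.append(Finding("medium", section, f"Trusted Zone entry for {domain}", line))
        elif section == "O16":  # ActiveX download sources should be plain http(s) URLs
            src = last_field(line)
            if not re.match(r"https?://", src, re.I):
                scheme = src.split(":", 1)[0]
                findings.append(Finding("high", section, f"ActiveX source uses {scheme}: not http", line))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.section}: {f.reason}\n    {f.line}")
```

Run stand-alone it prints six findings for the sample: both O23 reasons for the fake lsass service, the Winlogon Notify DLL, the unnamed BHO, the Trusted Zone entry and the mk: ActiveX source, while the Java BHO, the ATI service and the Microsoft-hosted WGA control pass. The transposition-aware distance is the point of the O23 check: a plain Levenshtein distance puts scvhost.exe two edits from svchost.exe and would need a looser, noisier threshold.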

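The fix.reg step above relies on two pieces of REGEDIT4 syntax that are easy to misread: a key written as [-KEY] is deleted with everything under it, and "name"=- deletes a single value under the key selected by the preceding [KEY] line; without the REGEDIT4 header regedit refuses the file, which is why David stresses copying it. The reader below is an added example for this thread, not a tool David used; it parses the posted fix.reg (embedded as sample input) and reports what a merge would do without touching the registry, plus a depth check that flags key deletions close to a hive root. The Action names and the min_depth threshold are assumptions of this example.

```python
"""Dry-run reader for a REGEDIT4 (.reg) script such as the fix.reg above.

Added example for this thread; it is not a tool David used. It reports what
regedit would do on merge: a [key] line selects a key, a leading '-' inside
the brackets deletes the whole key, and "name"=- deletes one value under
the current key. Nothing here touches the registry.
"""
from dataclasses import dataclass

# The fix.reg posted above, embedded as sample input.
FIX_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifcbcy]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnnm]
"""

HEADERS = ("REGEDIT4", "Windows Registry Editor Version 5.00")

@dataclass
class Action:
    kind: str        # "delete_key", "delete_value" or "set_value"
    key: str
    name: str = ""
    data: str = ""

def parse_reg(text: str) -> list:
    """Turn a .reg script into Actions; raises ValueError on what regedit rejects."""
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing REGEDIT4 header: regedit refuses to merge the file")
    actions, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):          # [-KEY] removes the key and everything below it
                actions.append(Action("delete_key", key[1:]))
                current = None
            else:
                current = key
            continue
        if current is None:
            raise ValueError(f"value line outside a key section: {line}")
        name, _, data = line.partition("=")   # a quoted name containing '=' is not handled
        name = "@" if name == "@" else name.strip().strip('"')
        if data == "-":                      # "name"=- removes that single value
            actions.append(Action("delete_value", current, name))
        else:
            actions.append(Action("set_value", current, name, data))
    return actions

def risky_deletions(actions: list, min_depth: int = 3) -> list:
    """Key deletions fewer than min_depth levels below the hive root; a line like
    [-HKEY_LOCAL_MACHINE\\software] would wipe far more than a malware fix should."""
    return [a for a in actions if a.kind == "delete_key" and a.key.count("\\") < min_depth]

def describe(actions: list) -> list:
    out = []
    for a in actions:
        if a.kind == "delete_key":
            out.append(f"DELETE KEY   {a.key}  (including all subkeys and values)")
        elif a.kind == "delete_value":
            out.append(f"DELETE VALUE {a.name!r} under {a.key}")
        else:
            out.append(f"SET VALUE    {a.name!r} = {a.data} under {a.key}")
    return out

if __name__ == "__main__":
    acts = parse_reg(FIX_REG)
    print("\n".join(describe(acts)))
    print("risky deletions:", len(risky_deletions(acts)))
```

For the posted fix.reg this yields three key deletions (the desktop component and the two Winlogon Notify registrations) and one value deletion (the iifcbcy CLSID from ShellExecuteHooks), none of them shallow enough to trip the depth check; a script that starts with a [-KEY] line and no header is reported as one regedit would reject.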
#5 ibemasterlee

ibemasterlee
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:26 PM

Posted 06 November 2006 - 05:21 PM

VundoFix V6.2.7

Checking Java version...

Java version is 1.5.0.2

Java version is 1.5.0.5

Java version is 1.5.0.6

Java version is 1.5.0.9

Scan started at 1:33:34 PM 11/6/2006

Listing files found while scanning....

C:\WINDOWS\system32\dcqtfhan.dll
C:\WINDOWS\system32\iifcbcy.dll
C:\WINDOWS\system32\jerehuc.dll
C:\WINDOWS\system32\nhtotiwx.dll
C:\WINDOWS\system32\opfhfuoj.dll
C:\WINDOWS\system32\plqzuxm.dll
C:\WINDOWS\system32\sthspyyv.dll
C:\WINDOWS\system32\tflqnlnh.dll
C:\WINDOWS\system32\wnhnkonr.dll
C:\WINDOWS\system32\dqpltxnh.exe
C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.bak2

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dcqtfhan.dll
C:\WINDOWS\system32\dcqtfhan.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifcbcy.dll
C:\WINDOWS\system32\iifcbcy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jerehuc.dll
C:\WINDOWS\system32\jerehuc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nhtotiwx.dll
C:\WINDOWS\system32\nhtotiwx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opfhfuoj.dll
C:\WINDOWS\system32\opfhfuoj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\plqzuxm.dll
C:\WINDOWS\system32\plqzuxm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sthspyyv.dll
C:\WINDOWS\system32\sthspyyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tflqnlnh.dll
C:\WINDOWS\system32\tflqnlnh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wnhnkonr.dll
C:\WINDOWS\system32\wnhnkonr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dqpltxnh.exe
C:\WINDOWS\system32\dqpltxnh.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnnm.dll
C:\WINDOWS\system32\pmnnm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mnnmp.ini
C:\WINDOWS\system32\mnnmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mnnmp.bak1
C:\WINDOWS\system32\mnnmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\mnnmp.bak2
C:\WINDOWS\system32\mnnmp.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\iifcbcy.dll
C:\WINDOWS\system32\iifcbcy.dll Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 2:18:56 PM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\YJ Lee\My Documents\Unzipped\anti-adware and spyware\hijackthis\showme.exe

O2 - BHO: (no name) - {C6E00DDA-FEAF-4D28-ADC4-055240E8F907} - C:\WINDOWS\system32\iifcbcy.dll (file missing)
O2 - BHO: (no name) - {E7FD2806-6AD0-462C-BB88-8E5FB72FBF75} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\oqsgeqiq.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Startup: Drempels Desktop.lnk = C:\WINDOWS\drempels.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\scvhost.exe (file missing)
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

#6 ibemasterlee

ibemasterlee
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:26 PM

Posted 06 November 2006 - 05:37 PM

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\foxowikv

*******************

Script file located at: \??\C:\WINDOWS\eonqqych.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver PE386 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

************************* Rustock.b-fix -- By ejvindh *************************
Mon 11/06/2006 14:19:59.17


******************* Pre-run Status of system *******************

Rootkit driver PE386 is found. Starting the unload-procedure....
Examine the Avenger-logfile in order to assess the success of the unload-procedure

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 65568
Total size: 65568 bytes.
Attempting to remove ADS...
system32: deleted 65568 bytes in 1 streams.


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No streams found.


******************************* End of Logfile ********************************

Logfile of HijackThis v1.99.1
Scan saved at 2:34:45 PM, on 11/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\notepad.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\YJ Lee\My Documents\Unzipped\anti-adware and spyware\hijackthis\showme.exe

O2 - BHO: (no name) - {C6E00DDA-FEAF-4D28-ADC4-055240E8F907} - C:\WINDOWS\system32\iifcbcy.dll (file missing)
O2 - BHO: (no name) - {E7FD2806-6AD0-462C-BB88-8E5FB72FBF75} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\oqsgeqiq.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Startup: Drempels Desktop.lnk = C:\WINDOWS\drempels.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

#7 ibemasterlee

ibemasterlee
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:26 PM

Posted 06 November 2006 - 07:15 PM

A lot of the problems I've had are nearly gone but I ran Spybot while waiting on your next post. What came up was Smitfraud-C and Smitfraud-C.Toolbar888 as well as overrides on MicrosoftWindowsSecurityCenter. Just thought this could help out.

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:26 AM

Posted 07 November 2006 - 11:57 AM

Excellent work! :thumbsup:
The log is looking much better.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O2 - BHO: (no name) - {C6E00DDA-FEAF-4D28-ADC4-05524E8F907} - C:\WINDOWS\system32\iifcbcy.dll (file missing)
O2 - BHO: (no name) - {E7FD2806-6AD0-462C-BB88-8E5FB72FBF75} - C:\WINDOWS\system32\pmnnm.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\oqsgeqiq.dll
O15 - Trusted Zone: *.sxload.com


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download: DelDomains.inf
Locate DelDomains.inf right-click and select: Install
Note: you will not see any on-screen action ...
This will remove all entries in the Trusted, Restricted, and Enhanced Security Configuration Zones.
Note: once you do this, any previous restricted zone hacks (SpywareBlaster, IE-SpyAd, etc.) will need to be reapplied.

Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\system32\oqsgeqiq.dll

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say Yes.

After the reboot, download and save Blacklight to your desktop.
Double-click blbeta.exe then accept the agreement.
Click on scan then click next,
You'll see a list of all items found.
Do not choose to rename yet! I want to see the log first; legitimate items can also be present.
There is a log on your desktop with the name fsbl.xxxxxxx.log (the xxxxxxx stand for numbers)
Post the contents of the log in your next reply.

Are you able to tell me where SpyBot is finding these files?
Could they not be deleted? Let me know..

Post back with a new HJT log and the blacklight log and we can proceed from there.
David

#9 ibemasterlee

ibemasterlee
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:26 PM

Posted 07 November 2006 - 07:15 PM

Here ya go:

Logfile of HijackThis v1.99.1
Scan saved at 4:12:10 PM, on 11/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\YJ Lee\My Documents\Unzipped\anti-adware and spyware\hijackthis\showme.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Startup: Drempels Desktop.lnk = C:\WINDOWS\drempels.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe


11/07/06 16:00:28 [Info]: BlackLight Engine 1.0.47 initialized
11/07/06 16:00:28 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/07/06 16:00:28 [Note]: 7019 4
11/07/06 16:00:28 [Note]: 7005 0
11/07/06 16:00:30 [Note]: 7006 0
11/07/06 16:00:30 [Note]: 7011 652
11/07/06 16:00:30 [Note]: 7026 0
11/07/06 16:00:30 [Note]: 7026 0
11/07/06 16:00:39 [Note]: FSRAW library version 1.7.1020
11/07/06 16:10:05 [Note]: 2000 1012
11/07/06 16:10:05 [Note]: 2000 1012
11/07/06 16:10:05 [Note]: 2000 1012
11/07/06 16:11:26 [Note]: 7007 0


As for SpyBot, I can delete them but they come back occasionally. I'll run another check now to see.

#10 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:26 AM

Posted 08 November 2006 - 12:56 PM

Great, let's do one last scan, before I give you the all-clear.

Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allow ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply, along with a new Hijackthis log.

David

#11 ibemasterlee

ibemasterlee
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:26 PM

Posted 08 November 2006 - 01:29 PM

I think I'm stuck with one problem: OIN or OuterInfo .. pop-ups. But still! I'm way better off than before.

#12 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:02:26 AM

Posted 08 November 2006 - 01:35 PM

We haven't finished yet!
Please continue with the instructions if you wish.

#13 ibemasterlee

ibemasterlee
  • Topic Starter

  • Members
  • 10 posts
  • Local time:05:26 PM

Posted 08 November 2006 - 03:50 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:47:38 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Common Files\{24C1D88C-0898-1033-0728-040406220001}\Update.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\DOCUME~1\YJLEE~1\APPLIC~1\SSTEM~1\nslookup.exe
C:\Program Files\?racle\r?gsvr32.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\YJ Lee\My Documents\Unzipped\anti-adware and spyware\hijackthis\showme.exe

R3 - URLSearchHook: (no name) - {67945D68-C086-BD24-86FE-B06935D98CC5} - C:\WINDOWS\system32\vvhfjnn.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {67945D68-C086-BD24-86FE-B06935D98CC5} - C:\WINDOWS\system32\vvhfjnn.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - HKCU\..\Run: [Aama] "C:\DOCUME~1\YJLEE~1\APPLIC~1\SSTEM~1\nslookup.exe" -vt yazr
O4 - HKCU\..\Run: [Scazled] C:\Program Files\?racle\r?gsvr32.exe
O4 - Startup: Drempels Desktop.lnk = C:\WINDOWS\drempels.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Wednesday, November 08, 2006 12:47:22 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 8/11/2006
Kaspersky Anti-Virus database records: 225907
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\
K:\

Scan Statistics:
Total number of scanned objects: 60108
Number of viruses found: 67
Number of infected objects: 280 / 0
Number of suspicious objects: 0
Duration of the scan process: 00:31:26

Infected Object Name / Virus Name / Last Action
C:\!KillBox\ab_01.exe Infected: Trojan-Downloader.Win32.Agent.bai skipped
C:\!KillBox\ac3_0002.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\!KillBox\ac3_0007.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\!KillBox\ac3_0018.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\!KillBox\adirss.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\!KillBox\cvkrpxcn.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\dcqtfhan.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\idlemg.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\!KillBox\irlrntbx.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\kndtxjom.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\lvsrev.exe Infected: Trojan-Spy.Win32.Flecsip.k skipped
C:\!KillBox\lzx32.sys Infected: Backdoor.Win32.Pakes skipped
C:\!KillBox\mctwmkwy.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\metasploit.exe Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\!KillBox\mmputt.exe Infected: Trojan-Clicker.Win32.VB.qd skipped
C:\!KillBox\MZU_DRV.sys Infected: Trojan-Proxy.Win32.Small.bo skipped
C:\!KillBox\ndxnmyis.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\nhtotiwx.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\nlisovoe.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\opfhfuoj.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\rpcc.dll Infected: Trojan-Proxy.Win32.Dlena.ac skipped
C:\!KillBox\scvhost.exe Infected: Backdoor.Win32.SdBot.alz skipped
C:\!KillBox\Setup90.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\!KillBox\Setup90.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\!KillBox\Setup90.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\!KillBox\Setup90.exe NSIS: infected - 3 skipped
C:\!KillBox\sthspyyv.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\taskdir~.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\!KillBox\tflqnlnh.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\uyjqojs.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\!KillBox\wnhnkonr.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\xload.exe Infected: Trojan-Downloader.Win32.VB.wz skipped
C:\!KillBox\xuoscydj.dll Infected: Trojan.Win32.BHO.g skipped
C:\!KillBox\_mzu_stonedrv3.exe Infected: Trojan-Dropper.Win32.Agent.axo skipped
C:\71210005.exe Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\YJ Lee\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\glog.log Object is locked skipped
C:\Documents and Settings\YJ Lee\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent.log Object is locked skipped
C:\Documents and Settings\YJ Lee\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_gdql_lsa.log Object is locked skipped
C:\Documents and Settings\YJ Lee\Application Data\GTek\GTUpdate\AUpdate\EasyLinkAdvisor\LinksysAgent_GTActions.log Object is locked skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-20dedf7f-7f1f6394.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-20dedf7f-7f1f6394.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-20dedf7f-7f1f6394.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-20dedf7f-7f1f6394.zip ZIP: infected - 3 skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-23722627-49eddddd.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-23722627-49eddddd.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-23722627-49eddddd.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-23722627-49eddddd.zip ZIP: infected - 3 skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3b44fa43-1a8751b4.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3b44fa43-1a8751b4.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3b44fa43-1a8751b4.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3b44fa43-1a8751b4.zip ZIP: infected - 3 skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3c8e82ee-545bee26.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3c8e82ee-545bee26.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3c8e82ee-545bee26.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3c8e82ee-545bee26.zip ZIP: infected - 3 skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dbcfe4d-2cad0ebd.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dbcfe4d-2cad0ebd.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dbcfe4d-2cad0ebd.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-3dbcfe4d-2cad0ebd.zip ZIP: infected - 3 skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-7c246901.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-7c246901.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-7c246901.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-652b4e66-7c246901.zip ZIP: infected - 3 skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-5b24781d.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-5b24781d.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-5b24781d.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6699b1e6-5b24781d.zip ZIP: infected - 3 skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-20713acc.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-20713acc.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-20713acc.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-6840731f-20713acc.zip ZIP: infected - 3 skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-79352e87-21d52eab.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-79352e87-21d52eab.zip/VerifierBug.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-79352e87-21d52eab.zip/Beyond.class Infected: Trojan-Downloader.Java.OpenConnection.aa skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count.jar-79352e87-21d52eab.zip ZIP: infected - 3 skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-78d6a057-1bcf3c5e.zip/Beyond.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-78d6a057-1bcf3c5e.zip/BlackBox.class Infected: Exploit.Java.ByteVerify skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-78d6a057-1bcf3c5e.zip/VerifierBug.class Infected: Trojan.Java.ClassLoader.ai skipped
C:\Documents and Settings\YJ Lee\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\count3.jar-78d6a057-1bcf3c5e.zip ZIP: infected - 3 skipped
C:\Documents and Settings\YJ Lee\Application Data\sуstem\nslookup.exe Infected: Trojan-Downloader.Win32.PurityScan.da skipped
C:\Documents and Settings\YJ Lee\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\YJ Lee\Local Settings\Application Data\ApplicationHistory\cli.exe.c88dbd71.ini.inuse Object is locked skipped
C:\Documents and Settings\YJ Lee\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\YJ Lee\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\YJ Lee\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temp\!update.exe Infected: Trojan-Downloader.Win32.PurityScan.da skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temp\b104.exe/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temp\b104.exe/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temp\b104.exe NSIS: infected - 2 skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temp\metasploit.exe Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temp\Perflib_Perfdata_4f8.dat Object is locked skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temp\Perflib_Perfdata_8dc.dat Object is locked skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temporary Internet Files\Content.IE5\9VN6GE61\exefile[1].exe Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temporary Internet Files\Content.IE5\LDE0SHLV\1[1].exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temporary Internet Files\Content.IE5\LDE0SHLV\1[1].exe NSIS: infected - 1 skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temporary Internet Files\Content.IE5\M204B9A5\get_video[1] Object is locked skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temporary Internet Files\Content.IE5\M204B9A5\r[1].exe Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temporary Internet Files\Content.IE5\MX0XUTGD\2_z[1].htm Infected: Exploit.HTML.IESlice.d skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temporary Internet Files\Content.IE5\ODQFC1AF\!update-4220[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.da skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temporary Internet Files\Content.IE5\VAKFVX8X\104[1].net/stream/data0002 Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temporary Internet Files\Content.IE5\VAKFVX8X\104[1].net/stream Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\Documents and Settings\YJ Lee\Local Settings\Temporary Internet Files\Content.IE5\VAKFVX8X\104[1].net NSIS: infected - 2 skipped
C:\Documents and Settings\YJ Lee\My Documents\Unzipped\anti-adware and spyware\hijackthis\backups\backup-20061018-204534-912.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\Documents and Settings\YJ Lee\My Documents\Unzipped\anti-adware and spyware\hijackthis\backups\backup-20061107-155612-222.dll Infected: Trojan.Win32.BHO.g skipped
C:\Documents and Settings\YJ Lee\ntuser.dat Object is locked skipped
C:\Documents and Settings\YJ Lee\ntuser.dat.LOG Object is locked skipped
C:\Program Files\Windows NT\vilehedac.html Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SMANTE~1\spool32.exe Infected: Trojan-Downloader.Win32.PurityScan.cx skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP523\A0090807.exe Infected: Trojan-Downloader.Win32.PurityScan.da skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP523\A0090808.exe Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP532\A0092363.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP532\A0092363.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP532\A0092390.exe Infected: Trojan-Downloader.Win32.Small.bjy skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0095800.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0095808.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0095809.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096815.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096821.exe Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096862.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096879.exe Infected: Trojan-Downloader.Win32.PurityScan.cq skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096886.dll Infected: Trojan-Downloader.Win32.Agent.awb skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096887.dll Infected: Trojan-Downloader.Win32.Agent.awb skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096888.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096889.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096890.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096893.exe Infected: Trojan-Downloader.Win32.Adload.di skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096894.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096898.exe Infected: Trojan-Downloader.Win32.Qoologic.c skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096899.dll Infected: Trojan-Downloader.Win32.Agent.agw skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096900.dll Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0096901.exe Infected: Trojan.Win32.Qhost.hs skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097045.exe Infected: Trojan-Clicker.Win32.VB.is skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097054.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097054.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097056.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097059.exe Infected: Trojan-Downloader.Win32.Agent.ala skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097060.exe Infected: Trojan-Downloader.Win32.TSUpdate.o skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097062.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097063.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097063.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097063.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097078.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097079.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097080.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097084.exe Infected: Backdoor.Win32.Hupigon.cj skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097085.exe Infected: Backdoor.Win32.Hupigon.cj skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097087.exe Infected: Trojan-Downloader.Win32.Qoologic.bj skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP568\A0097110.exe Infected: Trojan-Downloader.Win32.Qoologic.c skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097172.dll Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097174.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097178.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097179.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097180.exe Infected: Trojan-Downloader.Win32.Small.dgk skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097181.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097182.exe Infected: Trojan-Clicker.Win32.Small.ja skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097183.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097187.exe Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097188.exe Infected: Trojan-Dropper.Win32.Agent.axo skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097189.exe Infected: Packed.Win32.PePatch.dw skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097190.exe Infected: Trojan-Downloader.Win32.Small.cxx skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097191.exe Infected: Trojan-Proxy.Win32.Xorpix.ar skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097192.exe Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097193.exe Infected: Trojan-Downloader.Win32.Small.cyb skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097194.exe Infected: Trojan-Downloader.Win32.Small.dwx skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097195.exe Infected: Trojan-Downloader.Win32.Small.dht skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097196.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097197.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097198.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP570\A0097200.exe Infected: Trojan-Downloader.Win32.Small.dgk skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP571\A0097259.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP571\A0097260.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP571\A0097268.dll Infected: Email-Worm.Win32.Banwarum.f skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP571\A0097275.dll Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP574\A0097360.dll Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP574\A0097363.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP574\A0097372.exe Infected: Trojan-Dropper.Win32.Agent.axo skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP574\A0097373.sys Infected: Trojan-Proxy.Win32.Small.bo skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP574\A0097374.exe Infected: Trojan-Proxy.Win32.Small.bo skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097421.exe Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097422.exe Infected: Trojan-Downloader.Win32.PurityScan.da skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097427.exe Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097428.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097447.exe Infected: Trojan-Downloader.Win32.Adload.hg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097449.exe Infected: Trojan-Downloader.Win32.Qoologic.at skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097451.exe Infected: Trojan-Downloader.Win32.Adload.fu skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097452.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097453.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097455.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097455.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097455.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP575\A0097458.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP576\A0097494.exe Infected: Trojan-Downloader.Win32.VB.anl skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0097555.dll Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0098555.dll Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099553.dll Infected: Trojan-Proxy.Win32.Agent.ji skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099661.exe Infected: Trojan-Downloader.Win32.VB.anl skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099662.exe Infected: Trojan-Clicker.Win32.VB.is skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099664.dll Infected: Trojan-Downloader.Win32.Small.ctp skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099665.exe Infected: Trojan.Win32.VB.atp skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099666.exe Infected: Trojan-Downloader.Win32.VB.anl skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099667.dll Infected: Trojan-Downloader.Win32.Agent.awb skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099673.exe Infected: Trojan-Downloader.Win32.Small.cyb skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099674.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099675.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099676.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099677.exe Infected: Trojan-Proxy.Win32.Small.bo skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099678.exe Infected: Trojan.Win32.Dialer.ay skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099683.exe Infected: Trojan-Proxy.Win32.Agent.kn skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099684.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099685.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP577\A0099686.exe Infected: Trojan-Downloader.Win32.Qoologic.c skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP579\A0099776.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP579\A0099779.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP579\A0099779.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP579\A0099779.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP579\A0099779.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP579\A0099782.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP579\A0099787.exe/stream/data0002 Infected: Trojan.Win32.KillProc.p skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP579\A0099787.exe/stream Infected: Trojan.Win32.KillProc.p skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP579\A0099787.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP579\A0099788.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP579\A0099788.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP580\A0099802.exe Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP580\A0099811.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP580\A0099812.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP580\A0099813.exe Infected: Trojan-Downloader.Win32.VB.anl skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP581\A0100872.sys Infected: Trojan-Clicker.Win32.Costrat.l skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP581\A0101836.exe Infected: Backdoor.Win32.Pakes skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP581\A0101837.exe Infected: Trojan-PSW.Win32.Sinowal.bh skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP582\A0102830.exe Infected: Trojan-Downloader.Win32.Tibs.gc skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP582\A0102833.exe Infected: Trojan-Downloader.Win32.Tibs.gc skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP582\A0102841.dll Infected: Trojan-Downloader.Win32.Agent.awb skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP582\A0102842.dll Infected: Trojan-Downloader.Win32.Agent.aol skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP582\A0102849.exe Infected: Trojan-Downloader.Win32.Tibs.jb skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP582\A0102850.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP582\A0102851.exe Infected: Trojan-Downloader.Win32.VB.anl skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP582\A0102852.exe Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP582\A0102962.exe Infected: Trojan-Downloader.Win32.TSUpdate.l skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP583\A0103003.exe Infected: Trojan-Downloader.Win32.PurityScan.dc skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP583\A0103012.exe/stream/data0002 Infected: Trojan.Win32.KillProc.p skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP583\A0103012.exe/stream Infected: Trojan.Win32.KillProc.p skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP583\A0103012.exe NSIS: infected - 2 skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103196.exe Infected: Trojan-Downloader.Win32.Small.buy skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103197.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103197.exe/data0005 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103197.exe/data0006 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103197.exe NSIS: infected - 3 skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103198.sys Infected: Backdoor.Win32.Pakes skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103199.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103200.exe Infected: Trojan-Downloader.Win32.VB.wz skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103203.exe Infected: Trojan-Dropper.Win32.Agent.mu skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103209.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103214.exe Infected: Trojan-Spy.Win32.Flecsip.k skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103218.exe Infected: Backdoor.Win32.SdBot.alz skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103229.exe Infected: Trojan-Downloader.Win32.TSUpdate.r skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103231.exe Infected: Trojan-Downloader.Win32.TSUpdate.n skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103233.exe Infected: Trojan-Downloader.Win32.TSUpdate.f skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103235.dll Infected: Trojan-Clicker.Win32.Small.ja skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103236.exe Infected: Trojan-Clicker.Win32.Small.ja skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103246.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103248.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103249.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103251.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103252.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103253.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP589\A0103813.dll Infected: Trojan.Win32.BHO.g skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP589\A0103830.exe Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP590\change.log Object is locked skipped
C:\tskmgr.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\tskmgr.exe NSIS: infected - 1 skipped
C:\VundoFix Backups\dcqtfhan.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\nhtotiwx.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\opfhfuoj.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\sthspyyv.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\tflqnlnh.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\VundoFix Backups\wnhnkonr.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\71210005.exe Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\WINDOWS\ab_01.exe Infected: Trojan-Downloader.Win32.Agent.bai skipped
C:\WINDOWS\ac3_0007.exe Infected: Trojan-Downloader.Win32.Small.cyh skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\metasploit.exe Infected: Trojan-Downloader.Win32.Agent.baf skipped
C:\WINDOWS\mmputt.exe Infected: Trojan-Clicker.Win32.VB.qd skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\security\templates\wbak.dll Infected: Trojan-Downloader.Win32.Agent.bac skipped
C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log Object is locked skipped
C:\WINDOWS\SoftwareDistribution\DataStore\Logs\tmp.edb Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{C08D5390-4203-4F26-9543-0DC8C8FED538}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\adirss.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\ACEEvent.evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cvkrpxcn.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\irlrntbx.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\kndtxjom.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\mctwmkwy.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\MZU_DRV.sys Infected: Trojan-Proxy.Win32.Small.bo skipped
C:\WINDOWS\system32\ndxnmyis.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\nlisovoe.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\rpcc.dll Infected: Trojan-Proxy.Win32.Dlena.ac skipped
C:\WINDOWS\system32\taskdir.exe_tobedeleted Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\WINDOWS\system32\taskdir~.exe Infected: Trojan-Downloader.Win32.Tibs.ir skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\xuoscydj.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\_mzu_stonedrv3.exe Infected: Trojan-Dropper.Win32.Agent.axo skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

#14 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 08 November 2006 - 06:02 PM

I see what went on here: you were reinfected.
Until this PC is clean I recommend you use the PC sparingly.

Click Start > Control Panel.

Double-click the Java icon in the control panel.
The Java Control Panel appears.
Click Settings under Temporary Internet Files.
The Temporary Files Settings dialog box appears.

Click Delete Files.
The Delete Temporary Files dialog box appears.

There are three options on this window to clear the cache.
- Delete Files
- View Applications
- View Applets
Click OK on Delete Temporary Files window.
Note: This deletes all the Downloaded Applications and Applets from the cache.

Click OK on Temporary Files Settings window.
Note: If you want to delete a specific application and applet from the cache, click on View Application and View Applet options respectively.

Open the Hijackthis program.
Click on Open Misc Tools Section.
Click on the backups tab at the top.
Click the "Delete All" button; this will delete the infected backups.

Please empty this folder:
C:\!KillBox

Please delete this folder:
C:\VundoFix Backups

Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R3 - URLSearchHook: (no name) - {67945D68-C086-BD24-86FE-B06935D98CC5} - C:\WINDOWS\system32\vvhfjnn.dll
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {67945D68-C086-BD24-86FE-B06935D98CC5} - C:\WINDOWS\system32\vvhfjnn.dll
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [Aama] "C:\DOCUME~1\YJLEE~1\APPLIC~1\SSTEM~1\nslookup.exe" -vt yazr
O4 - HKCU\..\Run: [Scazled] C:\Program Files\?racle\r?gsvr32.exe


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\71210005.exe
C:\tskmgr.exe
C:\WINDOWS\ab_01.exe
C:\WINDOWS\ac3_0007.exe
C:\WINDOWS\metasploit.exe
C:\WINDOWS\mmputt.exe
C:\WINDOWS\security\templates\wbak.dll
C:\WINDOWS\system32\adirss.exe
C:\WINDOWS\system32\cvkrpxcn.dll
C:\WINDOWS\system32\irlrntbx.dll
C:\WINDOWS\system32\kndtxjom.dll
C:\WINDOWS\system32\mctwmkwy.dll
C:\WINDOWS\system32\MZU_DRV.sys
C:\WINDOWS\system32\ndxnmyis.dll
C:\WINDOWS\system32\nlisovoe.dll
C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\system32\taskdir.exe
C:\WINDOWS\system32\taskdir~.exe
C:\WINDOWS\system32\xuoscydj.dll
C:\WINDOWS\system32\_mzu_stonedrv3.exe
C:\WINDOWS\system32\vvhfjnn.dll


Open 'File' in the Killbox menu on top and choose Paste from Clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on the next reboot and ask if you would like to reboot now; click "Yes".
Click OK at any Pending File Rename Operations prompt, and let me know if any appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

I want you to clean your cache and cookies from your internet explorer.
There are a few infected files which need to be removed from your system.

Close all instances of Internet Explorer.
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
When prompted, place a tick in the "Delete all offline content" box and click OK.

Also, please clean other temporary files and empty the Recycle Bin.

Go to start and click on the "run" button.
Type the following in the box --> cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

Please run Combofix again and post its log.
Also post a new Hijackthis log.

In addition, Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A Notepad window will pop up after it's saved; please copy everything in that Notepad window and paste it here.

David
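
As an added example (not part of this thread and not code from any tool named in it), the following Python script triages a Kaspersky-style scan report of the shape quoted above: it ignores "Object is locked" lines (in-use system files, not findings), collapses archive members such as "/data0004" or "/stream" onto their container file, separates restore-point copies and quarantine leftovers from live files, and cross-checks a proposed delete-on-reboot list against what the scan actually reported. The sample report is constructed from a handful of the lines above plus one placeholder path.

```python
"""Triage a Kaspersky-style on-demand scan report (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: a few lines copied from the report quoted in the thread.
SAMPLE_REPORT = r"""
Scan is completed.
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103197.exe/data0002 Infected: Trojan.Win32.VB.tg skipped
C:\System Volume Information\_restore{58851BC0-FD4D-4E4C-831F-C6569B0825C1}\RP584\A0103197.exe NSIS: infected - 3 skipped
C:\tskmgr.exe/data0006 Infected: Trojan-Dropper.Win32.VB.nn skipped
C:\tskmgr.exe NSIS: infected - 1 skipped
C:\VundoFix Backups\dcqtfhan.dll.bad Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\cvkrpxcn.dll Infected: Trojan.Win32.BHO.g skipped
C:\WINDOWS\system32\MZU_DRV.sys Infected: Trojan-Proxy.Win32.Small.bo skipped
C:\WINDOWS\system32\taskdir.exe_tobedeleted Infected: Trojan-Downloader.Win32.Tibs.ir skipped
Scan process completed.
"""

# One report line: "<object> <verdict> skipped". <object> is a file path or an
# archive member inside it, e.g. "C:\x.exe/data0004" or "C:\x.exe/stream/data0002".
LINE_RE = re.compile(
    r"^(?P<obj>.+?) (?P<verdict>Infected: \S+|Object is locked|NSIS: infected - \d+) skipped$"
)
# System Restore keeps its own copies under _restore{GUID}\RPnnn; they are inert
# until a restore point is applied and are purged by clearing System Restore.
RESTORE_RE = re.compile(
    r"^[a-z]:\\system volume information\\_restore\{[0-9a-f-]+\}\\rp\d+\\", re.I
)
# Folders where earlier cleanup tools parked copies (delete the folder, not file by file).
QUARANTINE_DIRS = ("\\VundoFix Backups\\", "\\QooBox\\", "\\!KillBox\\")
MEMBER_RE = re.compile(r"(/stream|/data\d{4})+$")


def container_path(obj):
    """Strip archive-member suffixes so members collapse onto their container file."""
    return MEMBER_RE.sub("", obj)


def classify(path):
    """Bucket a finding by where it lives, which decides how it gets removed."""
    if RESTORE_RE.match(path):
        return "restore_point"
    low = path.lower()
    if any(d.lower() in low for d in QUARANTINE_DIRS):
        return "quarantine"
    return "live"


def triage(report_text):
    """Return ({bucket: {path: set(detection names)}}, number of locked objects)."""
    buckets = defaultdict(lambda: defaultdict(set))
    locked = 0
    for raw in report_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # header/footer lines such as "Scan process completed."
        obj, verdict = m.group("obj"), m.group("verdict")
        if verdict == "Object is locked":
            locked += 1  # registry hives, event logs and the like: not findings
            continue
        if verdict.startswith("NSIS:"):
            continue  # container summary; the member lines already carry the names
        path = container_path(obj)
        buckets[classify(path)][path].add(verdict[len("Infected: "):])
    return buckets, locked


def live_paths(buckets):
    """The on-disk files a helper would hand to a delete-on-reboot tool."""
    return sorted(buckets["live"], key=str.lower)


def check_deletion_list(proposed, buckets):
    """Paths in a proposed deletion list that no line of this scan supports.

    Anything returned needs backing from other evidence (e.g. a HijackThis entry)
    before it is deleted; a typo in a path is the usual reason a line shows up here.
    """
    known = {p.lower() for bucket in buckets.values() for p in bucket}
    return [p for p in proposed if p.lower() not in known]


if __name__ == "__main__":
    found, n_locked = triage(SAMPLE_REPORT)
    print(f"locked objects ignored: {n_locked}")
    for bucket, paths in found.items():
        print(f"[{bucket}] {len(paths)} file(s)")
        for p, names in sorted(paths.items()):
            print(f"  {p}  <-  {', '.join(sorted(names))}")
    print("delete-on-reboot candidates:", *live_paths(found), sep="\n  ")
    # "C:\WINDOWS\placeholder_not_in_scan.dll" is a constructed placeholder path.
    print("unsupported by this scan:",
          check_deletion_list(["C:\\tskmgr.exe", "C:\\WINDOWS\\placeholder_not_in_scan.dll"], found))
```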

#15 ibemasterlee

ibemasterlee
  • Topic Starter

  • Members
  • 10 posts

Posted 08 November 2006 - 07:43 PM

YJ Lee - 06-11-08 16:36:59.40 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\YJ Lee\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wnsintsv.exe
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Cowabanga
C:\Program Files\Inetget2
C:\Program Files\Ipwins
C:\Program Files\Common Files\{34C1D88C-0898-1033-0728-040406220001}
C:\Program Files\Common Files\{24C1D88C-0898-1033-0728-040406220001}

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SMANTE~1
C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SSTEM~1
C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SMANTE~1\SMANTE~1
C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SMANTE~1\spool32.exe
C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SMANTE~1\SMANTE~1\ctxad-499.0000
C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SMANTE~1\SMANTE~1\ctxad-499.0001
C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SSTEM~1\nslookup.exe
C:\QooBox\Purity\Documents and Settings\YJ Lee\Application Data\SSTEM~1\SSTEM~1
C:\QooBox\Purity\Documents and Settings\YJ Lee\My Documents\CURITY~1
C:\QooBox\Purity\Documents and Settings\YJ Lee\My Documents\FNTS~1
C:\QooBox\Purity\Documents and Settings\YJ Lee\My Documents\ICROSO~1
C:\QooBox\Purity\Documents and Settings\YJ Lee\My Documents\STEM~1
C:\QooBox\Purity\Program Files\RACLE~1
C:\QooBox\Purity\Program Files\Common Files\ICROSO~1.NET
C:\QooBox\Purity\Program Files\Common Files\SSTEM3~1
C:\QooBox\Purity\Program Files\Common Files\SSTEM3~1\r?ndll.exe
C:\QooBox\Purity\Program Files\RACLE~1\r?gsvr32.exe
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\RACLE~1
C:\QooBox\Purity\WINDOWS\system32\PPATCH~1


((((((((((((((((((((((((((((((( Files Created from 2006-10-08 to 2006-11-08 ))))))))))))))))))))))))))))))))))


2006-11-08 09:02 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-11-08 01:34 1,685 --a------ C:\WINDOWS\71210005.exe
2006-11-06 14:02 1,492 --a------ C:\WINDOWS\vundofix.reg
2006-11-05 11:52 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-03 23:10 60,436 --------- C:\WINDOWS\system32\cvkrpxcn.dll
2006-11-02 01:36 45,056 --------- C:\WINDOWS\octeltpop.exe
2006-11-02 01:36 139,264 --------- C:\WINDOWS\MirarSetup_876057.exe
2006-10-30 21:56 110,612 --------- C:\WINDOWS\system32\xuxelhwt.exe
2006-10-25 22:57 183,478 --------- C:\WINDOWS\srvmscqiij.exe
2006-10-25 22:57 122,900 --------- C:\WINDOWS\system32\ysayefra.dll
2006-10-25 22:56 187,495 --------- C:\WINDOWS\Setup99.exe
2006-10-25 15:19 95,232 --------- C:\WINDOWS\system32\palfaqb.dll
2006-10-21 11:45 94,720 --------- C:\WINDOWS\system32\xcfsogj.dll
2006-10-19 21:07 67,604 --------- C:\WINDOWS\system32\nisxeysf.exe
2006-10-18 19:21 545,801 --------- C:\WINDOWS\system32\awvtr.dll
2006-10-18 19:17 45,065 --------- C:\WINDOWS\TIELT001.exe
2006-10-18 19:17 433,632 --------- C:\WINDOWS\hancerdoem.exe
2006-10-11 09:31 68,888 --a------ C:\WINDOWS\system32\xinput1_3.dll
2006-10-11 09:31 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2006-10-11 09:31 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2006-10-11 09:31 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2006-10-11 09:31 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2006-10-11 09:31 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2006-10-11 09:30 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2006-10-08 21:20 61,440 --a------ C:\WINDOWS\system32\kdfmod.dll
2006-10-08 21:20 57,344 --a------ C:\WINDOWS\system32\kdfapi.dll
2006-10-08 21:20 48,128 --a------ C:\WINDOWS\system32\Kdfhok.dll
2006-10-08 21:20 343,040 --a------ C:\WINDOWS\system32\kdfinj.dll
2006-10-08 21:20 155,648 --a------ C:\WINDOWS\system32\kdfmgr.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-08 16:38 -------- d-------- C:\Program Files\Common Files
2006-11-08 10:22 -------- d-------- C:\Program Files\Sonique
2006-11-08 09:02 -------- d-------- C:\Program Files\Windows Media Player
2006-11-08 09:02 -------- d-------- C:\Program Files\Internet Explorer
2006-11-08 09:00 -------- d-------- C:\Program Files\Outlook Express
2006-11-08 09:00 -------- d-------- C:\Program Files\Common Files\System
2006-11-07 22:35 -------- d-------- C:\Program Files\AIM
2006-11-06 14:57 -------- d-------- C:\Program Files\Azureus
2006-11-06 14:57 -------- d-------- C:\Documents and Settings\YJ Lee\Application Data\Azureus
2006-11-06 14:54 -------- d-------- C:\Program Files\Java
2006-11-06 14:50 -------- d-------- C:\Program Files\screensavers
2006-11-06 13:17 -------- d-------- C:\Program Files\Viewpoint
2006-11-02 16:37 -------- d-------- C:\Program Files\Linksys EasyLink Advisor
2006-11-02 10:06 18304 --ahs---- C:\Documents and Settings\YJ Lee\Application Data\E4695AB0CC814669B4CAFCCCE2BDF432.sta
2006-11-02 10:06 17209 --ahs---- C:\Documents and Settings\YJ Lee\Application Data\E4695AB0CC814669B4CAFCCCE2BDF432.rul
2006-10-25 22:56 -------- d-------- C:\Program Files\Windows NT
2006-10-21 12:43 -------- d-------- C:\Program Files\Winamp
2006-10-18 19:51 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-10-18 19:17 -------- d-------- C:\Program Files\em
2006-10-10 10:25 -------- d-------- C:\Program Files\Electronic Arts
2006-10-09 06:42 -------- d-------- C:\Program Files\Common Files\Netmarble
2006-09-23 19:25 -------- d-------- C:\Program Files\Common Files\NSV
2006-09-17 15:57 -------- d-------- C:\Program Files\IrfanView
2006-09-12 21:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 07:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 04:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 01:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 03:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
2006-08-11 05:56 139264 -ra------ C:\WINDOWS\system32\downengine.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SoniqueQuickStart"="C:\\Program Files\\Sonique\\sqstart.exe -nostick"
"Steam"=""
"EasyLinkAdvisor"="\"C:\\Program Files\\Linksys EasyLink Advisor\\LinksysAgent.exe\" /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\pccguide.exe\""
"PCClient.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security\\PCClient.exe\""
"TM Outbreak Agent"="\"C:\\Program Files\\Trend Micro\\Internet Security\\TMOAgent.exe\" /run"
"LiveMonitor"="C:\\Program Files\\MSI\\Live Update 3\\LMonitor.exe"
"DAEMON Tools-1033"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033 -noicon"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{C6E00DDA-FEAF-4D28-ADC4-055240E8F907}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00
"NoActiveDesktop"=dword:00000000
"NoSaveSettings"=dword:00000000
"NoThemesTab"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000
"ClassicShell"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"UPnPMonitor"="{e57ce738-33e8-4c51-8354-bb4de9d215d1}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-08 16:38:17.12
C:\ComboFix.txt ... 06-11-08 16:38
C:\ComboFix2.txt ... 06-11-05 15:11


Logfile of HijackThis v1.99.1
Scan saved at 4:38:59 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
C:\Program Files\Trend Micro\Internet Security\tmproxy.exe
C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Trend Micro\Internet Security\pccguide.exe
C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\YJ Lee\My Documents\Unzipped\anti-adware and spyware\hijackthis\showme.exe

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security\pccguide.exe"
O4 - HKLM\..\Run: [PCClient.exe] "C:\Program Files\Trend Micro\Internet Security\PCClient.exe"
O4 - HKLM\..\Run: [TM Outbreak Agent] "C:\Program Files\Trend Micro\Internet Security\TMOAgent.exe" /run
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [DAEMON Tools-1033] "C:\Program Files\D-Tools\daemon.exe" -lang 1033 -noicon
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
O4 - HKCU\..\Run: [SoniqueQuickStart] C:\Program Files\Sonique\sqstart.exe -nostick
O4 - HKCU\..\Run: [EasyLinkAdvisor] "C:\Program Files\Linksys EasyLink Advisor\LinksysAgent.exe" /startup
O4 - Startup: Drempels Desktop.lnk = C:\WINDOWS\drempels.exe
O4 - Startup: Xfire.lnk = C:\Program Files\Xfire\Xfire.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Trend Micro Personal Firewall (PccPfw) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\PccPfw.exe
O23 - Service: Trend NT Realtime Service (Tmntsrv) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\Tmntsrv.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Incorporated. - C:\Program Files\Trend Micro\Internet Security\tmproxy.exe

Ad-Aware SE Personal
Adobe Acrobat 5.0
Adobe Flash Player 9 ActiveX
Alcohol 120% (Trial Version)
AOL Instant Messenger
Ares 1.8.1
ATI Catalyst Control Center
ATI Display Driver
Azureus
Battlefield 2™
Battlefield 2142 Demo
BSPlayer
Clubbox 파일전송관리자
Combined Community Codec Pack 2005-11-17 (Remove Only)
DAEMON Tools
DHzer0point Catalyst 0.63
Direct Show Ogg Vorbis Filter (remove only)
Drempels (remove only)
ffdshow (remove only)
FHMcom_OxleyStrip Screen Saver
HijackThis 1.99.1
IpWins
IrfanView (remove only)
J2SE Runtime Environment 5.0 Update 9
Kaspersky Online Scanner
Lexmark Z600 Series
Linksys EasyLink Advisor 1.5 (1010)
MAIET Gunz
Matrix-ks
Matroska Pack - Lazy Man's MKV 0.9.6
MediaMonkey 2.4
MediaTickets by OIN
Microsoft .NET Framework 1.1
Microsoft Office PowerPoint Viewer 2003
mIRC
MSI Live Update 3
Nero - Burning Rom
Oblivion
Oblivion - BTmod 2.20
onefineday01
Picasa 2
PowerDVD
QuickTime
RealPlayer Basic
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925486)
Sonique
Spybot - Search & Destroy 1.4
Steam
TeamSpeak 2 RC2
Trend Micro Internet Security
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinRAR archiver
WinZip
WordPerfect Office 12
Xfire (remove only)
