
Infected With Dialer.coh And Lop.as


18 replies to this topic

#1 msg83

Posted 04 January 2007 - 11:29 PM

Hi there,

I have been infected with Dialer.COH and LOP.AS for about 2 weeks now and haven't had too much success removing it myself. I am basically receiving constant AVG warnings every time I am on the net, one pop-up in regard to Dialer and the other in regard to LOP. Twice the computer has just restarted on me with no warning.

I have followed the preparation guide for posting and have a HJT log for you.
Any help removing it would be so awesome, thanks heaps.
Nigel

Logfile of HijackThis v1.99.1
Scan saved at 5:21:28 PM, on 1/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\system32\devldr32.exe
C:\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {8D5CED9F-53D5-4AF2-BCAD-601790EDB3B9} - C:\WINDOWS\system32\xxyyyxv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA90~1\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA90~1\Bar888.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [SkypeMate] C:\Program Files\SkypeMate\SkypeMate.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\PROGRA~1\BITTOR~1\BITTOR~1.EXE" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://photo.digitalmax.co.nz/en/ImageUploader4.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: winsbp32 - C:\WINDOWS\SYSTEM32\winsbp32.dll
O20 - Winlogon Notify: xxyyyxv - C:\WINDOWS\SYSTEM32\xxyyyxv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: PCtel speaker phone (pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe


#2 Buckeye_Sam (Malware Expert)

Posted 05 January 2007 - 07:21 AM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 msg83 (Topic Starter)

Posted 05 January 2007 - 05:01 PM

Hi Sam,

Thanks for such a quick reply, it is really appreciated that someone can help so quickly.

Combofix log follows:


Katie and Nigel - 07-01-06 10:51:57.10 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Katie and Nigel\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\{3CA90367-0682-1033-0811-030918200001}


((((((((((((((((((((((((((((((( Files Created from 2006-12-06 to 2007-01-06 ))))))))))))))))))))))))))))))))))


2007-01-05 17:17 22,541 ---hs---- C:\WINDOWS\system32\ljjhfgd.dll
2007-01-05 17:16 <DIR> d-------- C:\HijackThis
2007-01-05 16:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2007-01-05 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-01-04 16:54 106 --a------ C:\delete.bat
2007-01-04 16:52 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-01-03 21:31 <DIR> d-------- C:\Program Files\MagicISO
2007-01-02 22:00 22,541 ---hs---- C:\WINDOWS\system32\xxyyyxv.dll
2007-01-02 22:00 16,896 --a------ C:\WINDOWS\system32\winsbp32.dll
2007-01-02 21:46 <DIR> d-------- C:\Program Files\WinISO
2007-01-02 21:38 68,960 --a------ C:\WINDOWS\system32\drivers\Pcatip.sys
2007-01-02 21:38 39,488 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-01-02 21:38 <DIR> d-------- C:\Program Files\VSO
2007-01-02 15:11 <DIR> d-------- C:\Program Files\7-Zip
2006-12-31 01:10 <DIR> d-------- C:\Program Files\Azureus
2006-12-31 01:10 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Azureus
2006-12-31 01:07 <DIR> d-------- C:\WINDOWS\Sun
2006-12-31 01:07 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Sun
2006-12-29 20:55 <DIR> d-------- C:\Program Files\SmartFTP Client 2.0 Setup Files
2006-12-29 20:55 <DIR> d-------- C:\Program Files\SmartFTP Client 2.0
2006-12-29 20:55 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\SmartFTP
2006-12-29 19:11 <DIR> d-------- C:\Program Files\mIRC
2006-12-23 10:17 <DIR> d-------- C:\Program Files\Common Files\Reallusion
2006-12-22 20:40 <DIR> d-------- C:\Program Files\QuickTime
2006-12-22 20:40 <DIR> d-------- C:\Program Files\iTunes
2006-12-22 20:40 <DIR> d-------- C:\Program Files\iPod
2006-12-22 20:40 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Apple Computer
2006-12-22 20:39 <DIR> d-------- C:\Program Files\Apple Software Update
2006-12-22 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-12-13 21:58 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-13 21:58 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Lavasoft
2006-12-10 01:47 <DIR> d-------- C:\Program Files\eMule
2006-12-10 01:14 512,000 --------- C:\WINDOWS\system32\iClone Screensaver.scr
2006-12-10 01:14 139,264 --a------ C:\WINDOWS\system32\RLContentClass.dll
2006-12-10 01:13 458,752 --a------ C:\WINDOWS\system32\IMagickRT.dll
2006-12-10 01:13 <DIR> d-------- C:\Program Files\Reallusion
2006-12-10 01:11 <DIR> d-------- C:\iclone
2006-12-10 00:34 <DIR> d--h----- C:\DBBackup
2006-12-09 20:17 <DIR> d--h----- C:\WINDOWS\PIF
2006-12-09 19:22 <DIR> d-------- C:\Program Files\MorpheusBar
2006-12-09 19:21 <DIR> d-------- C:\WINDOWS\system32\cache329
2006-12-09 19:20 <DIR> d-------- C:\Program Files\Morpheus
2006-12-09 19:12 <DIR> d-------- C:\WINDOWS\cdmxtras
2006-12-09 19:12 <DIR> d-------- C:\Program Files\Need2Find
2006-12-09 19:07 10 --a------ C:\WINDOWS\smdat32m.sys
2006-12-09 19:05 <DIR> d-------- C:\Program Files\Kazaa
2006-12-09 17:31 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Reallusion
2006-12-08 17:56 <DIR> d-------- C:\Program Files\Common Files\xing shared
2006-12-08 17:55 <DIR> d-------- C:\Program Files\Real
2006-12-08 17:55 <DIR> d-------- C:\Program Files\Common Files\Real
2006-12-08 17:55 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Real
2006-12-08 17:37 <DIR> d-------- C:\My Downloads
2006-12-06 18:14 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\DivX


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-06 10:55 -------- d-------- C:\Program Files\Common Files
2007-01-06 08:51 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\BitTorrent
2007-01-05 23:39 -------- d-------- C:\Program Files\Mozilla Firefox
2007-01-05 17:21 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Skype
2007-01-02 22:27 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\AVG7
2006-12-30 23:50 -------- d---s---- C:\Documents and Settings\Katie and Nigel\Application Data\Microsoft
2006-12-23 10:17 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-20 21:56 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-12-15 03:01 -------- d-------- C:\Program Files\Internet Explorer
2006-12-15 03:00 -------- d-------- C:\Program Files\Outlook Express
2006-12-15 03:00 -------- d-------- C:\Program Files\Common Files\System
2006-12-13 19:53 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-13 19:53 -------- d-------- C:\Program Files\Adobe
2006-12-13 19:53 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Adobe
2006-12-13 07:55 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\LimeWire
2006-12-07 19:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-06 18:14 -------- d-------- C:\Program Files\DivX
2006-12-06 18:13 -------- d-------- C:\Program Files\Google
2006-12-03 21:43 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-03 21:43 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-03 21:43 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-03 21:43 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-03 21:43 18240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-03 09:54 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\CyberLink
2006-12-03 09:53 -------- d-------- C:\Program Files\CyberLink
2006-12-02 17:59 14 --a------ C:\WINDOWS\system32\systeminfo.dll
2006-12-02 17:59 -------- d-------- C:\Program Files\DVD X Studios
2006-11-26 20:33 -------- d-------- C:\Program Files\Digitalmax
2006-11-26 03:00 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-24 17:48 -------- d-------- C:\Program Files\ImTOO
2006-11-23 20:06 -------- d-------- C:\Program Files\Elaborate Bytes
2006-11-23 16:19 -------- d-------- C:\Program Files\Multi Theft Auto
2006-11-23 15:56 -------- d-------- C:\Program Files\AvRack
2006-11-23 15:31 -------- d-------- C:\Program Files\Audacity
2006-11-23 11:50 -------- d-------- C:\Program Files\ViArt_shop_evaluation
2006-11-23 08:46 -------- d-------- C:\Program Files\Windows Media Player
2006-11-22 21:22 -------- d-------- C:\Program Files\CoffeeCup Software
2006-11-20 20:45 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\ArcSoft
2006-11-20 20:42 -------- d-------- C:\Program Files\Canon
2006-11-20 20:41 -------- d-------- C:\Program Files\ArcSoft
2006-11-19 17:27 -------- d-------- C:\Program Files\D-Link DSLs
2006-11-16 10:01 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-11-16 10:01 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-11-16 10:01 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-11-16 10:01 116984 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-11-16 10:01 115960 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-11-16 10:01 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-11-16 09:56 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-11-16 09:56 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-11-16 09:56 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-11-16 09:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-11-16 09:56 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-11-16 09:56 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-11-16 09:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-11-16 09:56 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-11-16 09:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-11-16 09:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-11-16 09:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-11-16 09:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-11-16 09:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-11-16 09:36 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-11-14 20:02 -------- d-------- C:\Program Files\Electronic Arts
2006-11-14 19:57 -------- d-------- C:\Program Files\Maxis
2006-11-13 21:28 -------- d-------- C:\Program Files\BitTorrent
2006-11-10 22:39 -------- d-------- C:\Program Files\Java
2006-11-10 21:59 -------- d-------- C:\Program Files\Common Files\Java
2006-11-08 18:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 13:25 118784 --a------ C:\WINDOWS\dsdxirmv.exe
2006-10-31 22:02 499712 --------- C:\WINDOWS\system32\msvcp71.dll
2006-10-31 22:02 348160 --------- C:\WINDOWS\system32\msvcr71.dll
2006-10-29 02:12 62 --ahs---- C:\Documents and Settings\Katie and Nigel\Application Data\desktop.ini
2006-10-28 13:25 0 -rahs---- C:\MSDOS.SYS
2006-10-28 13:25 0 -rahs---- C:\IO.SYS
2006-10-28 13:25 0 --a------ C:\CONFIG.SYS
2006-10-28 13:25 0 --a------ C:\AUTOEXEC.BAT
2006-10-20 02:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-14 01:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-14 01:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-14 01:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SkypeMate"="C:\\Program Files\\SkypeMate\\SkypeMate.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Power2GoExpress"=""
"BitTorrent"="\"C:\\PROGRA~1\\BITTOR~1\\BITTOR~1.EXE\" --force_start_minimized"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="soundman.exe"
"CountrySelection"="pctptt.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"BootSkin Startup Jobs"="\"C:\\PROGRA~1\\Stardock\\WINCUS~1\\BootSkin\\BootSkin.exe\" /StartupJobs"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"CloneCDElbyCDFL"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"CloneCDTray"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\CloneCDTray.exe\""
"snpstd3"="C:\\WINDOWS\\vsnpstd3.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{8D5CED9F-53D5-4AF2-BCAD-601790EDB3B9}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsbp32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyyxv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"



~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

backup-20070105-171906-765
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
backup-20070105-171906-164
O20 - Winlogon Notify: WBSrv - C:\PROGRA~1\Stardock\OBJECT~1\WINDOW~1\wbsrv.dll
backup-20070105-171906-467
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
backup-20070105-171906-384
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\BitTorrent.job
C:\WINDOWS\tasks\closeme.job
C:\WINDOWS\tasks\LimeWire PRO 4.12.job

Completion time: 07-01-06 10:56:01.35
C:\ComboFix.txt ... 07-01-06 10:56
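The HijackThis log in the first post and the ComboFix "Files Created" listing above are the two artifacts a helper reads side by side to decide which files are worth deleting. What follows is an added example, not code from the thread, from HijackThis or from ComboFix: a small Python triage that parses lines copied from both logs and cross-references them. The allow-list of stock Winlogon notify packages and the scoring rules (unnamed BHO in system32, hidden+system file in system32, a .sys outside the drivers directory, a file dropped in the same minute as a flagged one) are this example's own assumptions, not anything the tools apply themselves.

```python
"""Cross-reference a HijackThis log with a ComboFix 'Files Created' listing.

Added example: not code from the thread, HijackThis or ComboFix. The log
lines below are copied from the two posts above; the allow-list and the
scoring rules are this example's own assumptions.
"""
import re

# O2 (BHO) and O20 (Winlogon Notify) lines from the HijackThis log above.
HJT_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {8D5CED9F-53D5-4AF2-BCAD-601790EDB3B9} - C:\WINDOWS\system32\xxyyyxv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA90~1\Bar888.dll
O20 - Winlogon Notify: winsbp32 - C:\WINDOWS\SYSTEM32\winsbp32.dll
O20 - Winlogon Notify: xxyyyxv - C:\WINDOWS\SYSTEM32\xxyyyxv.dll
"""

# A subset of the ComboFix 'Files Created' section from the post above.
COMBOFIX_LOG = r"""
2007-01-05 17:17 22,541 ---hs---- C:\WINDOWS\system32\ljjhfgd.dll
2007-01-05 17:16 <DIR> d-------- C:\HijackThis
2007-01-02 22:00 22,541 ---hs---- C:\WINDOWS\system32\xxyyyxv.dll
2007-01-02 22:00 16,896 --a------ C:\WINDOWS\system32\winsbp32.dll
2007-01-02 21:38 68,960 --a------ C:\WINDOWS\system32\drivers\Pcatip.sys
2006-12-10 01:13 458,752 --a------ C:\WINDOWS\system32\IMagickRT.dll
2006-12-09 19:07 10 --a------ C:\WINDOWS\smdat32m.sys
"""

# Winlogon notification packages that ship with Windows XP. Assumption: an
# illustrative allow-list for this example, not an authoritative inventory.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

HJT_LINE = re.compile(r"^(O2|O20) - (?:BHO|Winlogon Notify): (.*)$")
CF_LINE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$")


def parse_hjt(text):
    """Yield (section, display name, file path) for O2 and O20 entries."""
    for line in text.splitlines():
        m = HJT_LINE.match(line)
        if m:
            # "name - {CLSID} - path" for O2, "name - path" for O20
            fields = [f.strip() for f in m.group(2).split(" - ")]
            yield m.group(1), fields[0], fields[-1]


def parse_combofix(text):
    """Yield one dict per file (directories skipped) in a 'Files Created' listing."""
    for line in text.splitlines():
        m = CF_LINE.match(line)
        if m and m.group(2) != "<DIR>":
            yield {"created": m.group(1), "size": int(m.group(2).replace(",", "")),
                   "attrs": m.group(3), "path": m.group(4)}


def triage(hjt_text, cf_text):
    """Return {lower-cased path: [reasons]} for files worth removing."""
    hits = {}

    def flag(path, why):
        hits.setdefault(path.lower(), []).append(why)

    for section, name, path in parse_hjt(hjt_text):
        in_sys32 = "\\system32\\" in path.lower()
        if section == "O20" and in_sys32 and name.lower() not in KNOWN_NOTIFY:
            flag(path, "Winlogon Notify package that is not part of Windows")
        if section == "O2" and in_sys32 and name == "(no name)":
            flag(path, "unnamed BHO loaded from system32")

    files = list(parse_combofix(cf_text))
    for f in files:
        p = f["path"].lower()
        if "\\system32\\" in p and "h" in f["attrs"] and "s" in f["attrs"]:
            flag(f["path"], "hidden+system file dropped into system32")
        if p.endswith(".sys") and "\\drivers\\" not in p:
            flag(f["path"], "driver file outside the drivers directory")

    # Companion rule: a file created in the same minute and directory as a
    # flagged one was almost certainly dropped by the same installer.
    stamps = {(f["created"], f["path"].rsplit("\\", 1)[0].lower())
              for f in files if f["path"].lower() in hits}
    for f in files:
        key = (f["created"], f["path"].rsplit("\\", 1)[0].lower())
        if key in stamps and f["path"].lower() not in hits:
            flag(f["path"], "created in the same minute as a flagged file")
    return hits


if __name__ == "__main__":
    for path, reasons in sorted(triage(HJT_LOG, COMBOFIX_LOG).items()):
        print(path, "<-", "; ".join(reasons))
```

Run against the two samples it yields exactly the four paths that get handed to Killbox in the next reply, with xxyyyxv.dll flagged three times (unnamed BHO, foreign Winlogon Notify package, hidden+system file) and the legitimate Pcatip.sys and IMagickRT.dll left alone. The O20 hit is the one that matters most: a Winlogon notification DLL is loaded by winlogon.exe at boot, before the user's shell and before most scanners, which is why a plain delete from a running session will not stick.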

#4 Buckeye_Sam (Malware Expert)

Posted 06 January 2007 - 08:12 AM

Let's get rid of the malware that still shows in that log and then we'll run a few scans to hopefully clean up the rest.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Delete Temp Files
    • Click Tools -> Delete Temp Files
    • Place a check mark in all locations that aren't greyed out. By default they should already be checked.
    • Click Delete Selected Temp Files
  • Once that completes, select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\ljjhfgd.dll
    C:\WINDOWS\system32\xxyyyxv.dll
    C:\WINDOWS\system32\winsbp32.dll
    C:\WINDOWS\smdat32m.sys



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
==============



I need to see a different type of log from HijackThis.
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file here in your next reply.
=============



Download and scan with the free 15 day trial of Counterspy
Save the report when it's finished:
  • Once CounterSpy has done scanning, the 'Scan Results' box will appear.
  • Click on 'View Results'.
  • Under (Recommended Action), using the drop-down menus at the side of each entry found, set EVERYTHING to Remove.
  • Then click on Take Action.
  • Once everything has been removed, click on View Details.
  • Copy and paste those details into your next reply here.
Also post a new HijackThis log.
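Killbox's "Delete on Reboot" option and the PendingFileRenameOperations prompt mentioned in the instructions above use the mechanism Windows itself provides for MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT: (source, destination) pairs are appended to the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager, and the session manager replays them early in the next boot, before winlogon has loaded any notification DLL. The following Python is an added example, not Killbox's code and not from the thread. It encodes that value format for the four paths listed above, decodes it pairwise (a delete is stored as an empty destination string, which defeats any MULTI_SZ reader that stops at the first empty string), and reports queued operations that have since disappeared, which is the condition Killbox logs as data "Removed by External Process". Everything runs offline on constructed bytes and never touches a registry.

```python
r"""Encode, decode and audit PendingFileRenameOperations.

Added example; not Killbox's code and not from the original thread.
Windows keeps delayed moves and deletes in the REG_MULTI_SZ value
  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
as (source, destination) pairs in NT path form (\??\C:\...). An empty
destination means delete; a destination starting with '!' means replace
an existing file. The session manager applies the list at the next boot.
"""

NT_PREFIX = "\\??\\"

# The four paths the helper asked Killbox to delete (from the thread).
KILLBOX_QUEUE = [
    ("C:\\WINDOWS\\system32\\ljjhfgd.dll", None),
    ("C:\\WINDOWS\\system32\\xxyyyxv.dll", None),
    ("C:\\WINDOWS\\system32\\winsbp32.dll", None),
    ("C:\\WINDOWS\\smdat32m.sys", None),
]


def encode_pending(ops):
    """Build raw REG_MULTI_SZ bytes for a list of (source, destination) pairs.

    destination None queues a delete; a str destination queues a move that
    overwrites the target (the '!' flag), which is how a clean copy of a
    system file is swapped in at boot.
    """
    strings = []
    for src, dst in ops:
        strings.append(NT_PREFIX + src)
        strings.append("" if dst is None else "!" + NT_PREFIX + dst)
    # Every string is NUL-terminated and the whole list ends with one more NUL.
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def _plain(path):
    """Strip the '!' replace flag and the NT prefix for readability."""
    if path.startswith("!"):
        path = path[1:]
    if path.startswith(NT_PREFIX):
        path = path[len(NT_PREFIX):]
    return path


def decode_pending(raw):
    """Parse raw REG_MULTI_SZ bytes pairwise into (source, destination|None).

    Deletes are stored with an empty destination string. A generic MULTI_SZ
    reader that treats an empty string as end-of-list would return only the
    first delete's source, so this reader splits on every NUL and pairs up.
    """
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]             # list terminator
    parts = text.split("\0")[:-1]    # drop the empty tail left by the last NUL
    if len(parts) % 2:
        raise ValueError("odd number of strings: not a valid rename list")
    return [(_plain(src), None if dst == "" else _plain(dst))
            for src, dst in zip(parts[0::2], parts[1::2])]


def missing_operations(queued, raw_now):
    """Return the queued operations that are no longer in the live value.

    This is the condition Killbox reports as 'PendingFileRenameOperations
    Registry Data has been Removed by External Process': something rewrote
    or cleared the value after the deletes were queued, so they would never
    have run at the reboot.
    """
    present = set(decode_pending(raw_now))
    return [op for op in queued if op not in present]


if __name__ == "__main__":
    raw = encode_pending(KILLBOX_QUEUE)
    for src, dst in decode_pending(raw):
        print("delete" if dst is None else f"move -> {dst}", src)
    # Simulate another process clearing the value before the reboot.
    print("lost:", missing_operations(KILLBOX_QUEUE, b"\0\0"))
```

On a live system read the value's raw bytes with RegQueryValueExW and feed them to decode_pending, rather than trusting a convenience wrapper that may already have split the MULTI_SZ at the first empty string; then compare against what you queued immediately before rebooting. If the entries are gone, as Killbox saw twice in the log that follows, the running malware (or a protective component of it) is rewriting the value, and the files will still be there after the restart.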

#5 msg83 (Topic Starter)

Posted 06 January 2007 - 10:00 PM

Hi Sam, as requested here are the 4 logs, in order: 'Killbox', 'HijackThis Uninstall List', 'CounterSpy' and 'HijackThis'.

Thanks again,
Nigel

Pocket Killbox version 2.0.0.881
Running on Windows XP as Katie and Nigel(Administrator)
was started @ Sunday, January 07, 2007, 2:16 PM

Killbox Closed(Exit) @ 2:16:57 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Katie and Nigel(Administrator)
was started @ Sunday, January 07, 2007, 2:17 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\ljjhfgd.dll


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\xxyyyxv.dll


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\winsbp32.dll


# 4 [Delete on Reboot]
Path = C:\WINDOWS\smdat32m.sys


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 2:19:23 PM
# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\ljjhfgd.dll


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\xxyyyxv.dll


# 7 [Delete on Reboot]
Path = C:\WINDOWS\system32\winsbp32.dll


# 8 [Delete on Reboot]
Path = C:\WINDOWS\smdat32m.sys


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 2:19:46 PM
Killbox Closed(Exit) @ 2:19:59 PM
__________________________________________________

Pocket Killbox version 2.0.0.881
Running on Windows XP as Katie and Nigel(Administrator)
was started @ Sunday, January 07, 2007, 2:32 PM

=========================================
UNINSTALL LIST (HIJACKTHIS)

7-Zip 4.42
Ad-Aware SE Personal
Adobe Bridge 1.0
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 8
Adobe Stock Photos 1.0
Apple Software Update
ArcSoft PhotoStudio 5
Audacity 1.2.6
Avance AC'97 Audio
AVG Free Edition
Azureus
BitTorrent 4.22.1
BlindWrite5
BootSkin
Cakewalk VST Adapter 4.4.4.0
Canon CanoScan Toolbox 4.1
Cashbook Complete
CDRWIN
CloneCD
CoffeeCup HTML Editor 2006
CoffeeCup VisualSite Designer
CrazyTalk v4.0 Media Studio
digitalmax online Print Wizard 4.0.4.2
DivX Codec
DivX Content Uploader
DivX Converter
DivX Player
DivX Web Player
D-Link DSLs
DreamStation DXi2
DVD X Player 4.0 Professional
DVD-CLONER V3.40 Build 899
EPSON Printer Software
Genius Scanner
Google SketchUp
Google Toolbar for Firefox
GTA San Andreas
HijackThis 1.99.1
HSP56 MicroModem Drivers
iClone v1.0 Studio
iTunes
J2SE Runtime Environment 5.0 Update 9
Kazaa 3.2.7
LimeWire PRO 4.12.3
Magic ISO Maker v5.3 (build 0229)
Microsoft Office FrontPage 2003
Microsoft Office Professional Edition 2003
mIRC
Mozilla Firefox (1.5.0.9)
Mozilla Thunderbird (1.5)
MSXML 4.0 SP2 (KB927978)
Multi Theft Auto
Native Instruments Guitar Rig v1.1.2
Nero 6 Ultra Edition
Nero Digital
Network Play System (Patching)
PE Builder 3.1.10a
Power2Go 5.0
QuickTime
RealPlayer
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Skype 2.5
SkypeMate
SmartFTP Client 2.0
SmartFTP Client 2.0 Setup Files (remove only)
Sonar Producer Edition v4.0.2
Spybot - Search & Destroy 1.4
StuffIt Standard
The Sims
Update for Windows XP (KB894391)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
VIA Rhine-Family Fast Ethernet Adapter
ViArt Shop Evaluation 2.8
VST Bridge 1.0
WindowBlinds
Windows Installer 3.1 (KB893803)
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinISO 5.3
Wondershare Photo Collage Studio (1.2.5.0)

=============================
COUNTERSPY

Spyware Scan Details
Start Date: 1/7/2007 2:42:16 PM
End Date: 1/7/2007 3:34:53 PM
Total Time: 52 mins 37 secs

Detected spyware

KaZaA P2P
Details: Kazaa is a Peer to Peer file sharing application that uses some adware advertising as well as installs a number of third party adware software on your computer.
Status: Deleted

Infected files detected

Infected registry entries detected
HKEY_CURRENT_USER\software\kazaa\Channels\WEBSEARCH IconFile
HKEY_CURRENT_USER\software\kazaa\Channels\WEBSEARCH Mandatory 1
HKEY_CURRENT_USER\software\kazaa\Channels\WEBSEARCH Visible 1
HKEY_CURRENT_USER\software\kazaa\Channels\WEBSEARCH Position 2
HKEY_CURRENT_USER\software\kazaa\Channels\WEBSEARCH NotAdded 0
HKEY_CURRENT_USER\software\kazaa\Channels\WEBSEARCH Uninstalled 0
HKEY_CURRENT_USER\software\kazaa\DontShow CloseToSystray 1
HKEY_CURRENT_USER\software\kazaa\InstantMessaging IgnoreAll 1
HKEY_CURRENT_USER\software\kazaa\Kazaa\MyKazaaStates My Media 1
HKEY_CURRENT_USER\software\kazaa\Kazaa\MyKazaaStates My Kapsules 0
HKEY_CURRENT_USER\software\kazaa\Kazaa\MyKazaaStates My Playlists 1
HKEY_CURRENT_USER\software\kazaa\Kazaa\Settings WindowPos 0,3,-1,-1,-1,-1,66,87,834,617
HKEY_CURRENT_USER\software\kazaa\Kazaa\Settings SACol1 75
HKEY_CURRENT_USER\software\kazaa\Kazaa\Settings SACol2 50
HKEY_CURRENT_USER\software\kazaa\Kazaa\Settings SACol3 125
HKEY_CURRENT_USER\software\kazaa\LocalContent ChannelsDir C:\Program Files\Kazaa\My Channels
HKEY_CURRENT_USER\software\kazaa\LocalContent SearchAgents C:\Program Files\Kazaa\My Search Agents
HKEY_CURRENT_USER\software\kazaa\LocalContent DisableListFiles 0
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 DAPStart 1165645287
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 StartHour 0
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 EndHour 1439
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 ShowBann 1
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 PrCode 11628
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 ExpsNum 40
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 ExpsCnt 0
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 ExpsLast 0
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 BannNum 1
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 BannCnt 0
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 FileTerm htm
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 OrigFileTerm htm
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 StartDate 1123477224
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 EndDate 1165990884
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 DAPUrl Nothing
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 Url Nothing
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 ConfStr ???
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 BannUrl http://jcontent.bns1.net/bns/new/a_106800.htm
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 Type 12
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 CycleInter 2
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 RndStr 14795702
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 RefClickCnt 0
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 RefExpsCnt 0
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 ExpsMSecCnt 4096
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0\Seqn_1068 ActvMSecCnt 4096
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0 SeqnList
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0 SeqnNum 1
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0\Level_0 MinCycle 0
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0 DeftExpsLen 100
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_0 Passive 1
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 DAPStart 1165645289
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 StartHour 0
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 EndHour 1439
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 ShowBann 1
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 PrCode 9061
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 ExpsNum 40
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 ExpsCnt 5
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 ExpsLast 0
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 BannNum 1
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 BannCnt 0
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 FileTerm gif
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 OrigFileTerm gif
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\Loct_1\Level_0\Seqn_4492 StartDate 1116997224
HKEY_CURRENT_USER\software\kazaa\Promotions\Cydoor\Adwr_329\L

#6 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:44 AM

Posted 07 January 2007 - 03:43 PM

That log was too large and ran over. I don't necessarily need to see the rest of it, but I do need to see a new hijackthis log. :thumbsup:
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 msg83

msg83
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:44 PM

Posted 08 January 2007 - 01:55 AM

Ah, my apologies, I probably should have checked that.

Here is the HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 3:52:20 PM, on 1/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\SkypeMate\SkypeMate.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunServer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {8D5CED9F-53D5-4AF2-BCAD-601790EDB3B9} - C:\WINDOWS\system32\xxyyyxv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA90~1\Bar888.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA90~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [SkypeMate] C:\Program Files\SkypeMate\SkypeMate.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\PROGRA~1\BITTOR~1\BITTOR~1.EXE" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [CounterSpyCleaner] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunASCleaner.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://photo.digitalmax.co.nz/en/ImageUploader4.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winsbp32 - C:\WINDOWS\SYSTEM32\winsbp32.dll
O20 - Winlogon Notify: xxyyyxv - C:\WINDOWS\SYSTEM32\xxyyyxv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCtel speaker phone (pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe

#8 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:44 AM

Posted 09 January 2007 - 04:12 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix Checked button.

O2 - BHO: (no name) - {8D5CED9F-53D5-4AF2-BCAD-601790EDB3B9} - C:\WINDOWS\system32\xxyyyxv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA90~1\Bar888.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA90~1\Bar888.dll (file missing)
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O20 - Winlogon Notify: winsbp32 - C:\WINDOWS\SYSTEM32\winsbp32.dll
O20 - Winlogon Notify: xxyyyxv - C:\WINDOWS\SYSTEM32\xxyyyxv.dll



Delete these files with Killbox.

C:\WINDOWS\SYSTEM32\winsbp32.dll
C:\WINDOWS\SYSTEM32\xxyyyxv.dll




Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.



========================================================

#9 msg83

msg83
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:44 PM

Posted 10 January 2007 - 01:04 AM

Hi Sam, I have completed both of those requests, but I notice that when I use Killbox to delete C:\WINDOWS\SYSTEM32\winsbp32.dll & C:\WINDOWS\SYSTEM32\xxyyyxv.dll they appear again in the HJT scan.

Anyway, here are the two scans:



Incident Status Location

Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\xxyyyxv.dll
Adware:Adware/Maxifiles Not disinfected C:\WINDOWS\system32\winsbp32.dll
Adware:adware/cydoor Not disinfected c:\windows\cdmxtras
Potentially unwanted tool:application/altnet Not disinfected hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\AltnetDM
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\winsbp32.dll
Adware:Adware/Maxifiles Not disinfected C:\!KillBox\winsbp32.dll( 2)
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\xxyyyxv.dll
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\xxyyyxv.dll( 1)
Spyware:Spyware/Virtumonde Not disinfected C:\!KillBox\xxyyyxv.dll( 3)
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Katie and Nigel\Cookies\katie and nigel@atdmt[2].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Katie and Nigel\Cookies\katie and nigel@com[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Katie and Nigel\Cookies\katie and nigel@doubleclick[1].txt
Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Katie and Nigel\Cookies\katie and nigel@mediaplex[1].txt
Spyware:Spyware/Virtumonde Not disinfected C:\HijackThis\backups\backup-20070110-164507-789.dll
Spyware:Spyware/Virtumonde Not disinfected C:\HijackThis\backups\backup-20070110-164608-718.dll
Spyware:Spyware/Virtumonde Not disinfected C:\HijackThis\backups\backup-20070110-164800-265.dll
Spyware:Cookie/YieldManager Not disinfected C:\old hdd\Documents and Settings\katieandnigel\Cookies\katieandnigel@ad.yieldmanager[1].txt
Spyware:Cookie/Belnk Not disinfected C:\old hdd\Documents and Settings\katieandnigel\Cookies\katieandnigel@belnk[1].txt
Spyware:Cookie/BurstNet Not disinfected C:\old hdd\Documents and Settings\katieandnigel\Cookies\katieandnigel@burstnet[1].txt
Spyware:Cookie/Com.com Not disinfected C:\old hdd\Documents and Settings\katieandnigel\Cookies\katieandnigel@com[1].txt
Spyware:Cookie/Belnk Not disinfected C:\old hdd\Documents and Settings\katieandnigel\Cookies\katieandnigel@dist.belnk[2].txt
Spyware:Cookie/Go Not disinfected C:\old hdd\Documents and Settings\katieandnigel\Cookies\katieandnigel@go[2].txt
Spyware:Cookie/Itrack Not disinfected C:\old hdd\Documents and Settings\katieandnigel\Cookies\katieandnigel@ilead.itrack[1].txt
Spyware:Cookie/Toplist Not disinfected C:\old hdd\Documents and Settings\katieandnigel\Cookies\katieandnigel@toplist[1].txt
Spyware:Cookie/Xiti Not disinfected C:\old hdd\Documents and Settings\katieandnigel\Cookies\katieandnigel@xiti[1].txt
Spyware:Cookie/Yadro Not disinfected C:\old hdd\Documents and Settings\katieandnigel\Cookies\katieandnigel@yadro[1].txt
Potentially unwanted tool:Application/Need2Find Not disinfected C:\Program Files\Mozilla Firefox\plugins\NPNd2fn.dll


Logfile of HijackThis v1.99.1
Scan saved at 7:03:27 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\pctspk.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.nz/
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {8D5CED9F-53D5-4AF2-BCAD-601790EDB3B9} - C:\WINDOWS\system32\xxyyyxv.dll
O4 - HKLM\..\Run: [SoundMan] soundman.exe
O4 - HKLM\..\Run: [CountrySelection] pctptt.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [BootSkin Startup Jobs] "C:\PROGRA~1\Stardock\WINCUS~1\BootSkin\BootSkin.exe" /StartupJobs
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [CloneCDElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\Elaborate Bytes\CloneCD\CloneCDTray.exe"
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [SkypeMate] C:\Program Files\SkypeMate\SkypeMate.exe
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [BitTorrent] "C:\PROGRA~1\BITTOR~1\BITTOR~1.EXE" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E5E167B-1566-4316-B27F-0DDAB3484CF7} (Image Uploader Control) - http://photo.digitalmax.co.nz/en/ImageUploader4.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: winsbp32 - C:\WINDOWS\SYSTEM32\winsbp32.dll
O20 - Winlogon Notify: xxyyyxv - C:\WINDOWS\SYSTEM32\xxyyyxv.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: PCtel speaker phone (pctspk) - PCtel, Inc. - C:\WINDOWS\system32\pctspk.exe
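A way to automate the first pass Buckeye_Sam did by eye on the log in #8, and to explain what msg83 saw in #9 (the two DLLs coming back after Killbox): this is an added example, not code from the thread or from HijackThis. It parses the O2/O3/O16/O20 entries, flags the same patterns, and cross-references DLLs that are registered both as a BHO and as a Winlogon Notify package. The sample entries are copied from the log posted above; the allowlist of standard Winlogon Notify packages, the heuristics and the severity labels are this example's own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section code the rule fired on, e.g. "O20"
    target: str    # file path or CLSID the rule fired on
    reason: str
    severity: str  # "critical", "high", "medium" or "low"


RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Winlogon Notify packages that ship with XP SP2.  Assumed allowlist for this
# example; HJT 1.99 already hides most defaults, so anything it lists deserves a look.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

ENTRY = re.compile(r"^(?P<sec>O\d+) - (?P<body>.+)$")
BHO = re.compile(r"^(?:BHO|Toolbar): (?P<name>.*?) - \{(?P<clsid>[^}]*)\} - (?P<path>.*)$")
DPF = re.compile(r"^DPF: \{(?P<clsid>[^}]*)\}(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$")
NOTIFY = re.compile(r"^Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
SYSTEM32 = re.compile(r"^[A-Za-z]:\\WINDOWS\\SYSTEM32\\", re.IGNORECASE)

# Constructed sample: entries copied from the HijackThis log posted in this thread,
# a mix of benign and suspicious lines.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {8D5CED9F-53D5-4AF2-BCAD-601790EDB3B9} - C:\WINDOWS\system32\xxyyyxv.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA90~1\Bar888.dll (file missing)
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3CA90~1\Bar888.dll (file missing)
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O16 - DPF: {1D6711C8-7154-40BB-8380-3DEA45B69CBF} -
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O20 - Winlogon Notify: winsbp32 - C:\WINDOWS\SYSTEM32\winsbp32.dll
O20 - Winlogon Notify: xxyyyxv - C:\WINDOWS\SYSTEM32\xxyyyxv.dll
"""


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _stem(name: str) -> str:
    return name[:-4] if name.endswith(".dll") else name


def triage(log_text: str) -> list[Finding]:
    """Return findings for an HJT log, most severe first."""
    findings: list[Finding] = []
    bho_dlls: dict[str, str] = {}     # basename -> path, from O2/O3 entries
    notify_dlls: dict[str, str] = {}  # basename -> path, from O20 entries
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue
        sec, body = m["sec"], m["body"]
        if sec in ("O2", "O3") and (b := BHO.match(body)):
            path = b["path"]
            if path.endswith("(file missing)"):
                # Registration survives but the DLL is gone: harmless, but worth cleaning up.
                path = path[:-len("(file missing)")].strip()
                findings.append(Finding(sec, path, "registration points at a missing file", "low"))
                continue
            if b["name"] == "(no name)" and SYSTEM32.match(path):
                # Legitimate BHOs almost always carry a name; an unnamed one loading
                # from system32 is the pattern flagged in this thread.
                findings.append(Finding(sec, path, "unnamed BHO loading from system32", "high"))
            bho_dlls[_basename(path)] = path
        elif sec == "O16" and (d := DPF.match(body)):
            if not d["url"]:
                findings.append(Finding(sec, d["clsid"],
                                        "downloaded program file with no source URL", "medium"))
        elif sec == "O20" and (n := NOTIFY.match(body)):
            path = n["path"]
            notify_dlls[_basename(path)] = path
            if _stem(_basename(path)) not in KNOWN_NOTIFY:
                findings.append(Finding(sec, path,
                                        "Winlogon Notify DLL outside the standard set; "
                                        "loaded into winlogon.exe at every logon", "high"))
    # A DLL registered as both BHO and Winlogon Notify is held open by winlogon.exe,
    # so deleting it from a normal session does not stick, as seen in this thread.
    for name in bho_dlls.keys() & notify_dlls.keys():
        findings.append(Finding("O2+O20", notify_dlls[name],
                                "same DLL registered as BHO and Winlogon Notify; "
                                "expect it to survive in-session deletion", "critical"))
    return sorted(findings, key=lambda f: RANK[f.severity])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:>8}] {f.section:<6} {f.target}")
        print(f"           {f.reason}")
```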

#10 msg83

msg83
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:44 PM

Posted 11 January 2007 - 04:01 AM

Ok, just a small update on something I have noticed. When I open Windows Task Manager I can see a bunch of running processes which appear pretty abnormal, i.e.:

iddF1E.tmp.exe
iddF0E.tmp.exe
iddF14.tmp.exe
winF04.tmp.exe

I'm not sure if this helps at all.

Thanks again

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:03:44 AM

Posted 11 January 2007 - 07:43 AM

I should say that it is abnormal. I would like to have you run this virus scan for me.

Please run the F-Secure Online Scanner

Note: This Scanner is for Internet Explorer Only!
  • Follow the instructions on the F-Secure page for proper installation.
  • Accept the License Agreement.
  • Once the ActiveX installs, click Full System Scan.
  • Once the download completes, the scan will begin automatically.
  • The scan will take some time to finish, so please be patient.
  • When the scan completes, click the Automatic cleaning (recommended) button.
  • Click the Show Report button and copy and paste the entire report in your next reply.
And also post a new log from Combofix.


========================================================

#12 msg83

msg83
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:44 PM

Posted 12 January 2007 - 02:29 AM

Scanning Report
Friday, January 12, 2007 17:01:32 - 20:24:49
Computer name: HOMEPC
Scanning type: Scan system for viruses, rootkits, spyware
Target: C:\


--------------------------------------------------------------------------------

Result: 21 malware found
Packed.Win32.Klone.g (virus)
C:\WINDOWS\TEMP\WINED2.TMP.EXE (Submitted)
C:\WINDOWS\TEMP\WINF04.TMP.EXE (Submitted)
C:\WINDOWS\TEMP\WINF1E.TMP.EXE (Submitted)
C:\WINDOWS\TEMP\WINF20.TMP.EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\KATIE AND NIGEL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\GXQZOTM7\SRVMNV[1].EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\KATIE AND NIGEL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\GXQZOTM7\SRVRJP[1].EXE (Submitted)
C:\DOCUMENTS AND SETTINGS\KATIE AND NIGEL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\4TIJGLUJ\SRVBTS[1].EXE (Submitted)
Packed.Win32.Klone.t (virus)
C:\WINDOWS\SYSTEM32\WINSBP32.DLL (Submitted)
C:\!KILLBOX\WINSBP32.DLL (Submitted)
Tracking Cookie (spyware)
System (Disinfected)
System
System
System
System
System
System
System (Submitted)
System
System
W32/Banker.WXR (virus)
C:\DOWNLOADS\FIRST INSTALL SOFTWARE\CYBERLINK POWER2GO\POWER2GO.EXE (Submitted)
W32/DLoader.LR (virus)
C:\DOWNLOADS\WEBCAMERA_V1.2\MULTIDRIVERS\INF.EXE

--------------------------------------------------------------------------------

Statistics
Scanned:
Files: 57185
System: 4369
Not scanned: 4
Actions:
Disinfected: 1
Renamed: 0
Deleted: 0
None: 20
Submitted: 11
Files not scanned:
C:\HIBERFIL.SYS
C:\PAGEFILE.SYS
C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT
C:\DOCUMENTS AND SETTINGS\KATIE AND NIGEL\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\0H2ZG9QJ\LO1[1]

#13 msg83

msg83
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  • Local time:09:44 PM

Posted 12 January 2007 - 02:34 AM

Katie and Nigel - 07-01-12 20:29:29.42 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Katie and Nigel\Desktop\Malware Fix"

((((((((((((((((((((((((((((((( Files Created from 2006-12-12 to 2007-01-12 ))))))))))))))))))))))))))))))))))


2007-01-12 20:28 277,044 --a------ C:\WINDOWS\system32\hgghf.dll
2007-01-12 20:28 277,044 --a------ C:\WINDOWS\system32\geecd.dll
2007-01-12 20:27 277,044 --a------ C:\WINDOWS\system32\yabcy.dll
2007-01-11 22:01 <DIR> d-------- C:\WINDOWS\pss
2007-01-10 16:54 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-07 14:35 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-01-07 14:35 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-01-07 14:16 <DIR> d-------- C:\!KillBox
2007-01-07 13:34 57,344 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2007-01-07 13:33 <DIR> d-------- C:\Program Files\CDRWIN
2007-01-05 17:17 22,541 --------- C:\WINDOWS\system32\ljjhfgd.dll
2007-01-05 17:16 <DIR> d-------- C:\HijackThis
2007-01-05 16:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2007-01-05 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-01-04 16:54 106 --a------ C:\delete.bat
2007-01-04 16:52 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-01-03 21:31 <DIR> d-------- C:\Program Files\MagicISO
2007-01-02 22:00 22,541 --------- C:\WINDOWS\system32\xxyyyxv.dll
2007-01-02 22:00 16,896 --------- C:\WINDOWS\system32\winsbp32.dll
2007-01-02 21:46 <DIR> d-------- C:\Program Files\WinISO
2007-01-02 21:38 68,960 --a------ C:\WINDOWS\system32\drivers\Pcatip.sys
2007-01-02 21:38 39,488 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-01-02 21:38 <DIR> d-------- C:\Program Files\VSO
2007-01-02 15:11 <DIR> d-------- C:\Program Files\7-Zip
2006-12-31 01:10 <DIR> d-------- C:\Program Files\Azureus
2006-12-31 01:10 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Azureus
2006-12-31 01:07 <DIR> d-------- C:\WINDOWS\Sun
2006-12-31 01:07 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Sun
2006-12-29 20:55 <DIR> d-------- C:\Program Files\SmartFTP Client 2.0 Setup Files
2006-12-29 20:55 <DIR> d-------- C:\Program Files\SmartFTP Client 2.0
2006-12-29 20:55 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\SmartFTP
2006-12-29 19:11 <DIR> d-------- C:\Program Files\mIRC
2006-12-23 10:17 <DIR> d-------- C:\Program Files\Common Files\Reallusion
2006-12-22 20:40 <DIR> d-------- C:\Program Files\QuickTime
2006-12-22 20:40 <DIR> d-------- C:\Program Files\iTunes
2006-12-22 20:40 <DIR> d-------- C:\Program Files\iPod
2006-12-22 20:40 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Apple Computer
2006-12-22 20:39 <DIR> d-------- C:\Program Files\Apple Software Update
2006-12-22 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-12-13 21:58 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-13 21:58 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Lavasoft


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-12 16:22 -------- d-------- C:\Program Files\Mozilla Firefox
2007-01-12 16:14 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Skype
2007-01-11 19:38 -------- d-------- C:\Program Files\Mozilla Thunderbird
2007-01-10 19:56 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\AVG7
2007-01-10 18:25 -------- d-------- C:\Program Files\ScannerU
2007-01-10 18:20 -------- d-------- C:\Program Files\Internet Explorer
2007-01-10 17:22 -------- d-------- C:\Program Files\Windows Media Player
2007-01-08 12:56 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\BitTorrent
2007-01-06 10:55 -------- d-------- C:\Program Files\Common Files
2006-12-30 23:50 -------- d---s---- C:\Documents and Settings\Katie and Nigel\Application Data\Microsoft
2006-12-23 10:17 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-23 10:17 -------- d-------- C:\Program Files\Reallusion
2006-12-15 03:07 -------- d-------- C:\Program Files\Morpheus
2006-12-15 03:00 -------- d-------- C:\Program Files\Outlook Express
2006-12-15 03:00 -------- d-------- C:\Program Files\Common Files\System
2006-12-13 19:53 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-13 19:53 -------- d-------- C:\Program Files\Adobe
2006-12-13 19:53 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Adobe
2006-12-13 07:55 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\LimeWire
2006-12-10 11:56 -------- d-------- C:\Program Files\eMule
2006-12-09 19:22 -------- d-------- C:\Program Files\MorpheusBar
2006-12-09 17:31 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Reallusion
2006-12-08 17:57 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Real
2006-12-08 17:56 -------- d-------- C:\Program Files\Common Files\xing shared
2006-12-08 17:56 -------- d-------- C:\Program Files\Common Files\Real
2006-12-08 17:55 -------- d-------- C:\Program Files\Real
2006-12-07 20:18 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\DivX
2006-12-07 19:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-06 18:14 -------- d-------- C:\Program Files\DivX
2006-12-06 18:13 -------- d-------- C:\Program Files\Google
2006-12-03 21:43 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-03 21:43 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-03 21:43 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-03 21:43 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-03 21:43 18240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-03 09:54 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\CyberLink
2006-12-03 09:53 -------- d-------- C:\Program Files\CyberLink
2006-12-02 17:59 14 --a------ C:\WINDOWS\system32\systeminfo.dll
2006-12-02 17:59 -------- d-------- C:\Program Files\DVD X Studios
2006-11-26 20:33 -------- d-------- C:\Program Files\Digitalmax
2006-11-26 03:00 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-24 17:48 -------- d-------- C:\Program Files\ImTOO
2006-11-23 20:06 -------- d-------- C:\Program Files\Elaborate Bytes
2006-11-23 16:19 -------- d-------- C:\Program Files\Multi Theft Auto
2006-11-23 15:56 -------- d-------- C:\Program Files\AvRack
2006-11-23 15:31 -------- d-------- C:\Program Files\Audacity
2006-11-23 11:50 -------- d-------- C:\Program Files\ViArt_shop_evaluation
2006-11-22 21:22 -------- d-------- C:\Program Files\CoffeeCup Software
2006-11-20 20:45 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\ArcSoft
2006-11-20 20:42 -------- d-------- C:\Program Files\Canon
2006-11-20 20:41 -------- d-------- C:\Program Files\ArcSoft
2006-11-19 17:27 -------- d-------- C:\Program Files\D-Link DSLs
2006-11-16 10:01 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-11-16 10:01 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-11-16 10:01 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-11-16 10:01 116984 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-11-16 10:01 115960 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-11-16 10:01 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-11-16 09:56 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-11-16 09:56 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-11-16 09:56 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-11-16 09:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-11-16 09:56 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-11-16 09:56 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-11-16 09:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-11-16 09:56 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-11-16 09:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-11-16 09:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-11-16 09:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-11-16 09:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-11-16 09:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-11-16 09:36 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-11-14 20:02 -------- d-------- C:\Program Files\Electronic Arts
2006-11-14 19:57 -------- d-------- C:\Program Files\Maxis
2006-11-13 21:28 -------- d-------- C:\Program Files\BitTorrent
2006-11-08 18:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 13:25 118784 --a------ C:\WINDOWS\dsdxirmv.exe
2006-10-31 22:02 499712 --------- C:\WINDOWS\system32\msvcp71.dll
2006-10-31 22:02 348160 --------- C:\WINDOWS\system32\msvcr71.dll
2006-10-29 02:12 62 --ahs---- C:\Documents and Settings\Katie and Nigel\Application Data\desktop.ini
2006-10-28 13:25 0 -rahs---- C:\MSDOS.SYS
2006-10-28 13:25 0 -rahs---- C:\IO.SYS
2006-10-28 13:25 0 --a------ C:\CONFIG.SYS
2006-10-28 13:25 0 --a------ C:\AUTOEXEC.BAT
2006-10-20 02:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-14 01:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-14 01:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-14 01:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SkypeMate"="C:\\Program Files\\SkypeMate\\SkypeMate.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Power2GoExpress"=""
"BitTorrent"="\"C:\\PROGRA~1\\BITTOR~1\\BITTOR~1.EXE\" --force_start_minimized"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="soundman.exe"
"CountrySelection"="pctptt.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"BootSkin Startup Jobs"="\"C:\\PROGRA~1\\Stardock\\WINCUS~1\\BootSkin\\BootSkin.exe\" /StartupJobs"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"CloneCDElbyCDFL"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"CloneCDTray"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\CloneCDTray.exe\""
"snpstd3"="C:\\WINDOWS\\vsnpstd3.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunServer"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{8D5CED9F-53D5-4AF2-BCAD-601790EDB3B9}"=""
"{076394AD-7FDD-44EF-A075-32C68DBAB99B}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsbp32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyyxv

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\BitTorrent.job
C:\WINDOWS\tasks\closeme.job
C:\WINDOWS\tasks\LimeWire PRO 4.12.job

Completion time: 07-01-12 20:30:57.53
C:\ComboFix.txt ... 07-01-12 20:30
C:\ComboFix2.txt ... 07-01-06 10:56

#14 Buckeye_Sam

Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 12 January 2007 - 07:33 PM

For this next step, copy Combofix.exe directly onto your desktop. You can remove it again after this step.

Click Start -> Run
Copy the command below and paste it into the Run box and click Ok.

"%userprofile%\desktop\combofix.exe" /v hgghf geecd yabcy ljjhfgd xxyyyxv winsbp32

When it's done running it will produce a log for you. Please post that log in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#15 msg83

  • Topic Starter
  • Members
  • 10 posts

Posted 12 January 2007 - 07:56 PM

Katie and Nigel - 07-01-13 13:49:44.45 Service Pack 2
ComboFix 06.11.27 - Running from: "C:\Documents and Settings\Katie and Nigel\desktop"
Command switches used :: /v hgghf geecd yabcy ljjhfgd xxyyyxv winsbp32

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\hgghf.dll
C:\WINDOWS\system32\geecd.dll
C:\WINDOWS\system32\yabcy.dll
C:\WINDOWS\system32\ljjhfgd.dll
C:\WINDOWS\system32\xxyyyxv.dll
C:\WINDOWS\system32\winsbp32.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Inetget2
C:\Program Files\Common Files\{CCA90367-0682-1033-0811-030918200001}


((((((((((((((((((((((((((((((( Files Created from 2006-12-13 to 2007-01-13 ))))))))))))))))))))))))))))))))))


2007-01-12 22:16 <DIR> d-------- C:\Program Files\Ipwindows
2007-01-12 22:13 22,541 ---hs---- C:\WINDOWS\system32\khfebxx.dll
2007-01-12 22:05 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-12 22:05 <DIR> d-------- C:\Program Files\Trend Micro
2007-01-11 22:01 <DIR> d-------- C:\WINDOWS\pss
2007-01-10 16:54 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-01-07 14:35 <DIR> d-------- C:\WINDOWS\Downloaded Installations
2007-01-07 14:35 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-01-07 14:16 <DIR> d-------- C:\!KillBox
2007-01-07 13:34 57,344 --a------ C:\WINDOWS\system32\WNASPINT.DLL
2007-01-07 13:33 <DIR> d-------- C:\Program Files\CDRWIN
2007-01-05 17:16 <DIR> d-------- C:\HijackThis
2007-01-05 16:43 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2007-01-05 16:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-01-04 16:54 212 --a------ C:\delete.bat
2007-01-04 16:52 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-01-03 21:31 <DIR> d-------- C:\Program Files\MagicISO
2007-01-02 21:46 <DIR> d-------- C:\Program Files\WinISO
2007-01-02 21:38 68,960 --a------ C:\WINDOWS\system32\drivers\Pcatip.sys
2007-01-02 21:38 39,488 --a------ C:\WINDOWS\system32\drivers\Pcouffin.sys
2007-01-02 21:38 <DIR> d-------- C:\Program Files\VSO
2007-01-02 15:11 <DIR> d-------- C:\Program Files\7-Zip
2006-12-31 01:10 <DIR> d-------- C:\Program Files\Azureus
2006-12-31 01:10 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Azureus
2006-12-31 01:07 <DIR> d-------- C:\WINDOWS\Sun
2006-12-31 01:07 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Sun
2006-12-29 20:55 <DIR> d-------- C:\Program Files\SmartFTP Client 2.0 Setup Files
2006-12-29 20:55 <DIR> d-------- C:\Program Files\SmartFTP Client 2.0
2006-12-29 20:55 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\SmartFTP
2006-12-29 19:11 <DIR> d-------- C:\Program Files\mIRC
2006-12-23 10:17 <DIR> d-------- C:\Program Files\Common Files\Reallusion
2006-12-22 20:40 <DIR> d-------- C:\Program Files\QuickTime
2006-12-22 20:40 <DIR> d-------- C:\Program Files\iTunes
2006-12-22 20:40 <DIR> d-------- C:\Program Files\iPod
2006-12-22 20:40 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Apple Computer
2006-12-22 20:39 <DIR> d-------- C:\Program Files\Apple Software Update
2006-12-22 20:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2006-12-13 21:58 <DIR> d-------- C:\Program Files\Lavasoft
2006-12-13 21:58 <DIR> d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Lavasoft


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-13 13:50 -------- d-------- C:\Program Files\Common Files
2007-01-13 13:42 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Skype
2007-01-12 16:22 -------- d-------- C:\Program Files\Mozilla Firefox
2007-01-11 19:38 -------- d-------- C:\Program Files\Mozilla Thunderbird
2007-01-10 19:56 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\AVG7
2007-01-10 18:25 -------- d-------- C:\Program Files\ScannerU
2007-01-10 18:20 -------- d-------- C:\Program Files\Internet Explorer
2007-01-10 17:22 -------- d-------- C:\Program Files\Windows Media Player
2007-01-08 12:56 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\BitTorrent
2006-12-30 23:50 -------- d---s---- C:\Documents and Settings\Katie and Nigel\Application Data\Microsoft
2006-12-23 10:17 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-12-23 10:17 -------- d-------- C:\Program Files\Reallusion
2006-12-15 03:00 -------- d-------- C:\Program Files\Outlook Express
2006-12-15 03:00 -------- d-------- C:\Program Files\Common Files\System
2006-12-13 19:53 -------- d-------- C:\Program Files\Common Files\Adobe
2006-12-13 19:53 -------- d-------- C:\Program Files\Adobe
2006-12-13 19:53 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Adobe
2006-12-13 07:55 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\LimeWire
2006-12-10 11:56 -------- d-------- C:\Program Files\eMule
2006-12-09 17:31 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Reallusion
2006-12-08 17:57 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\Real
2006-12-08 17:56 -------- d-------- C:\Program Files\Common Files\xing shared
2006-12-08 17:56 -------- d-------- C:\Program Files\Common Files\Real
2006-12-08 17:55 -------- d-------- C:\Program Files\Real
2006-12-07 20:18 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\DivX
2006-12-07 19:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-06 18:14 -------- d-------- C:\Program Files\DivX
2006-12-06 18:13 -------- d-------- C:\Program Files\Google
2006-12-03 21:43 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-12-03 21:43 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-12-03 21:43 3968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-12-03 21:43 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-12-03 21:43 18240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-12-03 09:54 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\CyberLink
2006-12-03 09:53 -------- d-------- C:\Program Files\CyberLink
2006-12-02 17:59 14 --a------ C:\WINDOWS\system32\systeminfo.dll
2006-12-02 17:59 -------- d-------- C:\Program Files\DVD X Studios
2006-11-26 20:33 -------- d-------- C:\Program Files\Digitalmax
2006-11-26 03:00 -------- d-------- C:\Program Files\MSXML 4.0
2006-11-24 17:48 -------- d-------- C:\Program Files\ImTOO
2006-11-23 20:06 -------- d-------- C:\Program Files\Elaborate Bytes
2006-11-23 16:19 -------- d-------- C:\Program Files\Multi Theft Auto
2006-11-23 15:56 -------- d-------- C:\Program Files\AvRack
2006-11-23 15:31 -------- d-------- C:\Program Files\Audacity
2006-11-23 11:50 -------- d-------- C:\Program Files\ViArt_shop_evaluation
2006-11-22 21:22 -------- d-------- C:\Program Files\CoffeeCup Software
2006-11-20 20:45 -------- d-------- C:\Documents and Settings\Katie and Nigel\Application Data\ArcSoft
2006-11-20 20:42 -------- d-------- C:\Program Files\Canon
2006-11-20 20:41 -------- d-------- C:\Program Files\ArcSoft
2006-11-19 17:27 -------- d-------- C:\Program Files\D-Link DSLs
2006-11-16 10:01 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-11-16 10:01 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-11-16 10:01 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-11-16 10:01 116984 --------- C:\WINDOWS\system32\pxinsi64.exe
2006-11-16 10:01 115960 --------- C:\WINDOWS\system32\pxcpyi64.exe
2006-11-16 10:01 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-11-16 09:56 806912 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-11-16 09:56 806912 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-11-16 09:56 790528 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-11-16 09:56 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-11-16 09:56 635486 --a------ C:\WINDOWS\system32\DivX.dll
2006-11-16 09:56 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-11-16 09:56 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-11-16 09:56 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-11-16 09:56 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-11-16 09:56 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-11-16 09:56 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-11-16 09:56 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-11-16 09:36 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-11-16 09:36 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-11-14 20:02 -------- d-------- C:\Program Files\Electronic Arts
2006-11-14 19:57 -------- d-------- C:\Program Files\Maxis
2006-11-13 21:28 -------- d-------- C:\Program Files\BitTorrent
2006-11-08 18:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll
2006-11-04 13:25 118784 --a------ C:\WINDOWS\dsdxirmv.exe
2006-10-31 22:02 499712 --------- C:\WINDOWS\system32\msvcp71.dll
2006-10-31 22:02 348160 --------- C:\WINDOWS\system32\msvcr71.dll
2006-10-29 02:12 62 --ahs---- C:\Documents and Settings\Katie and Nigel\Application Data\desktop.ini
2006-10-28 13:25 0 -rahs---- C:\MSDOS.SYS
2006-10-28 13:25 0 -rahs---- C:\IO.SYS
2006-10-28 13:25 0 --a------ C:\CONFIG.SYS
2006-10-28 13:25 0 --a------ C:\AUTOEXEC.BAT
2006-10-20 02:56 713216 --a------ C:\WINDOWS\system32\sxs.dll
2006-10-14 01:35 65536 --a------ C:\WINDOWS\system32\nwwks.dll
2006-10-14 01:35 64000 --a------ C:\WINDOWS\system32\nwapi32.dll
2006-10-14 01:35 142336 --a------ C:\WINDOWS\system32\nwprovau.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SkypeMate"="C:\\Program Files\\SkypeMate\\SkypeMate.exe"
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"Power2GoExpress"=""
"BitTorrent"="\"C:\\PROGRA~1\\BITTOR~1\\BITTOR~1.EXE\" --force_start_minimized"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="soundman.exe"
"CountrySelection"="pctptt.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"BootSkin Startup Jobs"="\"C:\\PROGRA~1\\Stardock\\WINCUS~1\\BootSkin\\BootSkin.exe\" /StartupJobs"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"CloneCDElbyCDFL"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\ElbyCheck.exe\" /L ElbyCDFL"
"CloneCDTray"="\"C:\\Program Files\\Elaborate Bytes\\CloneCD\\CloneCDTray.exe\""
"snpstd3"="C:\\WINDOWS\\vsnpstd3.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SunServer"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{076394AD-7FDD-44EF-A075-32C68DBAB99B}"=""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\BitTorrent.job
C:\WINDOWS\tasks\closeme.job
C:\WINDOWS\tasks\LimeWire PRO 4.12.job

Completion time: 07-01-13 13:53:31.91
C:\ComboFix.txt ... 07-01-13 13:53
C:\ComboFix2.txt ... 07-01-12 20:30
C:\ComboFix3.txt ... 07-01-06 10:56
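The helper identified the Vundo components by reading these ComboFix logs by hand: the randomly named Winlogon Notify subkeys in the earlier "Reg Loading Points" section, and DLLs appearing under system32 with hidden+system attributes (such as the `---hs----` entry for khfebxx.dll above). As an added example that is not part of this thread or of ComboFix, the script below parses the same log layout and flags both indicator types; the sample log text and the allowlist of default XP Notify packages are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample, modelled on the ComboFix log layout shown in this thread
# (a "Files Created" listing followed by "Reg Loading Points"); not a real capture.
SAMPLE_LOG = r"""
((((((((((((((( Files Created from 2006-12-13 to 2007-01-13 )))))))))))))))

2007-01-12 22:16 <DIR> d-------- C:\Program Files\Ipwindows
2007-01-12 22:13 22,541 ---hs---- C:\WINDOWS\system32\khfebxx.dll
2007-01-12 22:05 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-01-07 13:34 57,344 --a------ C:\WINDOWS\system32\WNASPINT.DLL

((((((((((((((( Reg Loading Points )))))))))))))))

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsbp32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\xxyyyxv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
"""

# One "Files Created" line: date, time, size or <DIR>, 9-char attribute string, path.
FILE_LINE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size><DIR>|[\d,]+) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)

# A Winlogon Notify subkey as ComboFix prints it (bare key path, no brackets).
NOTIFY_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion"
    r"\\winlogon\\notify\\(?P<name>[^\\\s]+)$",
    re.IGNORECASE,
)

# Assumed allowlist of Notify packages present on a stock Windows XP install;
# anything else loading at logon deserves a look.
DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}


def scan_log(text: str) -> List[Dict[str, str]]:
    """Return findings for hidden+system DLLs in system32 and unknown Notify keys."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = FILE_LINE.match(line)
        if m:
            attrs, path = m.group("attrs"), m.group("path")
            low = path.lower()
            in_system32 = "\\windows\\system32\\" in low
            hidden_system = "h" in attrs and "s" in attrs
            if in_system32 and low.endswith(".dll") and hidden_system:
                findings.append({
                    "kind": "hidden_system_dll",
                    "item": path,
                    "when": f"{m.group('date')} {m.group('time')}",
                })
            continue
        n = NOTIFY_KEY.match(line)
        if n and n.group("name").lower() not in DEFAULT_NOTIFY:
            findings.append({
                "kind": "unknown_winlogon_notify",
                "item": n.group("name"),
                "when": "",
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['kind']:24} {f['item']} {f['when']}")
```

On the constructed sample this reports khfebxx.dll plus the winsbp32 and xxyyyxv Notify keys, and stays silent on crypt32chain and the normal driver and DLL entries.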
