

Infected With Adw_clicker.gf & Adw_winfixer.aa


13 replies to this topic

#1 avandelay

avandelay

  • Members
  • 7 posts

Posted 25 April 2007 - 07:16 PM

Hello! My name is Art. Thank you in advance for your help. I am having problems with my computer running extremely slow, getting IE popups (ads for WinAntiVirus), and crashing about every 30 minutes. I have run every anti-virus/adware/spyware/malware known to man. This includes McAfee, Trend Micro, Norton, Ad-Aware, Spybot, etc. Micro removes ADW_CLICKER.GF & ADW_WINFIXER.AA but they keep coming back. Now my computer runs so slow it's hardly operable. So here is my HijackThis log; any help would be sincerely appreciated:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:23 AM, on 4/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\sugar\SugarCRM\oss\httpd\bin\Apache.exe
F:\sugar\SugarCRM\oss\mysql\bin\mysqld-opt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
F:\sugar\SugarCRM\oss\httpd\bin\Apache.exe
C:\Program Files\WebDrive\wdService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\StickyNote\StickyNote.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PCCMAIN.EXE
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Anthony\Local Settings\Temp\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wxbpj.dll/sp.html#37049
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\rwhgxmoa.dll",setvm
O4 - Startup: StickyNote.lnk = C:\Program Files\StickyNote\StickyNote.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11111111-1111-1111-1111-222222222222} - ms-its:mhtml:file://C: oo.mht!http://www.drunk-sex-orgy.com/mad/bighelp2.chm::/uninst.exe
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {24311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab
O16 - DPF: {33331111-1111-1111-1111-611111193458} - file://c:\ex.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://E:\components\A9.ocx
O16 - DPF: {64311111-1111-1121-1111-111191113457} - file://c:\eied_s7.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145995670218
O16 - DPF: {72C9EA8F-8965-40C2-ABAD-D460A5815F86} (hostCntrlIE Class) - http://vhost.oddcast.com/admin/hostClientIE.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures05.aim.com/ygp/aol/plugin/u...-AIM.95.1.8.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Anthony\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: Ntstyle - {11857D33-E8F6-452E-B914-3E8DF39B0707} - C:\WINDOWS\system32\netblog.dll
O23 - Service: Apache2 - Unknown owner - F:\sugar\SugarCRM\oss\httpd\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Windows System Uninstaller (HackerDefender100) - Unknown owner - C:\WINDOWS\winunins.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - F:\sugar\SugarCRM\oss\mysql\bin\mysqld-opt.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe


Thank You!

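An added triage helper, written for this thread and not part of the post or of HijackThis itself: it applies a few of the checks a malware responder runs over a log like the one above before asking for more tools: orphaned entries whose target file is gone, O16 ActiveX installs sourced from a local file or CHM archive instead of a web host, CLSIDs made of repeated digits, O4 rundll32 entries loading a random-named DLL from the Windows directory, O21 shell service objects outside the ones Windows XP ships with, and an O23 service named after the Hacker Defender rootkit. The sample lines are excerpted from the log in this post; the rule set, the regexes and the KNOWN_SSODL list are the example's own assumptions, and every hit is a lead to verify by hand (file, signer, CLSID), not a verdict.

```python
"""Triage helper for HijackThis v1.99 logs (added example, not HijackThis code).

Flags entries that match launch-point patterns a responder checks first.
The rules are heuristics: confirm each hit before removing anything.
"""
import re
from typing import Iterable, List, Tuple

# Entry line shape: "<section> - <body>", e.g. "O16 - DPF: {CLSID} (Name) - URL".
ENTRY_RE = re.compile(r"^(?P<sec>[RFO]\d{1,2}) - (?P<body>.*)$")

# Random-looking 5-8 letter DLL names dropped straight into %SystemRoot%
# or System32 (e.g. "wxbpj.dll", "rwhgxmoa.dll"). Legitimate DLLs with such
# names exist, so this is only used together with a rundll32 startup entry.
RANDOM_DLL_RE = re.compile(r"\\WINDOWS\\(?:System32\\)?[a-z]{5,8}\.dll", re.I)

# O16 sources that install ActiveX from local disk or a CHM rather than an
# http(s) host: a common rogue-antispyware dropper pattern.
LOCAL_DPF_RE = re.compile(r"-\s+(?:file://|ms-its:|mk:@MSITStore:)", re.I)

# CLSIDs such as {11111111-1111-...} are hand-typed, not generated GUIDs.
FAKE_CLSID_RE = re.compile(r"\{\d{8}-(?:1111|2222)-")

# Shell service objects Windows XP itself registers (assumed list).
KNOWN_SSODL = {"WPDShServiceObj", "PostBootReminder", "CDBurn", "WebCheck", "SysTray"}


def triage(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (reason, entry) pairs for every suspicious HijackThis entry."""
    hits: List[Tuple[str, str]] = []
    for raw in lines:
        line = raw.rstrip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        reasons = []
        if "(file missing)" in body or "(no file)" in body:
            reasons.append("orphaned entry (target no longer on disk)")
        if sec == "O16" and LOCAL_DPF_RE.search(body):
            reasons.append("ActiveX installed from local file/CHM, not a web host")
        if sec == "O16" and FAKE_CLSID_RE.search(body):
            reasons.append("fabricated CLSID")
        if sec == "R0" and "res://" in body:
            reasons.append("search assistant redirected via res:// into a local DLL")
        if sec == "O4" and "rundll32" in body.lower() and RANDOM_DLL_RE.search(body):
            reasons.append("rundll32 loading a random-named DLL at startup")
        if sec == "O21":
            # body looks like "SSODL: <name> - {CLSID} - <path>"
            name = body.split(":", 1)[1].split(" - ", 1)[0].strip()
            if name not in KNOWN_SSODL:
                reasons.append("non-standard shell service object loaded by Explorer")
        if sec == "O23" and "hackerdefender" in body.lower():
            reasons.append("service name matches the Hacker Defender rootkit")
        for r in reasons:
            hits.append((r, line))
    return hits


# Sample input: lines excerpted from the HijackThis log posted above.
SAMPLE_LOG = [
    "Logfile of HijackThis v1.99.1",
    r"R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\wxbpj.dll/sp.html#37049",
    r"O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)",
    r'O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"',
    r'O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\rwhgxmoa.dll",setvm',
    r"O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab",
    r"O16 - DPF: {33331111-1111-1111-1111-611111193457} - file://c:\ex.cab",
    r"O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - mk:@MSITStore:C:\DOCUME~1\Anthony\LOCALS~1\Temp\winfix.chm::/SystemDoctor2006FreeInstall.cab",
    r"O21 - SSODL: SystemCheck2 - {54645654-2225-4455-44A1-9F4543D34546} - C:\WINDOWS\System32\vbsys2.dll",
    r"O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll",
    r"O23 - Service: Windows System Uninstaller (HackerDefender100) - Unknown owner - C:\WINDOWS\winunins.exe (file missing)",
    r"O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe",
]

if __name__ == "__main__":
    for reason, entry in triage(SAMPLE_LOG):
        print(f"[{reason}]\n    {entry}")
```

Run against the full log rather than the excerpt by passing `open("hijackthis.log")` to `triage()`; the Trend Micro, HouseCall and WPDShServiceObj lines in the sample produce no hits, which is the point of keeping the rules narrow.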

#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 26 April 2007 - 08:40 AM

As you suspect, there are malware entries showing on your log.

However, before starting the removal process, please make sure HijackThis is in its own folder, to keep its backups securely.

Create a folder like: C:\Program Files\HijackThis, or, if you want to keep the program on the Desktop, right click an empty area, select New > Folder, name the folder HijackThis, and place the HijackThis.exe file in it.

Then, run the program from its own folder from now on.

~~~~
Next, download SilentRunners:
http://www.silentrunners.org/Silent%20Runners.zip
Unzip it to the Desktop and double-click on SilentRunners.vbs

There is malware that hides, and SilentRunners may show its Registry keys, if HijackThis does not.

If an alert about scripting appears from your anti-virus, choose to allow the script to run.
When the scan is done, Notepad opens with a log which is saved in the SilentRunners folder.

Please provide the content of the SilentRunners log in your reply.

Old duck...


#3 avandelay

avandelay
  • Topic Starter

  • Members
  • 7 posts

Posted 26 April 2007 - 02:49 PM

Thanks for your help, Aaflac. After I posted yesterday I saw another post with a similar problem. I followed some of the following instructions:

1.) Renamed HijackThis.exe. Re-ran the program and deleted some bad entries I saw on another forum.
2.) Ran ComboFix, AVG Anti-Spyware, and VundoFix. The first two found problems, but VundoFix did not.


The popups have stopped, but the computer is still running very slow and the cursor is stopping after every few letters that I type. The culprit is definitely still there.

I also did what you said by putting HijackThis into a new folder, and ran Silent Runners. Below I posted the logs from ComboFix, AVG Anti-Spyware, HijackThis (after deleting the bad entries), and Silent Runners. Hope to talk to you soon.

Silent Runners
"Silent Runners.vbs", revision R50, http://www.silentrunners.org/
Operating System: Windows XP SP2
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ {++}
"ecrz" = "C:\WINDOWS\System32\ecrz.exe" [file not found]
"wmplayer" = "C:\Program Files\Windows Media Player\wmplayer.exe" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\ {++}
"pccguide.exe" = ""C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"" ["Trend Micro Incorporated."]
"!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Active Setup\Installed Components\
>{26923b43-4d38-484f-9b9e-de460746276c}\(Default) = "Internet Explorer"
\StubPath = "C:\WINDOWS\system32\ie4uinit.exe -UserIconConfig" [MS]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{53707962-6F74-2D53-2644-206D7942484F}\(Default) = (no title provided)
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\SPYBOT~1\SDHelper.dll" ["Safer Networking Limited"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {HKLM...CLSID} = "Display Panning CPL Extension"
\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {HKLM...CLSID} = "HyperTerminal Icon Ext"
\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{955B7B84-5308-419c-8ED8-0B9CA3C56985}" = "America Online"
-> {HKLM...CLSID} = "America Online"
\InProcServer32\(Default) = "C:\PROGRA~1\COMMON~1\aolshare\shell\us\shellext.dll" ["America Online, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{C56C4E21-706D-11d0-AFC5-444553540002}" = "My Digital Camera"
-> {HKLM...CLSID} = "My Digital Camera"
\InProcServer32\(Default) = "blank" [file not found]
"{1EBC3533-B289-409F-9924-B84B3F0717D2}" = "AceFTP Context Menu Shell Extension"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\VISICO~1\ACEFTP~1\ftpcntxt.dll" ["Visicom Media Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {HKLM...CLSID} = "RealOne Player Context Menu Class"
\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{6af09ec9-b429-11d4-a1fb-0090960218cb}" = "My Bluetooth Places"
-> {HKLM...CLSID} = "My Bluetooth Places"
\InProcServer32\(Default) = "C:\WINDOWS\System32\btneighborhood.dll" ["Broadcom Corporation."]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Outlook Custom Icon Handler"
-> {HKLM...CLSID} = "Outlook File Icon Extension"
\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~4\Office\OLKFSTUB.DLL" [MS]
"{04466240-beb3-11d1-be1c-00aa006b77f4}" = "WebDrive Shell Extension"
-> {HKLM...CLSID} = "WebDrive Shell Extension"
\InProcServer32\(Default) = "wdShellExt.dll" ["South River Technologies, LLC"]
"{7D5C4BDD-B015-4401-8731-1507B87DE297}" = "QBVersionTool"
-> {HKLM...CLSID} = "VersionShellExt Class"
\InProcServer32\(Default) = "C:\Program Files\Common Files\Intuit\QuickBooks\QBVersionTool.dll" ["TODO: <Company name>"]
"{0D6D4F41-2994-4ba0-8FEF-620E43CD2812}" = "IE Microsoft Internet Toolbar"
-> {HKLM...CLSID} = "IE Microsoft Internet Toolbar"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{482A7CB3-2EDF-4595-A315-A5244F1E96E6}" = "IE Search Control"
-> {HKLM...CLSID} = "IE Search Control"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{6D8BB3D3-9D87-4a91-AB56-4F30CFFEFE9F}" = "Explorer Search Band"
-> {HKLM...CLSID} = "Explorer Search Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{7E48925F-FF5C-47fa-A99A-F5912A10623B}" = "IE Address EditBox"
-> {HKLM...CLSID} = "IE Address EditBox"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{C4EC38BD-4E9E-4b5e-935A-D1BFF237D980}" = "Explorer Travel Band"
-> {HKLM...CLSID} = "Explorer Travel Band"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{DE011590-0531-4804-9C9C-3FEDC7E6E5C8}" = "IE &Address"
-> {HKLM...CLSID} = "IE &Address"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {HKLM...CLSID} = "Portable Media Devices Menu"
\InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
"{E66A25D8-CE51-4611-A6CE-D5E08EB33A5C}" = "BMenuPlg"
-> {HKLM...CLSID} = "BMenuPlg"
\InProcServer32\(Default) = "C:\WINDOWS\system32\BMenuPlg.dll" ["FoxBurner Ltd."]
"{48F45200-91E6-11CE-8A4F-0080C81A28D4}" = "TMD Shell Extension"
-> {HKLM...CLSID} = "TMD Shell Extension"
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2006\Tmdshell.dll" ["Trend Micro Incorporated."]
"{771A9DA0-731A-11CE-993C-00AA004ADB6C}" = "VBPropSheet"
-> {HKLM...CLSID} = "VBPropSheet"
\InProcServer32\(Default) = "C:\Program Files\Trend Micro\Internet Security 2006\VBProp.dll" ["Trend Micro Incorporated."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
<<!>> "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}" = "AVG Anti-Spyware 7.5"
-> {HKLM...CLSID} = "CShellExecuteHookImpl Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" ["Anti-Malware Development a.s."]

HKLM\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\
"WPDShServiceObj" = "{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
-> {HKLM...CLSID} = "WPDShServiceObj Class"
\InProcServer32\(Default) = "C:\WINDOWS\system32\WPDShServiceObj.dll" [MS]

HKLM\System\CurrentControlSet\Control\Session Manager\
<<!>> "BootExecute" = "autocheck autochk *"|"SsiEfr.e" [file not found]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
<<!>> igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
AceFTP\(Default) = "{1EBC3533-B289-409F-9924-B84B3F0717D2}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\VISICO~1\ACEFTP~1\ftpcntxt.dll" ["Visicom Media Inc."]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
BMenuPlg\(Default) = "{E66A25D8-CE51-4611-A6CE-D5E08EB33A5C}"
-> {HKLM...CLSID} = "BMenuPlg"
\InProcServer32\(Default) = "C:\WINDOWS\system32\BMenuPlg.dll" ["FoxBurner Ltd."]
WebDrive\(Default) = "{04466240-beb3-11d1-be1c-00aa006b77f4}"
-> {HKLM...CLSID} = "WebDrive Shell Extension"
\InProcServer32\(Default) = "wdShellExt.dll" ["South River Technologies, LLC"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
Yahoo! Mail\(Default) = "{5464D816-CF16-4784-B9F3-75C0DB52B499}"
-> {HKLM...CLSID} = "YMailShellExt Class"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
AceFTP\(Default) = "{1EBC3533-B289-409F-9924-B84B3F0717D2}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\PROGRA~1\VISICO~1\ACEFTP~1\ftpcntxt.dll" ["Visicom Media Inc."]
AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
-> {HKLM...CLSID} = "CContextScan Object"
\InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
BMenuPlg\(Default) = "{E66A25D8-CE51-4611-A6CE-D5E08EB33A5C}"
-> {HKLM...CLSID} = "BMenuPlg"
\InProcServer32\(Default) = "C:\WINDOWS\system32\BMenuPlg.dll" ["FoxBurner Ltd."]
WebDrive\(Default) = "{04466240-beb3-11d1-be1c-00aa006b77f4}"
-> {HKLM...CLSID} = "WebDrive Shell Extension"
\InProcServer32\(Default) = "wdShellExt.dll" ["South River Technologies, LLC"]
WinZip\(Default) = "{E0D79304-84BE-11CE-9641-444553540000}"
-> {HKLM...CLSID} = "WinZip"
\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Classes\AllFilesystemObjects\shellex\ContextMenuHandlers\
WebDrive\(Default) = "{04466240-beb3-11d1-be1c-00aa006b77f4}"
-> {HKLM...CLSID} = "WebDrive Shell Extension"
\InProcServer32\(Default) = "wdShellExt.dll" ["South River Technologies, LLC"]


Group Policies {policy setting}:
--------------------------------

Note: detected settings may not have any effect.

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"_NoDriveTypeAutoRun" = (REG_DWORD) hex:0x00000091
{unrecognized setting}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\

"NoCDBurning" = (REG_DWORD) hex:0x00000000
{unrecognized setting}

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"DisableRegistryTools" = (REG_DWORD) hex:0x00000000
{Prevent access to registry editing tools}

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\

"shutdownwithoutlogon" = (REG_DWORD) hex:0x00000001
{Shutdown: Allow system to be shut down without having to log on}

"undockwithoutlogon" = (REG_DWORD) hex:0x00000001
{Devices: Allow undock without having to log on}


Active Desktop and Wallpaper:
-----------------------------

Active Desktop may be disabled at this entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


Startup items in "Anthony" & "All Users" startup folders:
---------------------------------------------------------

C:\Documents and Settings\Anthony\Start Menu\Programs\Startup
"StickyNote" -> shortcut to: "C:\Program Files\StickyNote\StickyNote.exe" ["Tenebril Incorporated"]


Enabled Scheduled Tasks:
------------------------

"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]
"XoftSpy" -> launches: "C:\Program Files\XoftSpy\XoftSpy.exe -t" [file not found]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 31
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{F2CF5485-4E02-4F68-819C-B92DE9277049}"
-> {HKLM...CLSID} = "&Links"
\InProcServer32\(Default) = "C:\WINDOWS\system32\ieframe.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{F053C368-5458-45B2-9B4D-D8914BDDDBFF}" = (no title provided)
-> {HKLM...CLSID} = "TextAloud"
\InProcServer32\(Default) = "C:\PROGRA~1\TEXTAL~1\TAForIE.dll" [empty string]

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]
{9404901D-06DA-4B23-A0EE-3EA4F64EC9B3}\(Default) = (no title provided)
-> {HKLM...CLSID} = "MoneySide"
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\(Default) = (no title provided)
-> {HKLM...CLSID} = "&Yahoo! Messenger"
\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\yhexbmesus.dll" ["Yahoo! Inc."]
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\(Default) = (no title provided)
-> {HKLM...CLSID} = "Real.com"
\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\Software\Classes\CLSID\{44226DFF-747E-4EDC-B30C-78752E50CD0C}\(Default) = "&ATI TV"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL" ["ATI Technologies Inc."]

HKLM\Software\Classes\CLSID\{F053C368-5458-45B2-9B4D-D8914BDDDBFF}\(Default) = "TextAloud"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\PROGRA~1\TEXTAL~1\TAForIE.dll" [empty string]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
"MenuText" = "Sun Java Console"
"CLSIDExtension" = "{08B0E5C0-4FCB-11CF-AAA5-00401C608501}"
-> {HKLM...CLSID} = "Web Browser Applet Control"
\InProcServer32\(Default) = "C:\WINDOWS\System32\msjava.dll" [MS]

{44226DFF-747E-4EDC-B30C-78752E50CD0C}\
"ButtonText" = "ATI TV"

{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}\
"ButtonText" = "Yahoo! Services"
"CLSIDExtension" = "{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"
-> {HKLM...CLSID} = "Yahoo! IE Services Button"
\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Common\yiesrvc.dll" [file not found]

{CCA281CA-C863-46EF-9331-5C8D4460577F}\
"ButtonText" = "@btrez.dll,-4015"
"MenuText" = "@btrez.dll,-4017"
"Script" = "C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm" [null data]

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"

{E023F504-0C5A-4750-A1E7-A9046DEA8A21}\
"ButtonText" = "MoneySide"
"CLSIDExtension" = "{301DA1EE-F65C-4188-A417-9E915CC8FBFA}"
-> {HKLM...CLSID} = (no title provided)
\InProcServer32\(Default) = "C:\Program Files\Microsoft Money\System\mnyviewer.dll" [MS]

{FB5F1910-F110-11D2-BB9E-00C04F795683}\
"ButtonText" = "Messenger"
"MenuText" = "Windows Messenger"
"Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


Internet Explorer Address Prefixes:
-----------------------------------

Prefix for specific service (i.e., "www")

HKLM\Software\Microsoft\Windows\CurrentVersion\URL\Prefixes\
<<H>> "SearchAssistant" = "http://hhnihy.outhost.info/sp.php"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

Apache2, Apache2, ""F:\sugar\SugarCRM\oss\httpd\bin\Apache.exe" -k runservice" ["Apache Software Foundation"]
AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
MySQL, MySQL, "F:\sugar\SugarCRM\oss\mysql\bin\mysqld-opt MySQL" [null data]
Trend Micro Central Control Component, PcCtlCom, "C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe" ["Trend Micro Incorporated."]
Trend Micro Personal Firewall, TmPfw, "C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe" ["Trend Micro Inc."]
Trend Micro Proxy Service, tmproxy, "C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe" ["Trend Micro Inc."]
Trend Micro Real-time Service, Tmntsrv, "C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe" ["Trend Micro Incorporated."]
WAN Miniport (ATW) Service, WANMiniportService, ""C:\WINDOWS\wanmpsvc.exe"" ["America Online, Inc."]
WebDrive Service, WebDriveService, "C:\Program Files\WebDrive\wdService.exe" ["South River Technologies, LLC"]
Windows Driver Foundation - User-mode Driver Framework, WudfSvc, "C:\WINDOWS\system32\svchost.exe -k WudfServiceGroup" {"C:\WINDOWS\System32\WUDFSvc.dll" [MS]}


Print Monitors:
---------------

HKLM\System\CurrentControlSet\Control\Print\Monitors\
Bluetooth Printer Port\Driver = "bthcrp.dll" ["Broadcom Corporation."]
PDF995 Monitor\Driver = "pdf995mon.dll" [null data]
PDI Port\Driver = "PDIPortNT.dll" ["Neovi Data Corporation"]


----------
<<!>>: Suspicious data at a malware launch point.
<<H>>: Suspicious data at a browser hijack point.

+ This report excludes default entries except where indicated.
+ To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
+ To search all directories of local fixed drives for DESKTOP.INI
DLL launch points, use the -supp parameter or answer "No" at the
first message box and "Yes" at the second message box.
---------- (total run time: 296 seconds, including 26 seconds for message boxes)


HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 11:30:07 AM, on 4/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\sugar\SugarCRM\oss\httpd\bin\Apache.exe
F:\sugar\SugarCRM\oss\mysql\bin\mysqld-opt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\WINDOWS\wanmpsvc.exe
F:\sugar\SugarCRM\oss\httpd\bin\Apache.exe
C:\Program Files\WebDrive\wdService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\StickyNote\StickyNote.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Anthony\Desktop\youknow.exe
C:\Documents and Settings\Anthony\Desktop\youknow\youknow.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - Startup: StickyNote.lnk = C:\Program Files\StickyNote\StickyNote.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://E:\components\A9.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145995670218
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures05.aim.com/ygp/aol/plugin/u...-AIM.95.1.8.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apache2 - Unknown owner - F:\sugar\SugarCRM\oss\httpd\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows System Uninstaller (HackerDefender100) - Unknown owner - C:\WINDOWS\winunins.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - F:\sugar\SugarCRM\oss\mysql\bin\mysqld-opt.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe


ComboFix



"Anthony" - 07-04-25 21:07:33 Service Pack 2
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Anthony\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddcyx.dll
C:\WINDOWS\system32\mljjj.dll
C:\WINDOWS\system32\vturs.dll
C:\WINDOWS\system32\urqnlmn.dll
C:\WINDOWS\system32\xycdd.ini
C:\WINDOWS\system32\jjjlm.ini
C:\WINDOWS\system32\ststv.bak1
C:\WINDOWS\system32\ststv.bak2
C:\WINDOWS\system32\ststv.ini
C:\WINDOWS\system32\vtsts.dll
C:\WINDOWS\system32\opnnkhg.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1281OinAdmin.exe
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\WINDOWS\system32\mssv32.exe
C:\DOCUME~1\Anthony\APPLIC~1\Sskcwrd.dll
C:\DOCUME~1\Anthony\APPLIC~1\Sskknwrd.dll
C:\DOCUME~1\Anthony\APPLIC~1\Sskuknwrd.dll
C:\Program Files\outerinfo\Terms.rtf
C:\WINDOWS\system32\msst.exe
C:\WINDOWS\system32\sysdm.exe
C:\install.log
C:\WINDOWS\sysdk.exe
C:\WINDOWS\winhp32.exe
C:\Program Files\inetget2
C:\Program Files\outerinfo
C:\Program Files\surfsidekick 3
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\C\DOCUME~1
C:\qoobox\purity\C\DOCUME~1\Anthony
C:\qoobox\purity\C\DOCUME~1\Anthony\MYDOCU~1
C:\qoobox\purity\C\DOCUME~1\Anthony\MYDOCU~1\SSEMBL~1
C:\qoobox\purity\C\DOCUME~1\Anthony\MYDOCU~1\SSEMBL~1\?ssembly
C:\qoobox\purity\C\WINDOWS\WNSXS~1


((((((((((((((((((((((((((((((( Files Created from 2007-03-25 to 2007-04-25 ))))))))))))))))))))))))))))))))))


2007-04-25 20:26 11,927,554 --a------ C:\42407backup.reg
2007-04-25 12:25 132,660 --a------ C:\WINDOWS\system32\aogblckp.dll
2007-04-25 02:49 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-04-25 02:46 786,432 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-04-22 21:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-04-22 03:13 25,983 --a------ C:\WINDOWS\system32\awvtr.dll
2007-04-22 02:13 12,843 --a------ C:\WINDOWS\system32\mljgf.dll
2007-04-21 23:05 2 --a------ C:\WINDOWS\system32\wnsapitr32.exe
2007-04-17 11:48 <DIR> d-------- C:\Program Files\MSN Messenger
2007-04-11 00:08 <DIR> d-------- C:\DOCUME~1\Anthony\APPLIC~1\Viewpoint
2007-04-10 22:15 <DIR> d-------- C:\Downloads
2007-04-02 23:25 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2007-03-28 22:40 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-03-28 22:40 <DIR> d-------- C:\Program Files\StickyNote
2007-03-28 22:40 <DIR> d-------- C:\DOCUME~1\Anthony\APPLIC~1\Tenebril


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-25 21:10 -------- d-------- C:\Program Files\textaloud
2007-04-25 02:32 -------- d-------- C:\Program Files\iwin games
2007-04-25 02:15 -------- d-------- C:\Program Files\viewpoint
2007-04-22 16:30 -------- d-------- C:\Program Files\napster
2007-03-17 06:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-05 23:13 -------- d--h----- C:\Program Files\ynot
2007-02-05 13:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-28 20:54 9207 --a------ C:\WINDOWS\mozver.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"pccguide.exe"="\"C:\\Program Files\\Trend Micro\\Internet Security 2006\\pccguide.exe\""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Symantec Network Driver Update Warning"="C:\\PROGRA~1\\Symantec\\LIVEUP~1\\SNDWarn.EXE"
"ALUAlert"="C:\\Program Files\\Symantec\\LiveUpdate\\ALUNotify.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"ecrz"="C:\\WINDOWS\\System32\\ecrz.exe"
"wmplayer"="C:\\Program Files\\Windows Media Player\\wmplayer.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"_NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\HackerDefender100

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AOL Companion.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AOL Companion.lnk"
"backup"="C:\\WINDOWS\\pss\\AOL Companion.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AOLCOM~1\\COMPAN~1.EXE /s"
"item"="AOL Companion"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Bluetooth.lnk"
"backup"="C:\\WINDOWS\\pss\\Bluetooth.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WIDCOMM\\BLUETO~1\\BTTray.exe "
"item"="Bluetooth"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Device Detector 3.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Device Detector 3.lnk"
"backup"="C:\\WINDOWS\\pss\\Device Detector 3.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Olympus\\DEVICE~1\\DevDtct2.exe "
"item"="Device Detector 3"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Exif Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Exif Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Exif Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\FINEPI~1\\QuickDCF.exe "
"item"="Exif Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HPAiODevice(hp psc 900 series) - 1.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HPAiODevice(hp psc 900 series) - 1.lnk"
"backup"="C:\\WINDOWS\\pss\\HPAiODevice(hp psc 900 series) - 1.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\AiO\\HPPSC9~1\\Bin\\hpobrt07.exe -DeviceID 1071094619"
"item"="HPAiODevice(hp psc 900 series) - 1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~4\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdateexe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SBC Self Support Tool.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\SBC Self Support Tool.lnk"
"backup"="C:\\WINDOWS\\pss\\SBC Self Support Tool.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SBCSEL~1\\bin\\matcli.exe -boot"
"item"="SBC Self Support Tool"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Anthony^Start Menu^Programs^Startup^Hewlett-Packard Recorder.lnk]
"path"="C:\\Documents and Settings\\Anthony\\Start Menu\\Programs\\Startup\\Hewlett-Packard Recorder.lnk"
"backup"="C:\\WINDOWS\\pss\\Hewlett-Packard Recorder.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\HEWLET~1\\AiO\\HPPSC9~1\\FRU\\Remind32.exe "
"item"="Hewlett-Packard Recorder"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLLaunch"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\AOL\\Launch\\AOLLaunch.exe\" /d locale=en-US ee://aol/imApp"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Anonymizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Anonymizer"
"hkey"="HKCU"
"command"="C:\\Program Files\\Anonymizer\\Anonymizer Software\\Anonymizer.exe -nogui"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Launchpad]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="launchpd"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\ATI Multimedia\\main\\launchpd.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATI Remote Control]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ATIX10"
"hkey"="HKCU"
"command"="C:\\Program Files\\ATI Multimedia\\RemCtrl\\ATIX10.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Awru]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="logonui"
"hkey"="HKCU"
"command"="\"C:\\DOCUME~1\\Anthony\\MYDOCU~1\\SSEMBL~1\\logonui.exe\" -vt yazb"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dlmMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeDownloadManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Adobe\\ESD\\AdobeDownloadManager.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DR_S]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DR_S"
"hkey"="HKCU"
"command"="C:\\Program Files\\DR_S\\DR_S.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Core"
"hkey"="HKCU"
"command"="C:\\Program Files\\Electronic Arts\\EA Downloader\\Core.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EZ Scheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ezscheduler"
"hkey"="HKLM"
"command"="C:\\Program Files\\American Systems\\EZ Scheduler\\ezscheduler.exe /m"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FreeRAM XP Pro"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\YourWare Solutions\\FreeRAM XP Pro\\FreeRAM XP Pro.exe\" -win"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1133580579\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hkcmd"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\hkcmd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HydraVisionDesktopManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HydraDM"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\HydraVision\\HydraDM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 26 April 2007 - 08:02 PM

Please do the following:

Download SuperAntiSpyware Home Edition Free Version
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE
Install the program

Run SuperAntiSpyware and click: Check for updates
Once the update is finished, on the main screen, click: Scan your computer
Check: Perform Complete Scan
Click Next to start the scan.

SuperAntiSpyware scans the computer, and when finished, lists all the infections found.
Make sure everything found has a check next to it, and press: Next
Click Finish

It is possible that the program asks to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click: Preferences
Click the Statistics/Logs tab
Under Scanner Logs, double-click SuperAntiSpyware Scan Log
It opens in your default text editor (such as Notepad)

Please copy the information in the SuperAntiSpyware log and post it in your reply.

Old duck...


#5 avandelay

avandelay
  • Topic Starter

  • Members
  • 7 posts

Posted 27 April 2007 - 01:23 AM

Wow, I can't believe how much crap it found. It seems like every time I run a different anti-virus program, it finds hundreds of different threats the others didn't find. Do you recommend running several of these programs regularly to keep the computer clean? Which ones do you use?

I'll report back if I find the problem is still there. Thanks a lot for your help... Here is the log....

SUPERAntiSpyware Scan Log
Generated 04/26/2007 at 10:39 PM

Application Version : 3.6.1000

Core Rules Database Version : 3226
Trace Rules Database Version: 1237

Scan type : Complete Scan
Total Scan Time : 01:49:26

Memory items scanned : 399
Memory threats detected : 0
Registry items scanned : 20795
Registry threats detected : 110
File items scanned : 110882
File threats detected : 523

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{04FA0937-0930-1006-31A1-535AEA9649FE}
HKLM\Software\Classes\CLSID\{117089AA-D3C6-C679-D791-5088F7B82125}
HKLM\Software\Classes\CLSID\{127B258A-8F8E-75B6-D538-4A7711988318}
HKLM\Software\Classes\CLSID\{2627C43B-FB1D-F815-04DA-3D4D787AEB82}
HKLM\Software\Classes\CLSID\{264D7706-46BC-1C89-7DC5-AC71424D3C22}
HKLM\Software\Classes\CLSID\{321EE6F6-38D2-4E50-0092-8423258A5117}
HKLM\Software\Classes\CLSID\{5395C6CC-9119-AA2E-B008-2D31A543B883}
HKLM\Software\Classes\CLSID\{6C2A592C-2CEB-91F6-ABFC-8A6CAA196309}
HKLM\Software\Classes\CLSID\{8F0FC018-8D8D-4312-9ED6-74A5932242DD}
HKCR\CLSID\{8F0FC018-8D8D-4312-9ED6-74A5932242DD}
HKCR\CLSID\{8F0FC018-8D8D-4312-9ED6-74A5932242DD}
HKCR\CLSID\{8F0FC018-8D8D-4312-9ED6-74A5932242DD}\InprocServer32
HKCR\CLSID\{8F0FC018-8D8D-4312-9ED6-74A5932242DD}\InprocServer32#ThreadingModel
HKCR\CLSID\{8F0FC018-8D8D-4312-9ED6-74A5932242DD}\ProgID
C:\WINDOWS\SYSTEM32\COMPWIZ.DLL
HKLM\Software\Classes\CLSID\{9CC8F542-1A40-D18B-FB14-9CD9B4908857}
HKLM\Software\Classes\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}
HKLM\Software\Classes\CLSID\{C88C5868-A520-9D6E-B1C4-AA3EABDBF5E4}
HKLM\Software\Classes\CLSID\{D89FEB47-489B-5DB5-8F56-21233C5B92D4}
HKLM\Software\Classes\CLSID\{D9E6A9B5-3F53-2528-E4D5-6A543FF55E1D}
HKLM\Software\Classes\CLSID\{daa873d4-958c-453c-81ca-3fe6f3676a87}
HKCR\CLSID\{DAA873D4-958C-453C-81CA-3FE6F3676A87}
HKCR\CLSID\{DAA873D4-958C-453C-81CA-3FE6F3676A87}\InprocServer32
C:\WINDOWS\SYSTEM32:DDAA.DLL
HKLM\Software\Classes\CLSID\{DAD64CB5-6A52-35C2-38BD-73771485436C}
HKLM\Software\Classes\CLSID\{E07FEBA7-DA76-CC40-6C75-197B46A15FC9}
HKCR\CLSID\{04FA0937-0930-1006-31A1-535AEA9649FE}
HKCR\CLSID\{04FA0937-0930-1006-31A1-535AEA9649FE}\Data
HKCR\CLSID\{117089AA-D3C6-C679-D791-5088F7B82125}
HKCR\CLSID\{117089AA-D3C6-C679-D791-5088F7B82125}\Data
HKCR\CLSID\{127B258A-8F8E-75B6-D538-4A7711988318}
HKCR\CLSID\{127B258A-8F8E-75B6-D538-4A7711988318}\Data
HKCR\CLSID\{5395C6CC-9119-AA2E-B008-2D31A543B883}
HKCR\CLSID\{5395C6CC-9119-AA2E-B008-2D31A543B883}\Data
HKCR\CLSID\{9CC8F542-1A40-D18B-FB14-9CD9B4908857}
HKCR\CLSID\{9CC8F542-1A40-D18B-FB14-9CD9B4908857}\Data
HKCR\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}
HKCR\CLSID\{B9EE66CA-433D-7E40-0E41-7DBE07FC4F7A}\Data
HKCR\CLSID\{C88C5868-A520-9D6E-B1C4-AA3EABDBF5E4}
HKCR\CLSID\{C88C5868-A520-9D6E-B1C4-AA3EABDBF5E4}\Data
HKCR\CLSID\{DAA873D4-958C-453C-81CA-3FE6F3676A87}
HKCR\CLSID\{264D7706-46BC-1C89-7DC5-AC71424D3C22}
HKCR\CLSID\{264D7706-46BC-1C89-7DC5-AC71424D3C22}\Data
HKCR\CLSID\{DAD64CB5-6A52-35C2-38BD-73771485436C}
HKCR\CLSID\{DAD64CB5-6A52-35C2-38BD-73771485436C}\Data
HKCR\CLSID\{321EE6F6-38D2-4E50-0092-8423258A5117}
HKCR\CLSID\{321EE6F6-38D2-4E50-0092-8423258A5117}\Data
HKCR\CLSID\{6C2A592C-2CEB-91F6-ABFC-8A6CAA196309}
HKCR\CLSID\{6C2A592C-2CEB-91F6-ABFC-8A6CAA196309}\Data
HKCR\CLSID\{D9E6A9B5-3F53-2528-E4D5-6A543FF55E1D}
HKCR\CLSID\{D9E6A9B5-3F53-2528-E4D5-6A543FF55E1D}\Data
HKCR\CLSID\{E07FEBA7-DA76-CC40-6C75-197B46A15FC9}
HKCR\CLSID\{E07FEBA7-DA76-CC40-6C75-197B46A15FC9}\Data
HKCR\CLSID\{2627C43B-FB1D-F815-04DA-3D4D787AEB82}
HKCR\CLSID\{2627C43B-FB1D-F815-04DA-3D4D787AEB82}\Data
HKCR\CLSID\{D89FEB47-489B-5DB5-8F56-21233C5B92D4}
HKCR\CLSID\{D89FEB47-489B-5DB5-8F56-21233C5B92D4}\Data
C:\WINDOWS\MFCFQ.EXE
C:\WINDOWS\SYSTEM32\MFCFQ.EXE
C:\WINDOWS\SYSTEM32\NTFW32.EXE

Parasite.CoolWebSearch Variant
HKLM\Software\Classes\CLSID\{11B80E45-BEC0-8756-1DFA-87AE79FA25EC}
HKLM\Software\Classes\CLSID\{12F72849-7A03-E428-0E12-0915087880FF}
HKLM\Software\Classes\CLSID\{24F52FD3-D9CD-C5B4-2108-1DBD812D6F79}
HKLM\Software\Classes\CLSID\{50B9D537-5DB0-52B1-FF6F-ED6C70DA477E}
HKLM\Software\Classes\CLSID\{64B4C959-F47C-E57E-A0E5-F99C903141A2}
HKLM\Software\Classes\CLSID\{B4F8C4E0-F516-5DEF-B102-AAF1ADBCBB04}
HKLM\Software\Classes\CLSID\{C448539A-1A24-DCB9-3152-D2DCA94E1831}
HKLM\Software\Classes\CLSID\{D0F03457-32E5-5715-6CDD-72C94F05ABBE}
HKLM\Software\Classes\CLSID\{DE009CAE-4B28-D350-13CF-E88F46A3C5C3}
HKLM\Software\Classes\CLSID\{F74BE206-1DFE-36CA-AD40-4E17A18DEFF4}
HKLM\Software\Classes\CLSID\{FB2B91F2-20FB-CDCE-D34A-E50E5910E44F}
HKCR\CLSID\{11B80E45-BEC0-8756-1DFA-87AE79FA25EC}
HKCR\CLSID\{11B80E45-BEC0-8756-1DFA-87AE79FA25EC}\Data
HKCR\CLSID\{12F72849-7A03-E428-0E12-0915087880FF}
HKCR\CLSID\{12F72849-7A03-E428-0E12-0915087880FF}\Data
HKCR\CLSID\{24F52FD3-D9CD-C5B4-2108-1DBD812D6F79}
HKCR\CLSID\{24F52FD3-D9CD-C5B4-2108-1DBD812D6F79}\Data
HKCR\CLSID\{50B9D537-5DB0-52B1-FF6F-ED6C70DA477E}
HKCR\CLSID\{50B9D537-5DB0-52B1-FF6F-ED6C70DA477E}\Data
HKCR\CLSID\{64B4C959-F47C-E57E-A0E5-F99C903141A2}
HKCR\CLSID\{64B4C959-F47C-E57E-A0E5-F99C903141A2}\Data
HKCR\CLSID\{B4F8C4E0-F516-5DEF-B102-AAF1ADBCBB04}
HKCR\CLSID\{B4F8C4E0-F516-5DEF-B102-AAF1ADBCBB04}\Data
HKCR\CLSID\{C448539A-1A24-DCB9-3152-D2DCA94E1831}
HKCR\CLSID\{C448539A-1A24-DCB9-3152-D2DCA94E1831}\Data
HKCR\CLSID\{D0F03457-32E5-5715-6CDD-72C94F05ABBE}
HKCR\CLSID\{D0F03457-32E5-5715-6CDD-72C94F05ABBE}\Data
HKCR\CLSID\{DE009CAE-4B28-D350-13CF-E88F46A3C5C3}
HKCR\CLSID\{DE009CAE-4B28-D350-13CF-E88F46A3C5C3}\Data
HKCR\CLSID\{F74BE206-1DFE-36CA-AD40-4E17A18DEFF4}
HKCR\CLSID\{F74BE206-1DFE-36CA-AD40-4E17A18DEFF4}\Data
HKCR\CLSID\{FB2B91F2-20FB-CDCE-D34A-E50E5910E44F}
HKCR\CLSID\{FB2B91F2-20FB-CDCE-D34A-E50E5910E44F}\Data

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{A98A8454-FAAC-4DD1-B0D9-219D56C14053}
HKCR\CLSID\{A98A8454-FAAC-4DD1-B0D9-219D56C14053}
HKCR\CLSID\{A98A8454-FAAC-4DD1-B0D9-219D56C14053}\InprocServer32
HKCR\CLSID\{A98A8454-FAAC-4DD1-B0D9-219D56C14053}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\PMKHH.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Anthony\Cookies\anthony@fortunecity[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@bidtool.overture[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@realmedia[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@questionmarket[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@windowsmedia[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@icc.intellisrv[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@yourmedia[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@ad1.dc1.sonixtream[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@perf.overture[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@overture[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@trafficmp[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@ads.revsci[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@nextag[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@go.winantivirus[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@mediaplex[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@doubleclick[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@ad.adserverplus[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@www.xctrk[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@cgi-bin[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@cpvfeed[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@zedo[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@stats1.clicktracks[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@adecn[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@statse.webtrendslive[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@serving.rpowermedia[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@burstnet[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@fastclick[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@exitexchange[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@drivecleaner[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@ad.outerinfo[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@publishers.clickbooth[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@www.winantiviruspro[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@qnsr[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@adopt.specificclick[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@dcsr09g6g100004rfl99xdkrt_4d7t[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@adrevolver[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@image.masterstats[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@www.amaena[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@winantivirus[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@count3.exitexchange[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@revsci[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@reduxads.valuead[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@findwhat[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@atwola[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@clicks.emarketmakers[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@data3.perf.overture[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@atdmt[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@kanoodle[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@go.winantivirus[3].txt
C:\Documents and Settings\Anthony\Cookies\anthony@stats1.reliablestats[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@indiads[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@count.exitexchange[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@www.drivecleaner[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@superstats[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@ad.yieldmanager[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@www.clickbank[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@media.fastclick[2].txt
C:\Documents and Settings\Anthony\Cookies\anthony@www.googleadservices[1].txt
C:\Documents and Settings\Anthony\Cookies\anthony@media[1].txt
C:\Documents and Settings\Guest\Cookies\guest@adopt.specificclick[2].txt
C:\Documents and Settings\Guest\Cookies\guest@atwola[1].txt
C:\Documents and Settings\Guest\Cookies\guest@icc.intellisrv[2].txt
C:\Documents and Settings\Guest\Cookies\guest@qnsr[1].txt
C:\WINDOWS\system32\config\systemprofile\Cookies\system@log1.clickstream.co[1].txt

Trojan.SmartFinder
HKCR\CLSID\{55E45715-27B3-13CA-5DEF-A4B59535A970}
HKCR\CLSID\{55E45715-27B3-13CA-5DEF-A4B59535A970}\Data
HKCR\CLSID\{D9B1A07C-B299-9C0B-2BFB-464B1C89B938}
HKCR\CLSID\{D9B1A07C-B299-9C0B-2BFB-464B1C89B938}\Data
HKCR\CLSID\{5C2CADF9-FD40-CA02-757E-8C7E5C5C1763}
HKCR\CLSID\{5C2CADF9-FD40-CA02-757E-8C7E5C5C1763}\Data
HKCR\CLSID\{AC733B08-CF49-1E8C-1F30-A1C7FF53A035}
HKCR\CLSID\{AC733B08-CF49-1E8C-1F30-A1C7FF53A035}\Data
C:\WINDOWS\system32\sdkok32.exe
C:\WINDOWS\sysvb.exe
C:\WINDOWS\mfcbh.exe

Adware.ClickSpring/Outer Info Network
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#HelpLink
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#InstallLocation
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoModify
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#NoRepair
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayVersion
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo#DisplayIcon
C:\Documents and Settings\Anthony\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Anthony\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Documents and Settings\Anthony\Start Menu\Programs\Outerinfo

Trojan.Downloader-Gen/HardFall
C:\DOCUMENTS AND SETTINGS\ANTHONY\DESKTOP\BACKUPS\BACKUP-20070425-204444-553.DLL
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DDCYX.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MLJJJ.DLL.VIR
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VTSTS.DLL.VIR

Browser Hijacker.Favorites
C:\DOCUMENTS AND SETTINGS\ANTHONY\DESKTOP\CLICK TO FIND AND FIX ERRORS.URL

Adware.ClickSpring/Yazzle
C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1281OINUNINSTALLER.EXE.VIR

Trojan.AgentBi/Win
C:\WINDOWS\APIAJ32.EXE
C:\WINDOWS\SYSTEM32\APIAJ32.EXE

Uncategorized.UnknownOrigin
C:\WINDOWS\APPIW32.EXE
C:\WINDOWS\MSOO.EXE
C:\WINDOWS\MSXO.EXE
C:\WINDOWS\SYSTEM32\D3LO.EXE
C:\WINDOWS\SYSTEM32\MSOO.EXE
C:\WINDOWS\SYSTEM32\MSXO.EXE

Trojan.CRSS32/Win
C:\WINDOWS\CRSS32.EXE
C:\WINDOWS\SYSTEM32\CRSS32.EXE

Trojan.IEFY32
C:\WINDOWS\IEFY32.EXE
C:\WINDOWS\SYSTEM32\IEFY32.EXE

Trojan.Downloader-Gen/Win
C:\WINDOWS\IEVA.EXE
C:\WINDOWS\NTAR.EXE
C:\WINDOWS\SYSTEM32\IEVA.EXE
C:\WINDOWS\SYSVX.EXE

Trojan.SmitFraud Variant
C:\WINDOWS\MFCDG.EXE

n-CASE (SongSpy)
C:\WINDOWS\MSBB.EXE
C:\WINDOWS\SYSTEM32\MSBB.EXE

Trojan.SdBot-MSLX/32
C:\WINDOWS\MSLX32.EXE

Unclassified.Unknown Origin/System
C:\WINDOWS\SYSTEM32\ADDAN.EXE
C:\WINDOWS\SYSTEM32\ADDBF32.EXE
C:\WINDOWS\SYSTEM32\ADDCI32.EXE
C:\WINDOWS\SYSTEM32\ADDCN.EXE
C:\WINDOWS\SYSTEM32\ADDHD.EXE
C:\WINDOWS\SYSTEM32\ADDHV32.EXE
C:\WINDOWS\SYSTEM32\ADDIP.EXE
C:\WINDOWS\SYSTEM32\ADDIP32.EXE
C:\WINDOWS\SYSTEM32\ADDJB.EXE
C:\WINDOWS\SYSTEM32\ADDLE32.EXE
C:\WINDOWS\SYSTEM32\ADDLQ32.EXE
C:\WINDOWS\SYSTEM32\ADDMB32.EXE
C:\WINDOWS\SYSTEM32\ADDNW.EXE
C:\WINDOWS\SYSTEM32\ADDOR32.EXE
C:\WINDOWS\SYSTEM32\ADDQA32.EXE
C:\WINDOWS\SYSTEM32\ADDRV.EXE
C:\WINDOWS\SYSTEM32\ADDSK32.EXE
C:\WINDOWS\SYSTEM32\ADDSM.EXE
C:\WINDOWS\SYSTEM32\ADDTC32.EXE
C:\WINDOWS\SYSTEM32\ADDWV.EXE
C:\WINDOWS\SYSTEM32\ADDXD32.EXE
C:\WINDOWS\SYSTEM32\APIAN32.EXE
C:\WINDOWS\SYSTEM32\APICG.EXE
C:\WINDOWS\SYSTEM32\APIDG.EXE
C:\WINDOWS\SYSTEM32\APIHO.EXE
C:\WINDOWS\SYSTEM32\APIKE32.EXE
C:\WINDOWS\SYSTEM32\APIKQ32.EXE
C:\WINDOWS\SYSTEM32\APIKW.EXE
C:\WINDOWS\SYSTEM32\APIMT32.EXE
C:\WINDOWS\SYSTEM32\APINM32.EXE
C:\WINDOWS\SYSTEM32\APITC.EXE
C:\WINDOWS\SYSTEM32\APITU.EXE
C:\WINDOWS\SYSTEM32\APIUD32.EXE
C:\WINDOWS\SYSTEM32\APIUM32.EXE
C:\WINDOWS\SYSTEM32\APIUR.EXE
C:\WINDOWS\SYSTEM32\APIUW.EXE
C:\WINDOWS\SYSTEM32\APIVC32.EXE
C:\WINDOWS\SYSTEM32\APIVV.EXE
C:\WINDOWS\SYSTEM32\APIWB.EXE
C:\WINDOWS\SYSTEM32\APPDD.EXE
C:\WINDOWS\SYSTEM32\APPDK32.EXE
C:\WINDOWS\SYSTEM32\APPDN32.EXE
C:\WINDOWS\SYSTEM32\APPFI.EXE
C:\WINDOWS\SYSTEM32\APPHA32.EXE
C:\WINDOWS\SYSTEM32\APPIP.EXE
C:\WINDOWS\SYSTEM32\APPJU.EXE
C:\WINDOWS\SYSTEM32\APPJZ32.EXE
C:\WINDOWS\SYSTEM32\APPLJ32.EXE
C:\WINDOWS\SYSTEM32\APPLN32.EXE
C:\WINDOWS\SYSTEM32\APPNE.EXE
C:\WINDOWS\SYSTEM32\APPOV32.EXE
C:\WINDOWS\SYSTEM32\APPSD32.EXE
C:\WINDOWS\SYSTEM32\APPTM32.EXE
C:\WINDOWS\SYSTEM32\APPUF.EXE
C:\WINDOWS\SYSTEM32\APPWO.EXE
C:\WINDOWS\SYSTEM32\APPZX.EXE
C:\WINDOWS\SYSTEM32\ATLBA32.EXE
C:\WINDOWS\SYSTEM32\ATLBK32.EXE
C:\WINDOWS\SYSTEM32\ATLCS32.EXE
C:\WINDOWS\SYSTEM32\ATLEB.EXE
C:\WINDOWS\SYSTEM32\ATLEM.EXE
C:\WINDOWS\SYSTEM32\ATLES.EXE
C:\WINDOWS\SYSTEM32\ATLFW32.EXE
C:\WINDOWS\SYSTEM32\ATLIO.EXE
C:\WINDOWS\SYSTEM32\ATLIP32.EXE
C:\WINDOWS\SYSTEM32\ATLKM.EXE
C:\WINDOWS\SYSTEM32\ATLNM32.EXE
C:\WINDOWS\SYSTEM32\ATLNS.EXE
C:\WINDOWS\SYSTEM32\ATLOW32.EXE
C:\WINDOWS\SYSTEM32\ATLRE32.EXE
C:\WINDOWS\SYSTEM32\ATLRH.EXE
C:\WINDOWS\SYSTEM32\ATLSL.EXE
C:\WINDOWS\SYSTEM32\ATLSO32.EXE
C:\WINDOWS\SYSTEM32\ATLSY.EXE
C:\WINDOWS\SYSTEM32\ATLTE.EXE
C:\WINDOWS\SYSTEM32\ATLUW32.EXE
C:\WINDOWS\SYSTEM32\ATLXI.EXE
C:\WINDOWS\SYSTEM32\ATLZG.EXE
C:\WINDOWS\SYSTEM32\AWVTR.DLL
C:\WINDOWS\SYSTEM32\CRAI.EXE
C:\WINDOWS\SYSTEM32\CRBY.EXE
C:\WINDOWS\SYSTEM32\CRFF.EXE
C:\WINDOWS\SYSTEM32\CRFQ32.EXE
C:\WINDOWS\SYSTEM32\CRHF32.EXE
C:\WINDOWS\SYSTEM32\CRHW.EXE
C:\WINDOWS\SYSTEM32\CRIT.EXE
C:\WINDOWS\SYSTEM32\CRJG32.EXE
C:\WINDOWS\SYSTEM32\CRKH.EXE
C:\WINDOWS\SYSTEM32\CRLQ32.EXE
C:\WINDOWS\SYSTEM32\CRLV.EXE
C:\WINDOWS\SYSTEM32\CRMY.EXE
C:\WINDOWS\SYSTEM32\CRNG32.EXE
C:\WINDOWS\SYSTEM32\CROG.EXE
C:\WINDOWS\SYSTEM32\CRPA.EXE
C:\WINDOWS\SYSTEM32\CRPK32.EXE
C:\WINDOWS\SYSTEM32\CRPV.EXE
C:\WINDOWS\SYSTEM32\CRQK.EXE
C:\WINDOWS\SYSTEM32\CRRC32.EXE
C:\WINDOWS\SYSTEM32\CRRH.EXE
C:\WINDOWS\SYSTEM32\CRSN32.EXE
C:\WINDOWS\SYSTEM32\CRUS32.EXE
C:\WINDOWS\SYSTEM32\CRVW32.EXE
C:\WINDOWS\SYSTEM32\CRWH32.EXE
C:\WINDOWS\SYSTEM32\CRXC.EXE
C:\WINDOWS\SYSTEM32\CRYH.EXE
C:\WINDOWS\SYSTEM32\CRYY32.EXE
C:\WINDOWS\SYSTEM32\CRYZ32.EXE
C:\WINDOWS\SYSTEM32\CRZH32.EXE
C:\WINDOWS\SYSTEM32\D3AN32.EXE
C:\WINDOWS\SYSTEM32\D3CI.EXE
C:\WINDOWS\SYSTEM32\D3CP.EXE
C:\WINDOWS\SYSTEM32\D3EA.EXE
C:\WINDOWS\SYSTEM32\D3GC.EXE
C:\WINDOWS\SYSTEM32\D3GQ32.EXE
C:\WINDOWS\SYSTEM32\D3HC32.EXE
C:\WINDOWS\SYSTEM32\D3IB.EXE
C:\WINDOWS\SYSTEM32\D3IJ32.EXE
C:\WINDOWS\SYSTEM32\D3JJ32.EXE
C:\WINDOWS\SYSTEM32\D3KX32.EXE
C:\WINDOWS\SYSTEM32\D3LA32.EXE
C:\WINDOWS\SYSTEM32\D3LF32.EXE
C:\WINDOWS\SYSTEM32\D3LK.EXE
C:\WINDOWS\SYSTEM32\D3LN32.EXE
C:\WINDOWS\SYSTEM32\D3ML32.EXE
C:\WINDOWS\SYSTEM32\D3NA.EXE
C:\WINDOWS\SYSTEM32\D3NJ.EXE
C:\WINDOWS\SYSTEM32\D3OL.EXE
C:\WINDOWS\SYSTEM32\D3OO.EXE
C:\WINDOWS\SYSTEM32\D3OP32.EXE
C:\WINDOWS\SYSTEM32\D3QD32.EXE
C:\WINDOWS\SYSTEM32\D3QW.EXE
C:\WINDOWS\SYSTEM32\D3UE32.EXE
C:\WINDOWS\SYSTEM32\D3UG32.EXE
C:\WINDOWS\SYSTEM32\D3US.EXE
C:\WINDOWS\SYSTEM32\D3VM.EXE
C:\WINDOWS\SYSTEM32\D3WT32.EXE
C:\WINDOWS\SYSTEM32\D3XG32.EXE
C:\WINDOWS\SYSTEM32\D3XZ.EXE
C:\WINDOWS\SYSTEM32\D3YJ32.EXE
C:\WINDOWS\SYSTEM32\D3YO.EXE
C:\WINDOWS\SYSTEM32\D3ZU32.EXE
C:\WINDOWS\SYSTEM32\IEBO32.EXE
C:\WINDOWS\SYSTEM32\IECJ.EXE
C:\WINDOWS\SYSTEM32\IEDL.EXE
C:\WINDOWS\SYSTEM32\IEDM.EXE
C:\WINDOWS\SYSTEM32\IEEL32.EXE
C:\WINDOWS\SYSTEM32\IEHY32.EXE
C:\WINDOWS\SYSTEM32\IEIV32.EXE
C:\WINDOWS\SYSTEM32\IEJI32.EXE
C:\WINDOWS\SYSTEM32\IELA.EXE
C:\WINDOWS\SYSTEM32\IENK32.EXE
C:\WINDOWS\SYSTEM32\IEPX.EXE
C:\WINDOWS\SYSTEM32\IERD32.EXE
C:\WINDOWS\SYSTEM32\IERY32.EXE
C:\WINDOWS\SYSTEM32\IERZ32.EXE
C:\WINDOWS\SYSTEM32\IESG.EXE
C:\WINDOWS\SYSTEM32\IESH32.EXE
C:\WINDOWS\SYSTEM32\IESI.EXE
C:\WINDOWS\SYSTEM32\IESK.EXE
C:\WINDOWS\SYSTEM32\IETL.EXE
C:\WINDOWS\SYSTEM32\IEVV32.EXE
C:\WINDOWS\SYSTEM32\IEVY.EXE
C:\WINDOWS\SYSTEM32\IEWH.EXE
C:\WINDOWS\SYSTEM32\IEWV32.EXE
C:\WINDOWS\SYSTEM32\IEXM.EXE
C:\WINDOWS\SYSTEM32\IEXR32.EXE
C:\WINDOWS\SYSTEM32\IEXZ32.EXE
C:\WINDOWS\SYSTEM32\IEYQ32.EXE
C:\WINDOWS\SYSTEM32\IEYT.EXE
C:\WINDOWS\SYSTEM32\IEZH32.EXE
C:\WINDOWS\SYSTEM32\IPAO32.EXE
C:\WINDOWS\SYSTEM32\IPDM32.EXE
C:\WINDOWS\SYSTEM32\IPDQ32.EXE
C:\WINDOWS\SYSTEM32\IPHH.EXE
C:\WINDOWS\SYSTEM32\IPIW32.EXE
C:\WINDOWS\SYSTEM32\IPJX32.EXE
C:\WINDOWS\SYSTEM32\IPLT32.EXE
C:\WINDOWS\SYSTEM32\IPMA.EXE
C:\WINDOWS\SYSTEM32\IPMP.EXE
C:\WINDOWS\SYSTEM32\IPNV32.EXE
C:\WINDOWS\SYSTEM32\IPOV32.EXE
C:\WINDOWS\SYSTEM32\IPQH.EXE
C:\WINDOWS\SYSTEM32\IPRP32.EXE
C:\WINDOWS\SYSTEM32\IPSV.EXE
C:\WINDOWS\SYSTEM32\IPUQ32.EXE
C:\WINDOWS\SYSTEM32\IPUS32.EXE
C:\WINDOWS\SYSTEM32\IPWA32.EXE
C:\WINDOWS\SYSTEM32\IPXE32.EXE
C:\WINDOWS\SYSTEM32\IPXO.EXE
C:\WINDOWS\SYSTEM32\IPZN32.EXE
C:\WINDOWS\SYSTEM32\JAVACF.EXE
C:\WINDOWS\SYSTEM32\JAVACG32.EXE
C:\WINDOWS\SYSTEM32\JAVACT.EXE
C:\WINDOWS\SYSTEM32\JAVADE.EXE
C:\WINDOWS\SYSTEM32\JAVAEQ32.EXE
C:\WINDOWS\SYSTEM32\JAVAEX.EXE
C:\WINDOWS\SYSTEM32\JAVAGQ32.EXE
C:\WINDOWS\SYSTEM32\JAVAIR32.EXE
C:\WINDOWS\SYSTEM32\JAVAIU.EXE
C:\WINDOWS\SYSTEM32\JAVAJH32.EXE
C:\WINDOWS\SYSTEM32\JAVAOW32.EXE
C:\WINDOWS\SYSTEM32\JAVAPA32.EXE
C:\WINDOWS\SYSTEM32\JAVAPB.EXE
C:\WINDOWS\SYSTEM32\JAVAQK32.EXE
C:\WINDOWS\SYSTEM32\JAVASG.EXE
C:\WINDOWS\SYSTEM32\JAVATB32.EXE
C:\WINDOWS\SYSTEM32\JAVAUT.EXE
C:\WINDOWS\SYSTEM32\JAVAVX.EXE
C:\WINDOWS\SYSTEM32\JAVAYN32.EXE
C:\WINDOWS\SYSTEM32\JAVAZV.EXE
C:\WINDOWS\SYSTEM32\MFCAQ32.EXE
C:\WINDOWS\SYSTEM32\MFCBD.EXE
C:\WINDOWS\SYSTEM32\MFCBX32.EXE
C:\WINDOWS\SYSTEM32\MFCEA32.EXE
C:\WINDOWS\SYSTEM32\MFCFI32.EXE
C:\WINDOWS\SYSTEM32\MFCHK32.EXE
C:\WINDOWS\SYSTEM32\MFCHZ.EXE
C:\WINDOWS\SYSTEM32\MFCIM32.EXE
C:\WINDOWS\SYSTEM32\MFCME32.EXE
C:\WINDOWS\SYSTEM32\MFCMF.EXE
C:\WINDOWS\SYSTEM32\MFCML.EXE
C:\WINDOWS\SYSTEM32\MFCNY32.EXE
C:\WINDOWS\SYSTEM32\MFCOE.EXE
C:\WINDOWS\SYSTEM32\MFCPY32.EXE
C:\WINDOWS\SYSTEM32\MFCRM.EXE
C:\WINDOWS\SYSTEM32\MFCRW32.EXE
C:\WINDOWS\SYSTEM32\MFCRZ.EXE
C:\WINDOWS\SYSTEM32\MFCUB32.EXE
C:\WINDOWS\SYSTEM32\MFCUG.EXE
C:\WINDOWS\SYSTEM32\MFCVZ.EXE
C:\WINDOWS\SYSTEM32\MLJGF.DLL
C:\WINDOWS\SYSTEM32\MSBY32.EXE
C:\WINDOWS\SYSTEM32\MSEC32.EXE
C:\WINDOWS\SYSTEM32\MSFN32.EXE
C:\WINDOWS\SYSTEM32\MSGH.EXE
C:\WINDOWS\SYSTEM32\MSGS32.EXE
C:\WINDOWS\SYSTEM32\MSHA.EXE
C:\WINDOWS\SYSTEM32\MSHY32.EXE
C:\WINDOWS\SYSTEM32\MSHZ.EXE
C:\WINDOWS\SYSTEM32\MSIO32.EXE
C:\WINDOWS\SYSTEM32\MSMM32.EXE
C:\WINDOWS\SYSTEM32\MSNF32.EXE
C:\WINDOWS\SYSTEM32\MSNK32.EXE
C:\WINDOWS\SYSTEM32\MSNQ32.EXE
C:\WINDOWS\SYSTEM32\MSPN32.EXE
C:\WINDOWS\SYSTEM32\MSPX.EXE
C:\WINDOWS\SYSTEM32\MSQJ32.EXE
C:\WINDOWS\SYSTEM32\MSQU.EXE
C:\WINDOWS\SYSTEM32\MSRE.EXE
C:\WINDOWS\SYSTEM32\MSRM.EXE
C:\WINDOWS\SYSTEM32\MSRZ32.EXE
C:\WINDOWS\SYSTEM32\MSSW32.EXE
C:\WINDOWS\SYSTEM32\MSTH32.EXE
C:\WINDOWS\SYSTEM32\MSTR32.EXE
C:\WINDOWS\SYSTEM32\MSUT.EXE
C:\WINDOWS\SYSTEM32\MSVN32.EXE
C:\WINDOWS\SYSTEM32\MSVQ32.EXE
C:\WINDOWS\SYSTEM32\MSWS32.EXE
C:\WINDOWS\SYSTEM32\MSWZ.EXE
C:\WINDOWS\SYSTEM32\MSZA32.EXE
C:\WINDOWS\SYSTEM32\NETBG.EXE
C:\WINDOWS\SYSTEM32\NETBM32.EXE
C:\WINDOWS\SYSTEM32\NETBW.EXE
C:\WINDOWS\SYSTEM32\NETCC32.EXE
C:\WINDOWS\SYSTEM32\NETCI32.EXE
C:\WINDOWS\SYSTEM32\NETCJ32.EXE
C:\WINDOWS\SYSTEM32\NETCR.EXE
C:\WINDOWS\SYSTEM32\NETCZ32.EXE
C:\WINDOWS\SYSTEM32\NETEG.EXE
C:\WINDOWS\SYSTEM32\NETFG32.EXE
C:\WINDOWS\SYSTEM32\NETFN.EXE
C:\WINDOWS\SYSTEM32\NETIB32.EXE
C:\WINDOWS\SYSTEM32\NETIG32.EXE
C:\WINDOWS\SYSTEM32\NETIZ.EXE
C:\WINDOWS\SYSTEM32\NETJQ32.EXE
C:\WINDOWS\SYSTEM32\NETKK32.EXE
C:\WINDOWS\SYSTEM32\NETKP.EXE
C:\WINDOWS\SYSTEM32\NETLU32.EXE
C:\WINDOWS\SYSTEM32\NETLV32.EXE
C:\WINDOWS\SYSTEM32\NETLY32.EXE
C:\WINDOWS\SYSTEM32\NETMM.EXE
C:\WINDOWS\SYSTEM32\NETMR.EXE
C:\WINDOWS\SYSTEM32\NETOA.EXE
C:\WINDOWS\SYSTEM32\NETOS32.EXE
C:\WINDOWS\SYSTEM32\NETUC32.EXE
C:\WINDOWS\SYSTEM32\NETWJ.EXE
C:\WINDOWS\SYSTEM32\NETWW32.EXE
C:\WINDOWS\SYSTEM32\NETXX32.EXE
C:\WINDOWS\SYSTEM32\NETYM32.EXE
C:\WINDOWS\SYSTEM32\NETYW32.EXE
C:\WINDOWS\SYSTEM32\NETYX.EXE
C:\WINDOWS\SYSTEM32\NETZT32.EXE
C:\WINDOWS\SYSTEM32\NETZW.EXE
C:\WINDOWS\SYSTEM32\NTAJ.EXE
C:\WINDOWS\SYSTEM32\NTAM.EXE
C:\WINDOWS\SYSTEM32\NTAO.EXE
C:\WINDOWS\SYSTEM32\NTBP32.EXE
C:\WINDOWS\SYSTEM32\NTCD32.EXE
C:\WINDOWS\SYSTEM32\NTDK32.EXE
C:\WINDOWS\SYSTEM32\NTDQ32.EXE
C:\WINDOWS\SYSTEM32\NTDR32.EXE
C:\WINDOWS\SYSTEM32\NTDT32.EXE
C:\WINDOWS\SYSTEM32\NTGA.EXE
C:\WINDOWS\SYSTEM32\NTGI.EXE
C:\WINDOWS\SYSTEM32\NTGN.EXE
C:\WINDOWS\SYSTEM32\NTHQ32.EXE
C:\WINDOWS\SYSTEM32\NTJI32.EXE
C:\WINDOWS\SYSTEM32\NTKL32.EXE
C:\WINDOWS\SYSTEM32\NTNC32.EXE
C:\WINDOWS\SYSTEM32\NTOI.EXE
C:\WINDOWS\SYSTEM32\NTPB32.EXE
C:\WINDOWS\SYSTEM32\NTRJ.EXE
C:\WINDOWS\SYSTEM32\NTSV.EXE
C:\WINDOWS\SYSTEM32\NTTV32.EXE
C:\WINDOWS\SYSTEM32\NTUC32.EXE
C:\WINDOWS\SYSTEM32\NTUK32.EXE
C:\WINDOWS\SYSTEM32\NTVL.EXE
C:\WINDOWS\SYSTEM32\NTVP32.EXE
C:\WINDOWS\SYSTEM32\NTXD32.EXE
C:\WINDOWS\SYSTEM32\SDKAS32.EXE
C:\WINDOWS\SYSTEM32\SDKBC32.EXE
C:\WINDOWS\SYSTEM32\SDKBO.EXE
C:\WINDOWS\SYSTEM32\SDKDB32.EXE
C:\WINDOWS\SYSTEM32\SDKDX.EXE
C:\WINDOWS\SYSTEM32\SDKFN32.EXE
C:\WINDOWS\SYSTEM32\SDKGQ32.EXE
C:\WINDOWS\SYSTEM32\SDKKB32.EXE
C:\WINDOWS\SYSTEM32\SDKKQ.EXE
C:\WINDOWS\SYSTEM32\SDKLB32.EXE
C:\WINDOWS\SYSTEM32\SDKMN32.EXE
C:\WINDOWS\SYSTEM32\SDKMV.EXE
C:\WINDOWS\SYSTEM32\SDKPL32.EXE
C:\WINDOWS\SYSTEM32\SDKQP.EXE
C:\WINDOWS\SYSTEM32\SDKRT.EXE
C:\WINDOWS\SYSTEM32\SDKSR.EXE
C:\WINDOWS\SYSTEM32\SDKTE32.EXE
C:\WINDOWS\SYSTEM32\SDKUN.EXE
C:\WINDOWS\SYSTEM32\SDKUU32.EXE
C:\WINDOWS\SYSTEM32\SDKWE32.EXE
C:\WINDOWS\SYSTEM32\SDKYK32.EXE
C:\WINDOWS\SYSTEM32\SDKZA32.EXE
C:\WINDOWS\SYSTEM32\SDKZG32.EXE
C:\WINDOWS\SYSTEM32\SYSBI32.EXE
C:\WINDOWS\SYSTEM32\SYSBN32.EXE
C:\WINDOWS\SYSTEM32\SYSCG.EXE
C:\WINDOWS\SYSTEM32\SYSDA32.EXE
C:\WINDOWS\SYSTEM32\SYSDF.EXE
C:\WINDOWS\SYSTEM32\SYSGY.EXE
C:\WINDOWS\SYSTEM32\SYSHN32.EXE
C:\WINDOWS\SYSTEM32\SYSHU.EXE
C:\WINDOWS\SYSTEM32\SYSHV.EXE
C:\WINDOWS\SYSTEM32\SYSJD.EXE
C:\WINDOWS\SYSTEM32\SYSJJ32.EXE
C:\WINDOWS\SYSTEM32\SYSLB32.EXE
C:\WINDOWS\SYSTEM32\SYSMQ32.EXE
C:\WINDOWS\SYSTEM32\SYSMZ32.EXE
C:\WINDOWS\SYSTEM32\SYSNW.EXE
C:\WINDOWS\SYSTEM32\SYSNY32.EXE
C:\WINDOWS\SYSTEM32\SYSOV.EXE
C:\WINDOWS\SYSTEM32\SYSTH32.EXE
C:\WINDOWS\SYSTEM32\SYSUD32.EXE
C:\WINDOWS\SYSTEM32\SYSUN32.EXE
C:\WINDOWS\SYSTEM32\SYSUP.EXE
C:\WINDOWS\SYSTEM32\SYSVC32.EXE
C:\WINDOWS\SYSTEM32\SYSWV.EXE
C:\WINDOWS\SYSTEM32\SYSXO32.EXE
C:\WINDOWS\SYSTEM32\WINAD32.EXE
C:\WINDOWS\SYSTEM32\WINAL.EXE
C:\WINDOWS\SYSTEM32\WINBH32.EXE
C:\WINDOWS\SYSTEM32\WINBO32.EXE
C:\WINDOWS\SYSTEM32\WINDT32.EXE
C:\WINDOWS\SYSTEM32\WINET32.EXE
C:\WINDOWS\SYSTEM32\WINHO.EXE
C:\WINDOWS\SYSTEM32\WINIO32.EXE
C:\WINDOWS\SYSTEM32\WINLA.EXE
C:\WINDOWS\SYSTEM32\WINLN32.EXE
C:\WINDOWS\SYSTEM32\WINMR32.EXE
C:\WINDOWS\SYSTEM32\WINOQ32.EXE
C:\WINDOWS\SYSTEM32\WINPH32.EXE
C:\WINDOWS\SYSTEM32\WINQB.EXE
C:\WINDOWS\SYSTEM32\WINQD.EXE
C:\WINDOWS\SYSTEM32\WINRC32.EXE
C:\WINDOWS\SYSTEM32\WINRR.EXE
C:\WINDOWS\SYSTEM32\WINRT.EXE
C:\WINDOWS\SYSTEM32\WINSJ.EXE
C:\WINDOWS\SYSTEM32\WINYH32.EXE
C:\WINDOWS\SYSTEM32\WINYW32.EXE

Trojan.Downloader/Variant
C:\WINDOWS\SYSTEM32\ATLIC32.EXE
C:\WINDOWS\SYSTEM32\CRGO32.EXE
C:\WINDOWS\SYSTEM32\D3ZN32.EXE
C:\WINDOWS\SYSTEM32\NTFR.EXE

Parasite.Unknown Origin
C:\WINDOWS\SYSTEM32\CRSS.EXE

Trojan.Downloader-Gen
C:\WINDOWS\SYSTEM32\D3NY32.EXE
C:\WINDOWS\SYSTEM32\IPNT32.EXE
C:\WINDOWS\SYSTEM32\JAVALU32.EXE
C:\WINDOWS\SYSTEM32\SYSCM.EXE
C:\WINDOWS\SYSTEM32\SYSZW32.EXE

Trojan.IEBX
C:\WINDOWS\SYSTEM32\IEBX.EXE

Worm.Rbot Variant
C:\WINDOWS\SYSTEM32\IEKM32.EXE
C:\WINDOWS\SYSTEM32\IPAO.EXE
C:\WINDOWS\SYSTEM32\MSBD32.EXE

Unclassifled.JAVAKW32
C:\WINDOWS\SYSTEM32\JAVAKW32.EXE

Trojan.JAVAMS32
C:\WINDOWS\SYSTEM32\JAVAMS32.EXE

Trojan.MFCVO32
C:\WINDOWS\SYSTEM32\MFCVO32.EXE

Worm.RBot-APT
C:\WINDOWS\SYSTEM32\MSED32.EXE

Trojan.MSEX
C:\WINDOWS\SYSTEM32\MSEX.EXE

Keylogger.IAMBigBrother
C:\WINDOWS\SYSTEM32\MSNI.EXE

Worm.MSVC32
C:\WINDOWS\SYSTEM32\MSVC32.EXE

Unclassified.MSWY
C:\WINDOWS\SYSTEM32\MSWY.EXE

Unclassified.NETTB32
C:\WINDOWS\SYSTEM32\NETTB32.EXE

Worm.NTSF
C:\WINDOWS\SYSTEM32\NTSF.EXE

Trojan.SYSME
C:\WINDOWS\SYSTEM32\SYSME.EXE

Adware.WinAd Client
C:\WINDOWS\SYSTEM32\WINAD.EXE

Rbot-VD Worm Component
C:\WINDOWS\SYSTEM32\WINIS.EXE

Trojan.RBot(Variant)
C:\WINDOWS\SYSTEM32\WINPE.EXE

WINSA32.EXE
C:\WINDOWS\SYSTEM32\WINSA32.EXE

Trojan.RBot/Variant
C:\WINDOWS\SYSTEM32\WINSI32.EXE

Unclassified.WINWT32
C:\WINDOWS\SYSTEM32\WINWT32.EXE
C:\WINDOWS\WINWT32.EXE

Trojan.WinDK
C:\WINDOWS\WINDK.EXE

Adware.eZula
C:\WINDOWS\WOINSTALL.EXE

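Almost every executable in the listing above belongs to one family: a familiar-looking prefix (add, api, app, atl, cr, d3, ie, ip, java, mfc, ms, net, nt, sdk, sys, win) followed by two random letters and an optional "32", dropped into System32. The check below is an added example, not part of the original post or of any scanner: it groups paths by that scheme so the hundreds of entries can be read as one generator rather than hundreds of separate detections. The sample paths are copied from the listing plus a few constructed negative controls; the prefix list is taken from the listing, and the `KNOWN_GOOD` allowlist is illustrative (netsh.exe is there because it fits the pattern and is legitimate).

```python
import re
from collections import Counter

# Prefixes observed in the listing above; the two-letter tail and the
# optional "32" are what vary from file to file.
GENERATED_NAME = re.compile(
    r"^(?P<prefix>ADD|API|APP|ATL|CR|D3|IE|IP|JAVA|MFC|MS|NET|NT|SDK|SYS|WIN)"
    r"(?P<rand>[A-Z]{2})(?P<suffix>32)?\.EXE$"
)

# Legitimate binaries that fit the scheme by coincidence. Illustrative only:
# a real allowlist would come from a known-good file inventory.
KNOWN_GOOD = {"NETSH.EXE"}

# Constructed sample: a handful of entries copied from the listing, two
# entries from the same listing that do not follow the scheme, and three
# legitimate Windows binaries added as negative controls.
SAMPLE_PATHS = [
    r"C:\WINDOWS\SYSTEM32\ADDAN.EXE",
    r"C:\WINDOWS\SYSTEM32\ADDBF32.EXE",
    r"C:\WINDOWS\SYSTEM32\APIAN32.EXE",
    r"C:\WINDOWS\SYSTEM32\APPDD.EXE",
    r"C:\WINDOWS\SYSTEM32\ATLIC32.EXE",
    r"C:\WINDOWS\SYSTEM32\CRAI.EXE",
    r"C:\WINDOWS\SYSTEM32\D3ZU32.EXE",
    r"C:\WINDOWS\SYSTEM32\IEBO32.EXE",
    r"C:\WINDOWS\SYSTEM32\IPAO.EXE",
    r"C:\WINDOWS\SYSTEM32\JAVACF.EXE",
    r"C:\WINDOWS\SYSTEM32\MFCVO32.EXE",
    r"C:\WINDOWS\SYSTEM32\MSBD32.EXE",
    r"C:\WINDOWS\SYSTEM32\NETBG.EXE",
    r"C:\WINDOWS\SYSTEM32\NTAJ.EXE",
    r"C:\WINDOWS\SYSTEM32\SDKAS32.EXE",
    r"C:\WINDOWS\SYSTEM32\SYSBI32.EXE",
    r"C:\WINDOWS\SYSTEM32\WINAD32.EXE",
    r"C:\WINDOWS\CRSS32.EXE",
    r"C:\WINDOWS\SYSTEM32\AWVTR.DLL",
    r"C:\WINDOWS\WOINSTALL.EXE",
    r"C:\WINDOWS\SYSTEM32\NETSH.EXE",
    r"C:\WINDOWS\SYSTEM32\WINLOGON.EXE",
    r"C:\WINDOWS\SYSTEM32\CSRSS.EXE",
]


def _basename(path):
    return path.rsplit("\\", 1)[-1].upper()


def looks_generated(path):
    """True if the file name fits <prefix><2 letters>[32].EXE and is not allowlisted."""
    name = _basename(path)
    return bool(GENERATED_NAME.match(name)) and name not in KNOWN_GOOD


def classify(paths):
    """Return (paths that fit the scheme, Counter of hits per prefix)."""
    flagged = [p for p in paths if looks_generated(p)]
    counts = Counter(GENERATED_NAME.match(_basename(p)).group("prefix") for p in flagged)
    return flagged, counts


if __name__ == "__main__":
    flagged, counts = classify(SAMPLE_PATHS)
    print(f"{len(flagged)} of {len(SAMPLE_PATHS)} paths fit the generated-name scheme")
    for prefix, n in sorted(counts.items()):
        print(f"  {prefix:<5} {n}")
```

The pattern is a heuristic for grouping, not a verdict: every hit still needs corroboration (hash lookup, version information, creation time), which is exactly why the allowlist exists.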
#6 Aaflac (Malware Response Team)

Posted 27 April 2007 - 08:55 AM

Please run HijackThis once again, and post a new log.

On your question, I use SuperAntiSpyware, AVG Anti-Spyware, AdAware, and Spybot Search and Destroy.
Every week I use one or two of the above.

Anti-Spyware programs, as well as Anti-Virus programs, have malware definitions that are not all identical. So, one catches one thing, another may catch something different, etc.

Old duck...


#7 avandelay (Topic Starter)

Posted 27 April 2007 - 10:15 PM

Here it is.... The ads are gone, but the computer is still running slower than normal and is crashing/shutting down for no reason...

Logfile of HijackThis v1.99.1
Scan saved at 7:57:27 PM, on 4/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\sugar\SugarCRM\oss\httpd\bin\Apache.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
F:\sugar\SugarCRM\oss\mysql\bin\mysqld-opt.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\WebDrive\wdService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
F:\sugar\SugarCRM\oss\httpd\bin\Apache.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\StickyNote\StickyNote.exe
C:\DOCUME~1\Anthony\LOCALS~1\Temp\SSUPDATE.EXE
C:\Documents and Settings\Anthony\Desktop\youknow\youknow.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: StickyNote.lnk = C:\Program Files\StickyNote\StickyNote.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://E:\components\A9.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145995670218
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures05.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Apache2 - Unknown owner - F:\sugar\SugarCRM\oss\httpd\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows System Uninstaller (HackerDefender100) - Unknown owner - C:\WINDOWS\winunins.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: MySQL - Unknown owner - F:\sugar\SugarCRM\oss\mysql\bin\mysqld-opt.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe

#8 Aaflac (Malware Response Team)

Posted 28 April 2007 - 07:42 PM

Please go to Start > Run, and copy/paste or type the following commands, one at a time, and press OK after each.

sc stop HackerDefender100
sc delete HackerDefender100


~~~~
Run HijackThis, Scan
Check box for:

O23 - Service: Windows System Uninstaller (HackerDefender100) - Unknown owner - C:\WINDOWS\winunins.exe (file missing)

Select: Fix checked

~~~~
Restart the computer.

~~~~
Please download GMER to the Desktop:
http://www.majorgeeks.com/GMER_d5198.html
Right click the zipped file and select: Extract all
Follow the Extraction Wizard prompts

Start the program by double clicking: GMER.exe
If a security warning appears, allow the program to run
If GMER detects rootkit activity, you are prompted to scan immediately
Click Yes to begin the scan

If you are not prompted to Scan:
In the Rootkit tab, make sure all the boxes on the right are checked, except for "Show All"
Click the Scan button.

Once the scan is done, click: Copy, and provide the GMER results in your reply.

~~~~
Run HijackThis once again, and Scan.

~~~~
Please provide the GMER results and a new HijackThis log in your reply.

Old duck...

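The O23 entry being removed above is worth a second look: the binary is reported missing, HijackThis could not read a publisher from it, it lives directly under C:\WINDOWS rather than System32 or Program Files, and the internal service name is the default used by the Hacker Defender (hxdef) rootkit. The script below is an added example, not part of this thread or of HijackThis: it parses O23 lines, records those indicators for each service, and emits the same `sc stop` / `sc delete` pair for the service key name (HijackThis prints the key name in parentheses only when it differs from the display name). The sample lines are copied from the log posted in #7; the scoring rule and the `ROOTKIT_NAMES` list are assumptions for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: five O23 lines copied from the HijackThis log in post #7.
SAMPLE_O23 = r"""
O23 - Service: Apache2 - Unknown owner - F:\sugar\SugarCRM\oss\httpd\bin\Apache.exe" -k runservice (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Windows System Uninstaller (HackerDefender100) - Unknown owner - C:\WINDOWS\winunins.exe (file missing)
O23 - Service: MySQL - Unknown owner - F:\sugar\SugarCRM\oss\mysql\bin\mysqld-opt.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

# O23 - Service: <display>[ (<key name>)] - <owner> - <path>[ (file missing)]
O23_RE = re.compile(
    r"^O23 - Service: (?P<display>.+?)(?: \((?P<name>[^()]+)\))? - "
    r"(?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$"
)

# Binary sitting directly in the Windows directory (no subfolder).
WINDOWS_ROOT = re.compile(r"^[A-Z]:\\WINDOWS\\[^\\]+$", re.I)

# Illustrative list of service names tied to known rootkits; not complete.
ROOTKIT_NAMES = ("HACKERDEFENDER",)


@dataclass
class Service:
    display: str
    name: str          # service key name, what `sc` expects
    owner: str
    path: str
    file_missing: bool
    reasons: list = field(default_factory=list)


def parse_o23(line):
    m = O23_RE.match(line.strip())
    if not m:
        return None
    # HijackThis prints the key name only when it differs from the display name.
    name = m.group("name") or m.group("display")
    return Service(m.group("display"), name, m.group("owner"),
                   m.group("path"), bool(m.group("missing")))


def assess(svc):
    """Attach the indicators this thread relied on; returns the same object."""
    if svc.file_missing:
        svc.reasons.append("binary reported missing")
    if svc.owner.lower() == "unknown owner":
        svc.reasons.append("no publisher in version info (or file unreadable)")
    if WINDOWS_ROOT.match(svc.path):
        svc.reasons.append("binary directly under the Windows directory")
    if any(k in svc.name.upper() for k in ROOTKIT_NAMES):
        svc.reasons.append("service name matches a known rootkit")
    return svc


def suspicious(svc):
    # Assumed rule: two independent indicators before a human looks at it.
    return len(svc.reasons) >= 2


def removal_commands(svc):
    """The Start > Run commands from post #8, quoted if the key name has spaces."""
    q = f'"{svc.name}"' if " " in svc.name else svc.name
    return [f"sc stop {q}", f"sc delete {q}"]


def triage(text):
    return [assess(s) for s in map(parse_o23, text.strip().splitlines()) if s]


if __name__ == "__main__":
    for svc in triage(SAMPLE_O23):
        flag = "SUSPICIOUS" if suspicious(svc) else "ok"
        print(f"{flag:<10} {svc.name}: {'; '.join(svc.reasons) or '-'}")
        if suspicious(svc):
            print("           " + " && ".join(removal_commands(svc)))
```

Run against the sample, HackerDefender100 collects all four indicators. Apache2 is also flagged, on two: HijackThis reads the quoted ImagePath (`"...\Apache.exe" -k runservice`) as a file name and reports it missing, and it finds no publisher. The running-process list in the same log shows Apache.exe alive, so that one is a false positive, which is the check to make before deleting any service on the strength of a log line.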

#9 avandelay (Topic Starter)

Posted 29 April 2007 - 08:12 PM

Hey Aflac,

Thanks for the info... I did everything you said, but I am having an issue with GMER. I execute the application. It doesn't prompt me to scan, so I start it manually. It immediately shows the following item found...

c:\WINDOWS\System32\DRIVERS\update.sys

and then the computer just crashes and restarts. It happens at the same time into the scan every time, so I tried running it in safe mode. It doesn't crash when I run it in safe mode, and it finds only the above file.

The computer is still crashing (displays black screen and restarts), but less frequently (twice a day). Below is the latest HiJackThis log. Thanks for your help....

Logfile of HijackThis v1.99.1
Scan saved at 6:02:54 PM, on 4/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5346.0005)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\Program Files\WebDrive\wdService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\StickyNote\StickyNote.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Anthony\Desktop\youknow\youknow.exe

R1 - HKLM\Software\Microsoft\Internet Explorer,SearchURL = http://
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O3 - Toolbar: TextAloud - {F053C368-5458-45B2-9B4D-D8914BDDDBFF} - C:\PROGRA~1\TEXTAL~1\TAForIE.dll
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 2006\pccguide.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: StickyNote.lnk = C:\Program Files\StickyNote\StickyNote.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Send To &Bluetooth - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: ATI TV - {44226DFF-747E-4edc-B30C-78752E50CD0C} - C:\Program Files\ATI Multimedia\TV\EXPLBAR.DLL
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-4017 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {22E5D91F-89E6-4405-AD9C-0AF27BA6F06B} (HidInputMonitorX Control) - file://E:\components\hidinputmonitorx.ocx
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.av.aol.com/molbin/shared/m...83/mcinsctl.cab
O16 - DPF: {4F63D44B-6274-4D60-8AB1-CAA7116B8AF3} (A9Helper.A9) - file://E:\components\A9.ocx
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145995670218
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.napster.com/client/isetup.cab
O16 - DPF: {9E17A5F9-2B9C-4C66-A592-199A4BA1FBC8} (AIM UPF Control) - http://pictures05.aim.com/ygp/aol/plugin/u...AIM.9.5.1.8.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.av.aol.com/molbin/shared/m...,20/mcgdmgr.cab
O18 - Protocol: g7ps - {9EACF0FB-4FC7-436E-989B-3197142AD979} - C:\Program Files\Common Files\G7PS\Shared Files\G7PSDLL\G7PS.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WebDrive Service (WebDriveService) - South River Technologies, LLC - C:\Program Files\WebDrive\wdService.exe

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 29 April 2007 - 09:21 PM

Although it could be a symptom of a virus, unfortunately, bad drivers for any hardware on your system can also cause the machine to crash or go to a black screen without warning.

~~~~
Please download RootKitRevealer (very bottom of the page):
http://www.sysinternals.com/utilities/rootkitrevealer.html
Unzip it to the Desktop

Next, open the RootKitRevealer folder
Double-click rootkitrevealer.exe to run the program
Click the Scan button (bottom right)
The scan may take a while (Please do not use the computer while this program is running. It may interfere with the results and show legitimate entries.)

When done, rootkitrevealer.txt is produced
Save rootkitrevealer.txt to the Desktop.

~~~~
Please post the contents of rootkitrevealer.txt in your reply.

Old duck...


#11 avandelay

avandelay
  • Topic Starter

  • Members
  • 7 posts

Posted 30 April 2007 - 12:21 AM

The crashing started happening about a week ago. I haven't changed any hardware or software on the system in a few months. Well, anyway, here's the log. Thanks.



HKLM\.DEFAULT\Control Panel\International 4/25/2007 9:53 PM 0 bytes Security mismatch.
HKLM\.DEFAULT\Control Panel\International\Geo 4/25/2007 9:53 PM 0 bytes Security mismatch.
HKLM\S-1-5-21-606747145-1284227242-682003330-1004\Control Panel\International 4/25/2007 9:53 PM 0 bytes Security mismatch.
HKLM\S-1-5-21-606747145-1284227242-682003330-1004\Control Panel\International\Geo 4/25/2007 9:53 PM 0 bytes Security mismatch.
HKLM\S-1-5-18\Control Panel\International 4/25/2007 9:53 PM 0 bytes Security mismatch.
HKLM\S-1-5-18\Control Panel\International\Geo 4/25/2007 9:53 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\DefaultIcon 4/25/2007 9:06 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell 4/25/2007 9:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell\open 4/25/2007 9:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell\open\command 4/25/2007 9:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell\runas 4/25/2007 9:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shell\runas\command 4/25/2007 9:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex 4/25/2007 9:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\DropHandler 4/25/2007 9:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\PropertySheetHandlers 4/25/2007 9:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\PropertySheetHandlers\PifProps 4/25/2007 9:05 PM 0 bytes Security mismatch.
HKLM\SOFTWARE\Classes\cfexefile\shellex\PropertySheetHandlers\ShimLayer Property Page 4/25/2007 9:05 PM 0 bytes Security mismatch.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\05D21221d01 4/29/2007 7:54 PM 51.15 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\067E68B6d01 4/29/2007 7:53 PM 93.10 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\351A5523d01 4/29/2007 7:53 PM 62.07 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\37A8D22Cd01 4/29/2007 7:55 PM 30.12 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\4086DAE2d01 4/29/2007 7:55 PM 26.60 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\503CBD7Cd01 4/29/2007 7:53 PM 80.29 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\51A55300d01 4/29/2007 7:54 PM 62.07 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\6E4A558Fd01 4/29/2007 7:55 PM 25.94 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\83AE0B52d01 4/29/2007 7:55 PM 59.34 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\917AC8AAd01 4/29/2007 7:52 PM 16.54 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\966DAC08d01 4/29/2007 7:55 PM 46.54 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\A8A6F5FFd01 4/29/2007 7:56 PM 44.05 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\B76E9C99d01 4/29/2007 7:55 PM 18.26 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\C0A50332d01 4/29/2007 7:52 PM 27.83 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\C0A50342d01 4/29/2007 7:54 PM 28.53 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\CF8C3658d01 4/29/2007 7:52 PM 53.45 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\D515C027d01 4/29/2007 7:56 PM 44.63 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\DEFE8688d01 4/29/2007 7:52 PM 16.92 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\E3F18990d01 4/29/2007 7:53 PM 90.88 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\E3F38990d01 4/29/2007 7:53 PM 92.22 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\E3F78990d01 4/29/2007 7:53 PM 90.28 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\F2F9FF89d01 4/29/2007 7:52 PM 19.43 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\F9589E15d01 4/29/2007 7:55 PM 30.12 KB Hidden from Windows API.
C:\Documents and Settings\Anthony\Local Settings\Application Data\Mozilla\Firefox\Profiles\59h7a4kg.default\Cache\F9689E17d01 4/29/2007 7:55 PM 30.12 KB Hidden from Windows API.

#12 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 30 April 2007 - 08:37 AM

Please download SDFix and save it to the Desktop.

Right click the SDFix.zip folder
Select: Extract All to extract it to its own folder on the Desktop.

~~~~
Start the computer in Safe Mode:
-When the machine first starts again, tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
Open the SDFix folder on the Desktop, and double click RunThis.bat to start the script.
Type Y to begin the cleanup process.
The process removes any Trojan Services or Registry Entries found, and then prompts you to press any key to Reboot.

Press any key to restart the PC.
When the PC restarts, SDFix will run again and complete the removal process.
It then displays Finished.
Press any key to end the script and load the Desktop icons.

Once the Desktop icons load, the SDFix report opens on screen and saves itself in the SDFix folder as Report.txt.

~~~~
Also, please scan for Hidden Data Streams:

Open HijackThis
Click: Config
Click: Misc Tools
Click: Open ADS Spy
Uncheck: Quick Scan
Check: Full Scan (All NTFS drives)
Check: Ignore safe system info streams
Click: Scan the system for Alternate Data Streams
When done, click: Save Log

Please post the results of ADS Spy into your reply.

~~~~
Next, please access the Uninstall Manager in HijackThis:
Click on: Config > Misc Tools > Open Uninstall Manager

When the list shows, click on: Save List, and post it in your reply.

~~~~
Please post the contents of the SDFix Report.txt, the ADSSpy report, and the Uninstall list generated from the HijackThis program.

Old duck...


#13 avandelay

avandelay
  • Topic Starter

  • Members
  • 7 posts

Posted 30 April 2007 - 11:54 PM

Aaflac,

When I ran SDFix in safe mode, it got about 25% into the file scan, then just locked up the computer. I tried it several times with the same results. Eventually, I restarted the computer and it gave me the log. Here is everything you asked for. Thanks.



Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\StickyNote\\StickyNote.exe"="C:\\Program Files\\StickyNote\\StickyNote.exe:*:Disabled:Architecture launch vehicle"
"C:\\Program Files\\Napster\\napster.exe"="C:\\Program Files\\Napster\\napster.exe:*:Enabled:Napster"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\WINDOWS\twain.dll
C:\WINDOWS\twain_32.dll
C:\Documents and Settings\Anthony\My Documents\iexplore.exe
C:\Program Files\America Online 9.0\aolphx.exe
C:\Program Files\America Online 9.0\aoltray.exe
C:\Program Files\America Online 9.0\RBM.exe
C:\Program Files\America Online 9.0\waol.exe
C:\Program Files\Codeuber\MySpace Bot\Setup.exe
C:\Program Files\Makayama Software\Mobile Media Maker (Motorola) DEMO\Setup.exe
C:\WINDOWS\system32\regsvr32.exe
C:\redir.sys
C:\Program Files\ATI Multimedia\RemCtrl\x10prod.sys
C:\WINDOWS\page files\maxmeg.sys
C:\Documents and Settings\All Users\Application Data\GTek\GTUpdate\AUpdate\Channels\ch1\lock.tmp
C:\Documents and Settings\Anthony\Application Data\Roxio\Dragon\DiscInfoCache\Memorex__DVD16+_-DL4RWlD2_JWS5_310_DICV017_DRGV200021C.TMP
C:\Documents and Settings\Anthony\Application Data\Roxio\Dragon\DiscInfoCache\Memorex__DVD16+_-DL4RWlD2_JWS5_310_DICV018_DRGV20100BC.TMP
C:\Documents and Settings\Anthony\Application Data\Roxio\Dragon\DiscInfoCache\Memorex__DVD16+_-DL4RWlD2_JWS5_310_DICV018_DRGV2050102.TMP
C:\Documents and Settings\Anthony\Application Data\Roxio\Dragon\DiscInfoCache\Memorex__DVD16+_-DL4RWlD2_JWS5_310_DICV018_DRGV2050108.TMP
C:\Documents and Settings\Anthony\Application Data\Roxio\Dragon\DiscInfoCache\SAMSUNG__CD-R_RW_SW-224B__R206_300_DICV017_DRGV2000027.TMP
C:\Documents and Settings\Anthony\Application Data\Roxio\Dragon\DiscInfoCache\SAMSUNG__CD-R_RW_SW-224B__R206_300_DICV018_DRGV20100BC.TMP
C:\Documents and Settings\Anthony\Application Data\Roxio\Dragon\DiscInfoCache\SAMSUNG__CD-R_RW_SW-224B__R206_300_DICV018_DRGV2050108.TMP
C:\Documents and Settings\Anthony\Application Data\Roxio\Dragon\DiscInfoCache\SAMSUNG__DVD-ROM_SD-616F__F100_310_DICV017_DRGV2000027.TMP
C:\Program Files\InterActual\InterActual Player\itiB2.tmp

Finished




ADSPY

C:\Documents and Settings\All Users\Application Data\TEMP : 8927A071 (141 bytes)
C:\Documents and Settings\All Users\Application Data\TEMP : 8927A071 (141 bytes)
C:\WINDOWS\ActiveAct.INI : okljll (3567 bytes)
C:\WINDOWS\ActiveAct.INI : pgphbd (194418 bytes)
C:\WINDOWS\atid.ini : hzinvf (3567 bytes)
C:\WINDOWS\atid.ini : oenrdz (3567 bytes)
C:\WINDOWS\atid.ini : ylwonv (0 bytes)
C:\WINDOWS\BJCFDins.log : liddsm (3567 bytes)
C:\WINDOWS\Coffee Bean.bmp : tzstra (11736 bytes)
C:\WINDOWS\CPQM2003111.log : dzlgtk (7473 bytes)
C:\WINDOWS\CPQM2003111.log : wpwmob (0 bytes)
C:\WINDOWS\CPQM2003112.log : ibiwyp (11736 bytes)
C:\WINDOWS\CPQM200414.log : wsdmom (3567 bytes)
C:\WINDOWS\CPQM200436.log : bcactz (4870 bytes)
C:\WINDOWS\CPQM200438.log : xgrxqt (11736 bytes)
C:\WINDOWS\dahotfix.log : tcthvc (3567 bytes)
C:\WINDOWS\DtcInstall.log : hhdqng (7473 bytes)
C:\WINDOWS\FeatherTexture.bmp : aanvpr (3567 bytes)
C:\WINDOWS\KB821557.log : mevuqy (11736 bytes)
C:\WINDOWS\KB821557.log : omwfof (0 bytes)
C:\WINDOWS\KB823559.log : qgndbt (0 bytes)
C:\WINDOWS\KB824105.log : ajxmvj (13581 bytes)
C:\WINDOWS\KB824105.log : eeozsi (4870 bytes)
C:\WINDOWS\KB824105.log : gmpsip (0 bytes)
C:\WINDOWS\KB825119.log : tjprxl (197755 bytes)
C:\WINDOWS\KB826942.log : xfgemt (3567 bytes)
C:\WINDOWS\KB826942.log : znhyka (0 bytes)
C:\WINDOWS\KB828035.log : lkixrw (3567 bytes)
C:\WINDOWS\KB842773.log : pgrrov (0 bytes)
C:\WINDOWS\msgsocm.log : hdpfsq (3567 bytes)
C:\WINDOWS\Q329834.log : altwxi (11736 bytes)
C:\WINDOWS\Q810833.log : smlbzk (7473 bytes)
C:\WINDOWS\Q811493.log : wscjth (0 bytes)
C:\WINDOWS\Q814033.log : lnegtv (3567 bytes)
C:\WINDOWS\Q817606.log : doomvf (0 bytes)
C:\WINDOWS\Q828026.log : dpkppt (0 bytes)
C:\WINDOWS\SYMEVENT.LOG : xlpzfz (13581 bytes)
C:\WINDOWS\TPCKEY.DAT : pehfzj (197751 bytes)
C:\WINDOWS\tsoc.log : ifskbm (3567 bytes)
C:\WINDOWS\tsoc.log : msgdhx (7473 bytes)
C:\WINDOWS\tsoc.log : qstrlq (13581 bytes)
C:\WINDOWS\vb.ini : etribz (3567 bytes)
C:\WINDOWS\xpsp1hfm.log : axojaw (197751 bytes)
C:\WINDOWS\~ : gfqhpf (0 bytes)
C:\WINDOWS\~GLH0000.TMP : ahalwz (13581 bytes)
C:\WINDOWS\~GLH0000.TMP : aodkme (197751 bytes)
C:\WINDOWS\~GLH0000.TMP : atqxux (0 bytes)
C:\WINDOWS\~GLH0000.TMP : beqnnw (0 bytes)
C:\WINDOWS\~GLH0000.TMP : bykipi (3567 bytes)
C:\WINDOWS\~GLH0000.TMP : curisz (197756 bytes)
C:\WINDOWS\~GLH0000.TMP : dckzhm (13581 bytes)
C:\WINDOWS\~GLH0000.TMP : diaqpy (11736 bytes)
C:\WINDOWS\~GLH0000.TMP : djsvwc (3567 bytes)
C:\WINDOWS\~GLH0000.TMP : dsjwwd (3567 bytes)
C:\WINDOWS\~GLH0000.TMP : eempei (13581 bytes)
C:\WINDOWS\~GLH0000.TMP : eunlhk (7473 bytes)
C:\WINDOWS\~GLH0000.TMP : ewljwg (7473 bytes)
C:\WINDOWS\~GLH0000.TMP : ffzybn (13581 bytes)
C:\WINDOWS\~GLH0000.TMP : gcobsh (3567 bytes)
C:\WINDOWS\~GLH0000.TMP : gdytpv (197756 bytes)
C:\WINDOWS\~GLH0000.TMP : hetiu (0 bytes)
C:\WINDOWS\~GLH0000.TMP : hlsain (3567 bytes)
C:\WINDOWS\~GLH0000.TMP : jtzdyo (13581 bytes)
C:\WINDOWS\~GLH0000.TMP : jzvwsk (3567 bytes)
C:\WINDOWS\~GLH0000.TMP : kiipcz (197751 bytes)
C:\WINDOWS\~GLH0000.TMP : kryrca (197756 bytes)
C:\WINDOWS\~GLH0000.TMP : mjxkjq (13581 bytes)
C:\WINDOWS\~GLH0000.TMP : mtuffa (11736 bytes)
C:\WINDOWS\~GLH0000.TMP : mxtyjr (0 bytes)
C:\WINDOWS\~GLH0000.TMP : ojwvyx (197756 bytes)
C:\WINDOWS\~GLH0000.TMP : plivfd (197756 bytes)
C:\WINDOWS\~GLH0000.TMP : qgkqyi (197755 bytes)
C:\WINDOWS\~GLH0000.TMP : rilggq (13581 bytes)
C:\WINDOWS\~GLH0000.TMP : rxrvng (7473 bytes)
C:\WINDOWS\~GLH0000.TMP : spwqgh (3567 bytes)
C:\WINDOWS\~GLH0000.TMP : syrorc (0 bytes)
C:\WINDOWS\~GLH0000.TMP : szozlf (13581 bytes)
C:\WINDOWS\~GLH0000.TMP : tfaspg (0 bytes)
C:\WINDOWS\~GLH0000.TMP : uvkvuj (3567 bytes)
C:\WINDOWS\~GLH0000.TMP : wjdqeu (13581 bytes)
C:\WINDOWS\~GLH0000.TMP : wjterb (7473 bytes)
C:\WINDOWS\~GLH0000.TMP : wkffnl (13581 bytes)
C:\WINDOWS\~GLH0000.TMP : xvgybm (3567 bytes)
C:\WINDOWS\~GLH0000.TMP : xwdoyi (3567 bytes)
C:\WINDOWS\~GLH0000.TMP : ygjusp (0 bytes)
C:\WINDOWS\~GLH0000.TMP : ywgptw (11736 bytes)
C:\WINDOWS\~GLH0000.TMP : zeryjf (3567 bytes)




UNINSTALL

Ad-Aware SE Personal
Adobe Reader 6.0.1
AirNav Live Flight Tracker 6
Alarm Clock v1.0
AOL Uninstaller (Choose which Products to Remove)
AOPA's Real-Time Flight Planner 1.2.2
Araneae 5.0.0
ArcSoft VideoImpression 1.6FP
ATI Control Panel
ATI Display Driver
ATI DVD Decoder 2.1
ATI Multimedia Center 7.9.0.0
AVG Anti-Spyware 7.5
CH Control Manager
Cirrus SR20 V2 Six by GK
COMM1: Radio Simulator - VFR
Cypress USB Mass Storage Driver Installation
DFX for MUSICMATCH
DivX 5.0.2 Bundle
EA downloader
ExtractNow
EZ Macros
EZ Scheduler
FinePixViewer Ver.2.0
FSX Flight Weather Report
FUJIFILM USB Driver
GameSpy Arcade
GetPix (remove only)
Google Earth
GUIDE PLUS+™ for Windows® System - ATI
HijackThis 1.99.1
Hotfix for Windows XP (KB915865)
HP Photo Printing Software
hp psc 900 series
HydraVision
Intel® Extreme Graphics Driver
InterActual Player
Internet Explorer 7 Beta 2
Java 2 Runtime Environment, SE v1.4.2_03
LiveReg (Symantec Corporation)
LiveUpdate 2.6 (Symantec Corporation)
Logitech Gaming Software
Macromedia Extension Manager
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash MX
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia Shockwave Player
MapSource
MBSS Gravity Wells 2.1
Microsoft .NET Framework 1.1
Microsoft Flight Simulator 2004 A Century of Flight
Microsoft Halo
Microsoft Halo Trial
Microsoft Office 2000 Professional
Microsoft Text-to-Speech Engine 4.0 (English)
Microsoft User-Mode Driver Framework Feature Pack 1.0.0 (Pre-Release 5348)
Microsoft Visual C++ 2005 Redistributable
Microsoft Works 6.0
Microsoft Works and Money 2002 Setup Launcher
Mobile Media Maker (Motorola) DEMO 1.0
Mozilla Firefox (1.5.0.11)
MP3 Audio Converter
MPC Editor V3
MSN Messenger 7.0
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 Parser and SDK
MUSICMATCH® Jukebox
Napster
Napster Burn Engine
Napster Label Creator
Nero Suite
Norton WMI Update
Olympus Digital Wave Player
Pdf995
PdfEdit995
Pocket Tanks 1.00b
Power MP3 WMA Converter 1.15
QuickBooks Pro Edition 2004
QuickTime
RealPlayer
Reason
Rummi 6.0.29
SBC Self Support Tool
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
ShrinkTo5
SIA SmaartLive 5
Signature995
SONAR 3 Producer Edition
Spybot - Search & Destroy 1.4
Starry Night Backyard 3.1
StickyNote 9
SUPERAntiSpyware Free Edition
TextAloud
ToneDet Uninstall
Trend Micro PC-cillin Internet Security 2006
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
US-224
USB Storage Adapter FX (SM1)
Veneaviones Cessna Citation II
VersaCheck 2005 Platinum
VersaCheck Payroll
VideoLAN VLC media player 0.8.5
WebDrive
WIDCOMM Bluetooth Software
Winamp (remove only)
Windows Installer 3.1 (KB893803)
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinZip
WMA Encoder Decoder
Workspace Macro 4.5
Yahoo! extras
Yahoo! Internet Mail
Yahoo! Messenger

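Added example, not part of this thread and not code from HijackThis or ADS Spy: a small Python triage script for ADS Spy output in the one-line-per-stream format posted above (`host path : stream name (N bytes)`). It separates streams Windows itself creates from short random-looking names, and groups the latter by host file and by repeated size, so a responder can see at a glance what "Remove selected" is about to delete. The sample log and the random-name heuristic are constructed assumptions of this script.

```python
"""Triage helper for HijackThis ADS Spy output (added example, not ADS Spy code)."""
import re
from collections import Counter

# Constructed sample in ADS Spy's line format, modelled on the log above.
SAMPLE_LOG = r"""
C:\Documents and Settings\All Users\Application Data\TEMP : 8927A071 (141 bytes)
C:\WINDOWS\atid.ini : hzinvf (3567 bytes)
C:\WINDOWS\atid.ini : oenrdz (3567 bytes)
C:\WINDOWS\atid.ini : ylwonv (0 bytes)
C:\WINDOWS\KB824105.log : ajxmvj (13581 bytes)
C:\WINDOWS\~GLH0000.TMP : kiipcz (197751 bytes)
C:\WINDOWS\~GLH0000.TMP : kryrca (197756 bytes)
C:\Documents and Settings\Anthony\Desktop\readme.txt : Zone.Identifier (26 bytes)
"""

# <host file> : <stream name> (<size> bytes)
LINE_RE = re.compile(r"^(?P<host>.+?) : (?P<stream>.+?) \((?P<size>\d+) bytes\)$")

# Stream names Windows itself attaches to files (download zone mark,
# Explorer thumbnail flag, IE favourite icon).
KNOWN_BENIGN = {"Zone.Identifier", "encryptable", "favicon"}

# Heuristic (assumption of this script): a bare run of 5-7 lowercase letters
# is not a stream name any Windows component or installer uses.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,7}$")


def parse_ads_log(text):
    """Return (host, stream, size) tuples; lines not in ADS Spy's format are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue
        entries.append((m.group("host"), m.group("stream"), int(m.group("size"))))
    return entries


def triage(entries):
    """Bucket parsed streams so the suspicious ones can be reviewed before removal."""
    suspicious = [e for e in entries if RANDOM_NAME_RE.match(e[1])]
    benign = [e for e in entries if e[1] in KNOWN_BENIGN]
    host_counts = Counter(host for host, _, _ in entries)
    # Identical sizes on differently named streams suggest copies of one payload.
    size_counts = Counter(size for _, _, size in suspicious)
    repeated_sizes = {size: n for size, n in size_counts.items() if n >= 2}
    return {
        "total": len(entries),
        "suspicious": suspicious,
        "benign": benign,
        "hosts": host_counts,
        "repeated_sizes": repeated_sizes,
    }


def report(text):
    """Render a short human-readable summary of an ADS Spy log."""
    result = triage(parse_ads_log(text))
    lines = [f"{result['total']} streams parsed, "
             f"{len(result['suspicious'])} with random-looking names, "
             f"{len(result['benign'])} known Windows streams"]
    for host, n in result["hosts"].most_common():
        lines.append(f"  {n:3d}  {host}")
    for size, n in sorted(result["repeated_sizes"].items()):
        lines.append(f"  size {size} bytes repeated {n} times")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```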
#14 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 01 May 2007 - 06:09 PM

Please run ADSSpy once again
Check: Full Scan (All NTFS drives)
Check: Ignore safe system info streams
Click: Scan the system for Alternate Data Streams
When the scan is done, right-click the list and choose: Select all
Then select: Remove selected

Note: The removal may take some time…

~~~~
Next, download AVG Anti-Spyware:
http://www.ewido.net/en/download/
Locate the icon on the Desktop and double-click it to launch the program.

Now, update the definition files:
On the main screen select Update, and then select the Update Now link.
Next, select the Start Update button
(The update starts and a progress bar shows the updates installed.)

Once the update completes select: Scanner (the top of the screen)
Select the Settings tab
Once in the Settings screen click on: Recommended actions
Select: Quarantine
Under: Reports, select: Automatically generate report after every scan
Un-Select: Only if threats were found
Close AVG AS for now.

~~~~
Reboot to Safe Mode:
-Restart your computer.
-When the machine first starts again, tap the F8 key before Windows starts
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
Launch AVG AS once again
Select: Scanner (at the top)
Select the Scan tab
Click on: Complete System Scan
AVG AS begins the scanning process, and it may take a while.
Please do not open any other windows or programs while AVG AS is scanning; it may interfere with the scanning process!

Once the scan is complete, AVG AS lists any infections found.
It also automatically sets the recommended action.
Click: Apply all actions
AVG AS will then display: All actions have been applied

Next select: Reports (at the top)
Select: Save report as (lower left of the screen)
Save the report to a text file in a location where you can find it!
Close AVG AS.

~~~~
Restart the computer.

~~~~
Please provide the AVG AS report in your reply.

Edited by Aaflac, 01 May 2007 - 06:09 PM.

Old duck...




