Win 32/nuwar.n!sys ... Lots Of Vicious Pop-ups


  • This topic is locked
18 replies to this topic

#1 artworks1 (Members, 10 posts)

Posted 30 May 2007 - 08:59 PM

Alright, so I'm really not sure what I have on my computer. The virus I listed in the topic title is what the Windows IE said I had when I reported the bug. My computer got lots of pop-ups for WinAdware 2007 and Spydoctor ... continually telling me I had adware and spyware and needed to download these programs (which I didn't, but they continually popped up trying to download anyway). I did pretty much everything listed on this webpage: http://www.bleepingcomputer.com/forums/t/34773/preparation-guide-for-use-before-using-malware-removal-tools-and-requesting-help/. I didn't seem to have as much of a problem, my computer was much faster, but I still had random pop-ups (not as frequent or as persistent).

Then my grandfather checked out my computer, uninstalled some virus scans (McAfee and AVG) and the Lavasoft Adware program I had installed, and installed Registry Fix. I know having too many things slows the computer down, but the problem then got bigger. Everything seemed to be fine last night, I was online checking my e-mail and chatting when all of a sudden Spybot went crazy and kept asking me to confirm a registry change (which I constantly denied), but things were being installed anyway ... about 10 - 15 icons appeared on my desktop (I know I should have written them down :/ )... a virus scanner ... titled BS, short for B-something Sentry, was one of them and it began running and telling me I had malicious spyware and adware that was stealing my information. Whatever it was had complete control of my computer so I just held the power button for 10 secs, restarted the comp in safe mode, and ran Spybot (which is when I found out that the BS scanner was actually adware itself). It found 25 things but couldn't fix 5 of them (I ran it twice). Then today I ran Registry Fix in Safe Mode as well. Things seem to be much better, but my computer is still kind of slow and I just got a pop-up for WinAdware2007.

I'm just dreading another attack like I had last night, so here's my HijackThis log and any help would be appreciated. Sorry if I gave too much or not enough information. Thank you!


Logfile of HijackThis v1.99.1
Scan saved at 9:38:01 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\perfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
c:\program files\aim6\anotify.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\kcaymfdr.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash...h2.1.0.0.53.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135891594601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145571263129
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave.com/content/ballistik...gwebinstall.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v46/wof/wof.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://philau-reg:8080/registration/CAT/CNICAT.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Client Security Agent (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Performance Monitor Command Line Shell (Performance Monitor) - Unknown owner - C:\WINDOWS\perfmon.exe
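As an added example (not code from this thread, from HijackThis, or from any of the fix tools named in it), the following Python script applies the checks that a log reader makes by hand on entries of the kind shown above: a Run key that uses rundll32 to load a DLL (the `kcaymfdr.dll` line), an unrecognised Winsock LSP (`winhealer.dll`), an SSODL shell hook whose DLL is missing, a service whose ImagePath ends in an NTFS alternate data stream (`svchost.exe:exe.exe`, the ICF service), and a service with no company name whose binary sits directly in the Windows directory (`dls0523pmw.exe`, `perfmon.exe`). The sample lines are copied from the log above; the LSP allow-list and the heuristics themselves are assumptions for illustration, not a rule set from any of the tools.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: HijackThis entries of the kinds that appear in the
# log above, plus two benign entries so the filter has something to pass.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\kcaymfdr.dll",realset
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Performance Monitor Command Line Shell (Performance Monitor) - Unknown owner - C:\WINDOWS\perfmon.exe
"""

# Assumption: a small allow-list of LSP DLLs that are normally present on XP
# (the Bonjour one is listed in the log above as a known product).
KNOWN_LSP_DLLS = {"mswsock.dll", "winrnr.dll", "rsvpsp.dll", "mdnsnsp.dll"}

# A service binary living directly in %WINDIR% rather than system32 is out
# of place; real perfmon.exe lives under system32.
WINDIR_ROOT = "c:\\windows"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def _basename(path: str) -> str:
    return path.strip().strip('"').rsplit("\\", 1)[-1]


def _dirname(path: str) -> str:
    return path.strip().strip('"').rsplit("\\", 1)[0].lower()


def has_ads(path: str) -> bool:
    """True if the file-name component carries an NTFS stream (file.exe:stream).
    Only the last path component is examined, so the drive-letter colon never
    triggers this."""
    return ":" in _basename(path)


def triage_hjt(log_text: str) -> list[Finding]:
    """Return the entries worth a closer look, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"(O\d+|R\d)\s+-\s+(.*)", line)
        if not m:
            continue
        section, body = m.groups()

        if section == "O4":
            # rundll32 used as a loader: report which DLL and which export.
            r = re.search(r'rundll32(?:\.exe)?\s+"?([^",]+?)"?\s*,\s*(\w+)', body, re.I)
            if r:
                findings.append(Finding(section,
                    f"Run key loads {_basename(r.group(1))} via rundll32 (export {r.group(2)})", line))

        elif section == "O10":
            dll = _basename(body.split(":", 1)[1])
            if dll.lower() not in KNOWN_LSP_DLLS:
                findings.append(Finding(section, f"unrecognised Winsock LSP {dll}", line))

        elif section == "O21" and body.endswith("(no file)"):
            findings.append(Finding(section, "SSODL shell hook whose DLL is missing", line))

        elif section == "O23":
            parts = body.split(" - ")          # Service: <name> - <owner> - <path>
            if len(parts) < 3:
                continue
            owner, path = parts[-2], parts[-1]
            if has_ads(path):
                findings.append(Finding(section,
                    f"service binary is an NTFS alternate data stream: {_basename(path)}", line))
            elif owner == "Unknown owner" and _dirname(path) == WINDIR_ROOT:
                findings.append(Finding(section,
                    f"service with no company name running from the Windows root: {_basename(path)}", line))
    return findings


if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The ADS check is the one that matters most in this thread: a service ImagePath of `svchost.exe:exe.exe` means the real code is in a stream attached to a legitimate file, which is exactly what the SDFix report later confirms and deletes. The "Unknown owner" field in an O23 line is only the absence of a company name in the file's version information, not a signature check, so that heuristic is a prompt to look, not a verdict.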

#2 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 31 May 2007 - 08:25 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, artworks1 :thumbsup:

My name is Richie and I'll be helping you to fix your problems.

Download LSPFix from:
http://www.bleepingcomputer.com/files/spyware/lspfix.zip
Once LSP-Fix is downloaded, extract it to your desktop.
Close all windows on your computer.
Launch/start lspfix.
Put a checkmark in the 'I know what I'm doing' checkbox.
Now move any instances of "winhealer.dll" into the remove box using the >> button.
Press the finish button.
Then reboot.

*****************************

Download SDFix.exe and save it to your desktop:
http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

* Double click on SDFix on your desktop, and install the fix to C:\

Please then reboot your computer into Safe Mode by doing the following:

* Restart your computer
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
* Instead of Windows loading as normal, a menu with options should appear;
* Select the first option, to run Windows in Safe Mode, then press "Enter".
* Choose your usual account.

* In Safe Mode, go to and open the C:\SDFix folder, then double click on RunThis.bat to start the script.
* Type Y to begin the script.
* It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
* Press any Key and it will restart the PC.
* Your system will take longer than normal to restart as the fixtool will be running and removing files.
* When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
* Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt into your next reply.

****************************

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files, click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "OK".
Please post the contents of C:\vundofix.txt into your next reply.

Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

****************************

Please download Combofix and save to your desktop:
http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe
Note:
It is important that it is saved directly to your desktop

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.
Note:
Do not mouse-click ComboFix's window whilst it's running.
That may cause the program to freeze/hang.


****************************

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', and rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#3 artworks1 (Topic Starter, Members, 10 posts)

Posted 31 May 2007 - 10:15 PM

Thanks for your help so far. I'm having more problems already though. I booted up the computer to follow your instructions and I got this error ... dls0523.pmw.exe is not working properly. It asks if I want to send an error report. The first time I said no, the second and third times I said yes ... but all three times, the dreaded blue screen flashed and my computer restarted. After the third time I rebooted in safe mode, and began your instructions. I ran LSPFix fine (but in safe mode). However, SDFix.exe was not as successful. I installed in safe mode, and then ran it in safe mode. It says it's supposed to take like 10 mins. However, I've been waiting for an hour and it's not getting to the point where it asks me to reboot. It seems to have stopped like 50 mins ago. It has about 20 listings all saying "Unable to open the file "C:\WINDOWS\TEMP\MX_xxxx.TMP"". The x's are numbers 117F through 119B. I don't know if I should just stop the program and move on to the next step, or let it go. The processor is still running, the computer is still blinking the green light as in it's 'thinking.' I'm gonna go to bed, and hope it finishes for tomorrow. I will hopefully check on it before I leave for work (although I'm always rushed just to get out the door on time). I will update you from work as to whether it finished or just turned off or what. Thanks again.

#4 RichieUK (Malware Assassin, Malware Response Team, 13,614 posts)

Posted 01 June 2007 - 03:13 AM

I don't know if I should just stop the program and move on to the next step

Forget SDFix for now, carry on with the rest of the instructions please.

#5 artworks1 (Topic Starter, Members, 10 posts)

Posted 01 June 2007 - 07:13 AM

Well, I let it go and when I woke up this morning it had completed. I rebooted it (to the login screen) and will finish your instructions and post the logs after work today. Thanks again!

#6 artworks1 (Topic Starter, Members, 10 posts)

Posted 01 June 2007 - 05:38 PM

OK, here we go ...

SDFix Report:


SDFix: Version 1.85

Run by Megan - Thu 05/31/2007 - 22:23:25.87

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:

Name:
ICF

ImagePath:
C:\WINDOWS\system32\svchost.exe:exe.exe

ICF - Deleted



Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\SYSTEM32\VEXGA3~1.EXE - Deleted
C:\Documents and Settings\Megan\Local Settings\Temp\2.dllb - Deleted
C:\WINDOWS\Temp\win47E.tmp.exe - Deleted
C:\WINDOWS\Temp\win47E.tmp.exe - Deleted
C:\DOCUME~1\Megan\LOCALS~1\Temp\B5.tmp.exe - Deleted
C:\Documents and Settings\Megan\Application Data\Install.dat - Deleted
C:\DOCUME~1\Megan\LOCALS~1\Temp\temp_53029682.bat - Deleted
C:\WINDOWS\retadpu1000106.exe - Deleted
C:\WINDOWS\retadpu27.exe - Deleted
C:\WINDOWS\system32\~.exe - Deleted
C:\WINDOWS\system32\comdlg77.dll - Deleted
C:\WINDOWS\system32\dlh9jkd1q1.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q5.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q7.exe - Deleted
C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
C:\WINDOWS\system32\kernels32.exe - Deleted
C:\WINDOWS\system32\qwertybot.exe - Deleted
C:\WINDOWS\system32\spoolsvv.exe - Deleted
C:\WINDOWS\system32\spoolsvv.sys - Deleted
C:\WINDOWS\system32\vexg6ame4.exe - Deleted
C:\WINDOWS\system32\vexga3me2.exe - Deleted
C:\WINDOWS\system32\vexga4me1.exe - Deleted
C:\WINDOWS\system32\vexga5me3.exe - Deleted
C:\WINDOWS\system32\vexga8me6.exe - Deleted
C:\WINDOWS\system32\windev-peers.ini - Deleted
C:\WINDOWS\tcb.pmw - Deleted
C:\WINDOWS\Temp\removalfile.bat - Deleted
C:\WINDOWS\wr.txt - Deleted
C:\WINDOWS\xpupdate.exe - Deleted
C:\WINDOWS\Temp\mx_*.tmp - Deleted
C:\WINDOWS\Temp\win*.tmp - Deleted
C:\DOCUME~1\Megan\LOCALS~1\Temp\win*.tmp - Deleted


Folder C:\Program Files\Ipwindows - Removed

Removing Temp Files...

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
:exe.exe ADS Found!

svchost.exe: deleted 57856 bytes in 1 streams.

Checking for remaining Streams

C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------


Rootkit PE386 Found, Use a Rootkit scanner !

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Checking For Files with Hidden Attributes:

C:\Documents and Settings\All Users\Documents\Settings\bot.dll
C:\WINDOWS\system32\awtro.dll
C:\WINDOWS\hugobqeA.exe
C:\WINDOWS\perfmon.exe
C:\Documents and Settings\All Users\DRM\Cache\Indiv02.tmp
C:\Program Files\InterActual\InterActual Player\iti10.tmp
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\d3f1cc34a2e17903494d8561b5dfd39f\BIT9.tmp
C:\WINDOWS\system32\ortwa.tmp
C:\WINDOWS\Temp\18467.tmp.LOG

Finished





VundoFix:


VundoFix V6.4.1

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 5:34:56 PM 6/1/2007

Listing files found while scanning....

C:\WINDOWS\system32\awtro.dll
C:\WINDOWS\system32\hggdcyv.dll
C:\WINDOWS\system32\kcaymfdr.dll
C:\WINDOWS\system32\mocvayyb.dll
C:\WINDOWS\system32\ortwa.bak1
C:\WINDOWS\system32\ortwa.bak2
C:\WINDOWS\system32\ortwa.ini
C:\WINDOWS\system32\ortwa.ini2
C:\WINDOWS\system32\ortwa.tmp
C:\WINDOWS\system32\rdfmyack.ini
C:\WINDOWS\system32\wuyhqjpp.dll
C:\WINDOWS\system32\yvadelyx.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awtro.dll
C:\WINDOWS\system32\awtro.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggdcyv.dll
C:\WINDOWS\system32\hggdcyv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kcaymfdr.dll
C:\WINDOWS\system32\kcaymfdr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mocvayyb.dll
C:\WINDOWS\system32\mocvayyb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ortwa.bak1
C:\WINDOWS\system32\ortwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ortwa.bak2
C:\WINDOWS\system32\ortwa.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ortwa.ini
C:\WINDOWS\system32\ortwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ortwa.ini2
C:\WINDOWS\system32\ortwa.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ortwa.tmp
C:\WINDOWS\system32\ortwa.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\rdfmyack.ini
C:\WINDOWS\system32\rdfmyack.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\wuyhqjpp.dll
C:\WINDOWS\system32\wuyhqjpp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yvadelyx.dll
C:\WINDOWS\system32\yvadelyx.dll Has been deleted!

Performing Repairs to the registry.
Done!





ComboFix:

"Megan" - 2007-06-01 18:01:24 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Megan\Desktop\"

ADS removed - system32: deleted 71608 bytes in 1 streams.

Unable to gain System Privileges

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\bfllxpmj.dll
C:\WINDOWS\system32\emtjlnhs.dll
C:\WINDOWS\system32\uqjfpocb.dll
C:\WINDOWS\system32\woqnljsg.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\vcrj.dll"
"C:\Documents and Settings\All Users.\documents\settings\desktop.ini"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\dinerdash2.exe"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\playfirstlogo.png"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\strings.xml"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\accessories\dirty_dishes.png"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\accessories\foodtray.png"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\accessories\heart1.png"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\accessories\heart2.png"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\accessories\heart3.png"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\accessories\menu_down.png"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\accessories\menu_up.png"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\accessories\mop_prop.png"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\accessories\ticket.png"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\music\mainmenumusic.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\music\cafe\cafe_music_a1.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\music\cafe\cafe_music_a2.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\music\cafe\cafe_music_a3.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\music\cafe\cafe_music_a4.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\baby_cry.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\chef_cook1.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\closing_time.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\customer_ditch.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\dialog_down.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\dialog_up.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\drink_table.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\expert.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\highchair_deliver.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\highchair_pickup.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\keystroke2.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\level_lose.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\level_win.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\menu_click.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\menu_rollover.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\mop_pickup.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\mop_spill.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_bring_check_1_snd.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_deliver_food_1_snd.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_dish_dropoff_1_snd.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_dropoff_drinks_1.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_food_ready_1_snd.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_gain_heart_1.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_get_drinks_1_snd.ogg"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53\assets\audio\sfx\sfx_menu_down.ogg"
"C:\DOCUME~1\Megan\Desktop\internet.lnk"
"C:\WINDOWS\uni_e6h.exe"
"C:\WINDOWS\system32\WinHealer.dll"
"C:\WINDOWS\system32\dnsersnd.dll"
"C:\WINDOWS\sammy3.exe"
"C:\WINDOWS\rau001978.exe"
"C:\WINDOWS\dls0523pmw.exe"
"C:\WINDOWS\Setup89.exe"
"C:\WINDOWS\uninst108.exe"
"C:\Temp\tn3"
"C:\WINDOWS\DOWNLO~1.\DinerDash2.1.0.0.53"
"C:\Documents and Settings\All Users.\documents\settings\bot.dll"
C:\Documents and Settings\All Users.\documents\settings


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DRIVER
-------\LEGACY_NET_AGENT
-------\LEGACY_PERFORMANCE_MONITOR
-------\Driver
-------\Net Agent
-------\Performance Monitor


((((((((((((((((((((((((((((((( Files Created from 2007-05-01 to 2007-06-01 ))))))))))))))))))))))))))))))))))


2007-06-01 17:34 <DIR> d-------- C:\VundoFix Backups
2007-06-01 17:33 2,580 --a------ C:\WINDOWS\system32\dxfokbcr.exe
2007-06-01 17:30 131,124 --a------ C:\WINDOWS\system32\hnpbmoop.dll
2007-05-29 23:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-29 22:19 544,768 -r-hs---- C:\WINDOWS\perfmon.exe
2007-05-29 22:19 46,080 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\fkjwfeds.exe
2007-05-29 22:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-29 22:16 19,968 --a------ C:\WINDOWS\system32\winlbu32.dll
2007-05-29 22:16 14 --a------ C:\WINDOWS\bstdin.bin
2007-05-29 22:15 <DIR> d-------- C:\Program Files\myCleanerPC
2007-05-29 22:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-05-29 22:14 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-29 22:13 <DIR> d-------- C:\Program Files\Ofb11
2007-05-29 22:12 271,920 -r-hs---- C:\WINDOWS\hugobqeA.exe
2007-05-29 22:11 46,592 --a------ C:\WINDOWS\hugobqe.exe
2007-05-29 22:11 <DIR> d-------- C:\WINDOWS\system32\T6
2007-05-29 22:11 <DIR> d-------- C:\WINDOWS\system32\T5QaSQ
2007-05-29 22:11 <DIR> d-------- C:\WINDOWS\system32\T4
2007-05-29 22:11 <DIR> d-------- C:\WINDOWS\system32\T3
2007-05-29 22:11 <DIR> d-------- C:\WINDOWS\system32\pog
2007-05-29 22:11 <DIR> d-------- C:\Temp\0b9
2007-05-29 22:11 <DIR> d-------- C:\Temp
2007-05-28 12:19 <DIR> d-------- C:\Program Files\RegistryFix
2007-05-23 20:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-23 19:11 <DIR> d-------- C:\DOCUME~1\Megan\APPLIC~1\Lavasoft
2007-05-23 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-22 19:04 <DIR> d--hs---- C:\WINDOWS\CSC
2007-05-18 21:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-05-18 19:07 <DIR> d-------- C:\quarantine


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-31 01:07:19 -------- d-----w C:\Program Files\Plaxo
2007-05-30 02:18:34 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2007-05-30 02:11:43 -------- d-----w C:\Program Files\Online Services
2007-05-29 11:38:50 -------- d-----w C:\Program Files\Google
2007-05-28 15:14:11 -------- d-----w C:\Program Files\Common Files\Network Associates
2007-05-28 15:14:10 -------- d-----w C:\Program Files\Network Associates
2007-05-18 22:46:19 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-21 02:29:36 -------- d-----w C:\Program Files\MSN Messenger
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
2007-03-06 09:41:30 90,112 ----a-w C:\WINDOWS\KVTE66.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{72A671FB-1559-4721-A3DF-ACDC3C12CF35}=C:\WINDOWS\system32\awtro.dll []
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-05-28 13:41]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 02:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-02-24 16:35 C:\WINDOWS\system32\pctspk.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HostManager"="C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe" [2005-11-02 23:01]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-11-07 16:41]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-11-07 16:41]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 01:23]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2006-03-31 14:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-01 21:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-02-10 12:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\botreg]
C:\Documents and Settings\All Users\Documents\Settings\bot.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\windeh32]
windeh32.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-01 22:18:19 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-01 18:15:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


********************************************************************

Completion time: 2007-06-01 18:19:30 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-01 18:19

--- E O F ---

HijackThis ... (I'm not sure if I renamed it correctly. In the HijackThis folder, there was an icon named Hijack this, but it didn't say HijackThis.exe. But I changed it anyway.)

Logfile of HijackThis v1.99.1
Scan saved at 9:38:01 PM, on 5/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\perfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\MMDiag.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Plaxo\2.12.1.1\PlaxoHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\AIM6\aim6.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\notepad.exe
c:\program files\aim6\anotify.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\kcaymfdr.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\winhealer.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash...h2.1.0.0.53.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135891594601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145571263129
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave.com/content/ballistik...gwebinstall.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v46/wof/wof.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://philau-reg:8080/registration/CAT/CNICAT.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Client Security Agent (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Performance Monitor Command Line Shell (Performance Monitor) - Unknown owner - C:\WINDOWS\perfmon.exe

Thanks ... the computer is going much faster, but I still get some error messages ... and Spybot Search and Destroy goes CRAZY asking me to approve/deny things (although I can't see the correct wording on the buttons), so I just hit the X and it says it denies, but it keeps asking me. I've begun to assume it has something to do with all the stuff you have me running, so I turn it off. Anyways, thanks again.

#7 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 02 June 2007 - 03:48 AM

Please make sure all hidden files are showing:
* Click 'Start'.
* Open 'My Computer'.
* Select the 'Tools' menu and click 'Folder Options'.
* Select the 'View' tab.
* Under the 'Hidden files and folders' heading select 'Show hidden files and folders'.
* Uncheck the 'Hide file extensions for known types' option.
* Uncheck the 'Hide protected operating system files (recommended)' option.
* Click Yes to confirm.
* Click OK.

Now go to:
C:\Program Files\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename', then rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply please.

#8 artworks1

artworks1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 02 June 2007 - 10:49 AM

Here you go ...


Logfile of HijackThis v1.99.1
Scan saved at 11:44:01 AM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72A671FB-1559-4721-A3DF-ACDC3C12CF35} - C:\WINDOWS\system32\awtro.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\kcaymfdr.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash...h2.1.0.0.53.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135891594601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145571263129
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave.com/content/ballistik...gwebinstall.cab
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v46/wof/wof.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://philau-reg:8080/registration/CAT/CNICAT.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: windeh32 - windeh32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Client Security Agent (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)

#9 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  •  
  • Local time:12:33 PM

Posted 02 June 2007 - 12:08 PM

Download/install AVG Anti-Spyware 7.5.

Please follow these instructions very carefully.

Launch/start up AVG Anti-Spyware.
On the main page click the 'Update' tab, and then 'Start Update'.
Note:
If you have any problems running the update process prior to running the scan, download/install the 'Full Database' from here:
http://download.ewido.net/avgas-signatures-full-current.exe

Once the updates have been installed,do the following:
Select the 'Scanner' icon at the top of the screen, then select the 'Settings' tab.
Once in the 'Settings' screen, under 'How to act?', then under 'Set default action for detected malware to:', click on 'Recommended actions', then click on 'Quarantine'.
Under 'Reports' select 'Automatically generate report after every scan' and unselect 'Only if threats were found'.
Exit AVG Anti-Spyware; don't run the scan just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following [If still present], by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:

O2 - BHO: (no name) - {72A671FB-1559-4721-A3DF-ACDC3C12CF35} - C:\WINDOWS\system32\awtro.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\kcaymfdr.dll",realset
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} (CPlayFirstDinerDash2Control Object) - http://www.shockwave.com/content/dinerdash...h2.1.0.0.53.cab
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} (Sandlot Loader Control) - http://www.shockwave.com/content/ballistik...gwebinstall.cab
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll (file missing)
O20 - Winlogon Notify: windeh32 - windeh32.dll (file missing)
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)


Still in Safe Mode launch AVG Anti-Spyware.
Click the 'Scanner' icon at the top.
To start the scan click on 'Complete System Scan'.
Please be patient; it takes a while for the scan to finish.

Once the scan is complete,do the following.
If AVG Anti-Spyware detected any infected objects, click on 'Apply All Actions'.

Next click on 'Save Report'.
Copy and paste that report into your next reply.
The report can be found under the 'Reports' tab at the top.
Close AVG Anti-Spyware when you're done.
Reboot normally.

******************************

Download 'Blacklight Beta graphical user interface version' to your desktop:
https://europe.f-secure.com/blacklight/try.shtml
Accept the agreement, then download the program.
Click on Blacklight Beta on your desktop, accept that agreement, then hit Scan.
You'll see a list of all items found.
Don't choose rename yet!
I want to see the log first,legit items may be present.
There will be a log on your desktop with the name 'fsbl---log'
Post the contents of that log in your next reply.


Post the AVG Anti-Spyware report, the Blacklight Beta log, and a new HijackThis log into your next reply.
Let me know how your pc is running now please.

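
The entries RichieUK picks out above share a few tells that can be spotted mechanically in a HijackThis log: an O2/O20/O21 entry whose target is "(file missing)" or "(no file)", an O4 Run key that uses rundll32.exe to load a random-named DLL from system32, and O23 services with "Unknown owner" that run from the Windows root or, as in the earlier log's ICF service, from an NTFS alternate data stream (svchost.exe:exe.exe). The script below is an added example by the editor, not code from the thread or from HijackThis; the regexes, the 7-10 lowercase-letter "random name" rule and the reason strings are its own assumptions, and the sample lines are copied from the logs posted in this thread.

```python
"""Triage helper for HijackThis-style logs (added example).

Editor's own code, not part of the thread or of HijackThis. The heuristics
are assumptions that mirror the tells in the entries RichieUK chose to fix:
entries whose target file is gone, a Run key that uses rundll32 to load a
random-named DLL from system32, and services with no vendor that run from
the Windows root or from an NTFS alternate data stream.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, e.g. "O4" or "O23"
    reason: str   # why the entry was flagged
    line: str     # the original log line


# "O4 - HKLM\..\Run: [...]" -> section tag and the rest of the entry
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+)\s+-\s+(?P<body>.+)$")
# rundll32.exe "C:\WINDOWS\system32\name.dll",entrypoint (quotes optional)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+?\\([^\\",]+\.dll))"?', re.I)
# something.exe:stream -> service binary hidden in an alternate data stream
ADS_RE = re.compile(r"\.exe:[^\\\s]+", re.I)
# C:\WINDOWS\name.exe with no subdirectory between WINDOWS and the binary
WINROOT_RE = re.compile(r"C:\\WINDOWS\\[^\\]+\.exe\b", re.I)


def random_looking(stem: str) -> bool:
    """Assumed heuristic: 7-10 lowercase letters and nothing else."""
    return re.fullmatch(r"[a-z]{7,10}", stem) is not None


def classify(line: str) -> Optional[Finding]:
    """Return a Finding for one log line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    if "(file missing)" in low or "(no file)" in low:
        return Finding(section, "orphaned entry: target file no longer exists", line)
    if section == "O4":
        r = RUNDLL_RE.search(body)
        if r and random_looking(r.group(2)[:-len(".dll")]):
            return Finding(section, f"rundll32 loading random-named DLL {r.group(2)}", line)
    if section == "O23":
        if ADS_RE.search(body):
            return Finding(section, "service binary is an NTFS alternate data stream", line)
        if "unknown owner" in low and WINROOT_RE.search(body):
            return Finding(section, "unknown-vendor service running from the Windows root", line)
    return None


def triage(log_text: str) -> List[Finding]:
    """Run classify() over every line and keep the hits, in log order."""
    return [f for f in map(classify, log_text.splitlines()) if f is not None]


# Constructed sample: a handful of entries copied from the logs in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {72A671FB-1559-4721-A3DF-ACDC3C12CF35} - C:\WINDOWS\system32\awtro.dll (file missing)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\kcaymfdr.dll",realset
O20 - Winlogon Notify: botreg - C:\Documents and Settings\All Users\Documents\Settings\bot.dll (file missing)
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\system32\svchost.exe:exe.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: Performance Monitor Command Line Shell (Performance Monitor) - Unknown owner - C:\WINDOWS\perfmon.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

The helper reports rather than removes: an "(file missing)" hit is only a hint, and the Adobe Version Cue line in the sample shows why, since a stray quote in an otherwise legitimate service path produces the same marker. As with the Blacklight log, a person still has to look at each flagged line before anything is fixed.
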

#10 artworks1

artworks1
  • Topic Starter

  • Members
  • 10 posts
  • OFFLINE
  •  
  • Local time:07:33 AM

Posted 02 June 2007 - 04:28 PM

AVG Anti-Spyware Report:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:42:46 PM 6/2/2007

+ Scan result:



C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163527.exe -> Adware.Bagon : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP816\A0161666.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0162515.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\WINDOWS\stub_track3.exe -> Adware.BookedSpace : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163512.exe -> Adware.BraveSentry : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163514.dll -> Adware.BraveSentry : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163515.dll -> Adware.BraveSentry : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163516.dll -> Adware.BraveSentry : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163505.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163522.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163523.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163524.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163525.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163526.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168941.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\AppID\{90A52F08-64AC-4DC6-9D7D-4516670275D3} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\CLSID\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TypeLib\{90A52F08-64AC-4DC6-9D7D-4516670275D3} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0162517.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168688.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\hggdcyv.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\WINDOWS\system32\T3\dlltk67.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\WinHealer.dll.vir -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/B5.tmp.exe -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/comdlg77.dll -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/qwertybot.exe -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP827\A0164552.dll -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0164607.dll -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0165608.dll -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0166606.dll -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167613.dll -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167619.exe -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168635.exe -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168636.dll -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168642.exe -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168872.dll -> Backdoor.Agent.alp : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/retadpu1000106.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/retadpu27.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167610.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167611.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168644.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168645.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/~.exe -> Downloader.Agent.bnn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167612.exe -> Downloader.Agent.bnn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168657.exe -> Downloader.Agent.bnn : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/vexg6ame4.exe -> Downloader.Agent.bnr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167622.exe -> Downloader.Agent.bnr : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168649.exe -> Downloader.Agent.bnr : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/vexga5me3.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167624.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168652.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\WINDOWS\system32\T6\dlwr.exe -> Downloader.Agent.brf : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/dlh9jkd1q1.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/vexga8me6.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167614.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167625.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168637.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168653.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\dls0523pmw.exe.vir -> Downloader.Zlob.bqw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168876.exe -> Downloader.Zlob.bqw : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168946.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\WINDOWS\hugobqe.exe -> Dropper.Agent.mu : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168943.exe -> Hijacker.Agent.jp : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\catchme2007-06-01_181553.78.zip/lzx32.sys -> Hijacker.Costrat.aq : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168949.exe -> Hijacker.Delf.hj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168951.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\dnsersnd.dll.vir -> Hijacker.Small.cf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168873.dll -> Hijacker.Small.cf : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168950.exe -> Hijacker.Small.cf : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.a : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/xpupdate.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167627.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168656.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168942.exe -> Not-A-Virus.Hoax.Win32.Renos.hn : Cleaned with backup (quarantined).
C:\WINDOWS\system32\rarf.dll -> Proxy.Agent.df : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/spoolsvv.sys -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0165610.sys -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0166608.sys -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167621.sys -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168647.sys -> Proxy.Agent.ji : Cleaned with backup (quarantined).
C:\WINDOWS\perfmon.exe -> Proxy.Agent.mn : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\Documents and Settings\All Users\Documents\Settings\bot.dll.vir -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/vexga4me1.exe -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167623.exe -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168651.exe -> Proxy.Xorpix.ar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163529.sys -> Rootkit.Agent.eq : Cleaned with backup (quarantined).
C:\Documents and Settings\Megan\Cookies\megan@adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Megan\Cookies\megan@ads.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Megan\Cookies\megan@stats.adbrite[2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Megan\Cookies\megan@advertising[2].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\Megan\Cookies\megan@com[1].txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Megan\Cookies\megan@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\Megan\Cookies\megan@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Keith\Cookies\keith@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
C:\Documents and Settings\Keith\Cookies\keith@data2.perf.overture[1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\Megan\Cookies\megan@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Megan\Cookies\megan@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\Megan\Cookies\megan@revsci[1].txt -> TrackingCookie.Revsci : Cleaned.
C:\Documents and Settings\Megan\Cookies\megan@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Keith\Cookies\keith@m.webtrends[1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\QooBox\Quarantine\C\WINDOWS\sammy3.exe.vir -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168874.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\system32\T4\d5ll.exe -> Trojan.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168684.exe:exe.exe -> Trojan.Agent.alt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\winlbu32.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\Program Files\Online Services\lavuhazo.dll -> Trojan.BHO.ab : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168953.exe -> Trojan.BHO.ab : Cleaned with backup (quarantined).
C:\WINDOWS\KVTE66.exe -> Trojan.BHO.ab : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\fkjwfeds.exe -> Trojan.Obfuscated.ev : Cleaned with backup (quarantined).
C:\Program Files\Ofb11\Ofb11.dll -> Trojan.OwlF.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163519.exe -> Trojan.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163520.exe -> Trojan.Rond : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163521.dll -> Trojan.Rond : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/2.dllb -> Trojan.Tibs.ad : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/dlh9jkd1q7.exe -> Trojan.Tibs.ad : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167616.exe -> Trojan.Tibs.ad : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168639.exe -> Trojan.Tibs.ad : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP816\A0161663.sys -> Trojan.Tibs.w : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP815\A0161411.exe -> Trojan.Tibs.y : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP816\A0161664.exe -> Trojan.Tibs.y : Cleaned with backup (quarantined).
C:\WINDOWS\system32\T5QaSQ\T5QaSQ1083.exe -> Trojan.VB.nhr : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\Setup89.exe.vir -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\uninst108.exe.vir -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP826\A0163504.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168877.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168878.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\WINDOWS\win32074003-127378.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\uni_e6h.exe.vir -> Trojan.YourEnhancement : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168871.exe -> Trojan.YourEnhancement : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/dlh9jkd1q5.exe -> Worm.Nuwar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167615.exe -> Worm.Nuwar : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168638.exe -> Worm.Nuwar : Cleaned with backup (quarantined).
C:\SDFix\backups\backups.zip/backups/kernels32.exe -> Worm.Zhelatin.ek : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP828\A0167618.exe -> Worm.Zhelatin.ek : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168641.exe -> Worm.Zhelatin.ek : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{2235C4F5-E952-4DFF-B6FD-39CE21E36395}\RP829\A0168954.exe -> Worm.Zhelatin.ek : Cleaned with backup (quarantined).


::Report end





Blacklight Beta log (The scan didn't find anything):


06/02/07 16:55:18 [Info]: BlackLight Engine 1.0.61 initialized
06/02/07 16:55:18 [Info]: OS: 5.1 build 2600 (Service Pack 2)
06/02/07 16:55:18 [Note]: 7019 4
06/02/07 16:55:18 [Note]: 7005 0
06/02/07 16:55:28 [Note]: 7006 0
06/02/07 16:55:28 [Note]: 7011 2020
06/02/07 16:55:28 [Note]: 7026 0
06/02/07 16:55:28 [Note]: 7026 0
06/02/07 16:55:33 [Note]: FSRAW library version 1.7.1021
06/02/07 17:17:52 [Note]: 7007 0




HiJackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:21:20 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {72A671FB-1559-4721-A3DF-ACDC3C12CF35} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\kcaymfdr.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} -
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135891594601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145571263129
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} -
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v46/wof/wof.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://philau-reg:8080/registration/CAT/CNICAT.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: botreg - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: windeh32 - C:\WINDOWS\
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Security Agent (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)




The computer seems sooo much better now. The only thing is that Spybot S&D continually asks me about registry changes. I have to keep hitting the red X because I can't read the words on the buttons. I eventually turn it off, because it's a pain and I'm assuming what you have me doing is taking care of the problems. I tried to find a way to turn off the setting that automatically has S&D come up on login. Am I just not being patient with it, what should I do? As far as the virus, and everything else, it seems to be gone! Thank you!

#11 RichieUK

    Malware Assassin

  • Malware Response Team
  • 13,614 posts

Posted 02 June 2007 - 06:00 PM

First disable Windows Defender's real-time protection, as it may interfere.
* Open Microsoft Windows Defender. Click Start>All Programs>Windows Defender.
* Click on 'Tools'>'Options'.
* Under 'Real-time protection options', unselect the 'Turn on real-time protection' check box
* Click 'Save'.

************************

Please disable Spybot S&D's protection, or it will interfere.
You can enable it after you're clean.
Open Spybot and click on 'Mode' and check 'Advanced Mode'.
Click on 'Tools' in bottom left hand corner.
Click on the 'System Startup' icon.
Uncheck 'Teatimer' box and/or uncheck 'Resident'.
Click the 'Allow Change' box.
Then, check next to the computer clock to see if the icon for Spybot is still there.
If it is, right click it and choose 'exit Spybot-S&D Resident'.
Reboot the computer.

************************

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
O2 - BHO: (no name) - {72A671FB-1559-4721-A3DF-ACDC3C12CF35} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [setup] rundll32.exe "C:\WINDOWS\system32\kcaymfdr.dll",realset
O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} -
O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} -
O20 - Winlogon Notify: botreg - C:\WINDOWS\
O20 - Winlogon Notify: windeh32 - C:\WINDOWS\
O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)

Exit Hijackthis.

************************

Run 'BitDefender Online Scanner' using Internet Explorer:
http://www.bitdefender.com/scan8/ie.html
Read the 'END USER SOFTWARE LICENSE AGREEMENT' then click 'I agree'.
You'll be prompted to install the activex control, please do so.
Once installed, disable your current antivirus program, then click the 'Click here to scan' button.
The virus signatures will then load.
Once loaded the scan will start.
The scan will take quite some time so please be patient.
Once the scan has finished select the 'Detected Problems' tab.
Click on 'Click here to export scan'.
Save the file as an HTML file to your desktop.
Then click on the saved file and allow it to open with your browser.
Go to 'Edit'/'Select All' then copy and paste that log into your next reply.
*Note*
Don't forget to re-enable your antivirus program.

Restart your pc.
Post the BitDefender Online Scanner log, and a new Hijackthis log into your next reply.
Let me know how your pc is running now please.

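The entries RichieUK picks out of the HijackThis log above fall into a few recognisable classes: registered components whose file no longer exists ("(no file)"), Winlogon Notify handlers that point at a bare directory instead of a DLL, Downloaded Program Files with no source, and a Run-key autostart that loads a DLL through rundll32.exe. The following script is an added example, not code from this thread, from HijackThis or from any of the tools mentioned; it encodes those classes as simple triage rules and runs them over a constructed sample made of lines copied from the log posted in this thread. The rules are heuristics for an analyst to review, not a verdict: a rundll32.exe autostart in particular is also used by legitimate software, so that rule only asks for the DLL to be checked.

```python
import re

# Constructed sample: HijackThis v1.99.1 entries copied from the log posted in
# this thread, mixing the entries the helper asked to have fixed with entries
# that were left alone.
SAMPLE_LOG = "\n".join([
    "O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Adobe Acrobat 7.0\\ActiveX\\AcroIEHelper.dll",
    "O2 - BHO: (no name) - {72A671FB-1559-4721-A3DF-ACDC3C12CF35} - (no file)",
    "O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    "O4 - HKLM\\..\\Run: [SunJavaUpdateSched] \"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\"",
    "O4 - HKLM\\..\\Run: [setup] rundll32.exe \"C:\\WINDOWS\\system32\\kcaymfdr.dll\",realset",
    "O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab",
    "O16 - DPF: {639658F3-B141-4D6B-B936-226F75A5EAC3} -",
    "O16 - DPF: {7D731A83-6C80-4EA4-9646-5E06A0513274} -",
    "O20 - Winlogon Notify: botreg - C:\\WINDOWS\\",
    "O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll",
    "O20 - Winlogon Notify: windeh32 - C:\\WINDOWS\\",
    "O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\\WINDOWS\\system32\\WPDShServiceObj.dll",
    "O21 - SSODL: DCOM Server 20509 - {2C1CD3D7-86AC-4068-93BC-A02304B20509} - (no file)",
])

# Every HijackThis entry starts with a section tag (R0, O2, O16, ...) then " - ".
ENTRY = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.+)$")
# O16 - DPF: {GUID} (optional description) - <source URL, possibly empty>
DPF = re.compile(r"DPF: \{[0-9A-Fa-f-]+\}(?: \((?P<desc>[^)]*)\))? -\s*(?P<src>.*)$")
# O20 - Winlogon Notify: <name> - <path>
WINLOGON = re.compile(r"Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


def check_orphan(section, body):
    """Registry still references a component, but the file is gone."""
    if body.endswith("(no file)") or body.endswith("(file missing)"):
        return "orphaned reference: registered component has no file on disk"
    return None


def check_winlogon_notify(section, body):
    """A Winlogon Notify package must be a DLL; a bare directory is a leftover hook."""
    if section != "O20":
        return None
    m = WINLOGON.search(body)
    if m and m.group("path").endswith("\\"):
        return "Winlogon Notify handler points at a directory, not a DLL"
    return None


def check_dpf(section, body):
    """Downloaded Program Files normally carry a description and a source URL."""
    if section != "O16":
        return None
    m = DPF.search(body)
    if m and not m.group("src"):
        return "downloaded program file with no description and no source URL"
    return None


def check_rundll32_autostart(section, body):
    """Heuristic only: legitimate software also autostarts via rundll32.exe."""
    if section == "O4" and "rundll32.exe" in body.lower():
        return "autostart loads a DLL via rundll32.exe: verify the DLL's publisher"
    return None


CHECKS = (check_orphan, check_winlogon_notify, check_dpf, check_rundll32_autostart)


def triage(log_text):
    """Return [(entry line, reason)] for every entry that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # process list, header lines, blanks
        section, body = m.group("section"), m.group("body")
        for check in CHECKS:
            reason = check(section, body)
            if reason:
                findings.append((line.strip(), reason))
                break
    return findings


if __name__ == "__main__":
    for entry, reason in triage(SAMPLE_LOG):
        print(f"{reason}\n    {entry}")
```

Run against the sample it reports exactly the eight entries listed for fixing in the post above and leaves the Adobe, Java, Musicnotes, igfxcui and WPDShServiceObj entries alone; on a full log the orphan rule will also surface "(file missing)" services, which is the right place for an analyst to start reading rather than a removal list on its own.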

#12 artworks1
  • Topic Starter

  • Members
  • 10 posts

Posted 02 June 2007 - 11:53 PM

OK, I have fully run bitdefender twice. After it finishes scanning IE immediately comes up with an error report, so I'm unable to get rid of the infected problems. I attempted to run it a third time but it's getting late and I'm going to bed and I didn't want to leave the computer on all night with access to the internet. When I stopped the scan, again IE came up with an error report. When I report the error, it doesn't give me a specific virus, but says something about 'add-ons.'

Also, upon booting up and logging in I get "Error loading C:\WINDOWS\system32\kcaymfdr.dll. The specified module could not be found." And whenever I shut down, I get a Task Manager message about McAfee Virus scan automatic update not working properly, and I have to hit cancel (which won't shut down the computer) or End Now.

Here's the latest HJT:

Logfile of HijackThis v1.99.1
Scan saved at 12:41:48 AM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135891594601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145571263129
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v46/wof/wof.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://philau-reg:8080/registration/CAT/CNICAT.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Security Agent (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)

#13 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 03 June 2007 - 03:45 AM

Run this online virus scan: ActiveScan, using Internet Explorer.
Once you are on the Panda site click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, click the See Report button, then Save Report, and save it to your desktop.

**********************

Double click on combofix.exe again and follow the prompts.
When it's finished it will produce a log.
Post the C:\ComboFix.txt into your next reply.

Also post the Activescan report and a new Hijackthis log into your next reply.

#14 artworks1
  • Topic Starter
  • Members
  • 10 posts

Posted 03 June 2007 - 12:03 PM

Active Scan Report:


Incident Status Location

Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Keith\Cookies\keith@atwola[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Megan\Cookies\megan@atwola[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Megan\Desktop\ComboFix.exe[ComboFixT\nircmd.exe]
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Megan\Desktop\SDFix.exe[SDFix\apps\Process.exe]
Adware:Adware/DigInk Not disinfected C:\QooBox\Quarantine\C\WINDOWS\rau001978.exe.vir
Potentially unwanted tool:Application/Processor Not disinfected C:\SDFix\apps\Process.exe
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\WINDOWS\nircmd.exe


ComboFix Report:

"Megan" - 2007-06-03 12:39:56 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Megan\Desktop\"


((((((((((((((((((((((((((((((( Files Created from 2007-05-03 to 2007-06-03 ))))))))))))))))))))))))))))))))))


2007-06-03 11:06 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-06-03 11:06 <DIR> d-------- C:\WINDOWS\LastGood
2007-06-02 20:40 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-06-02 15:07 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-01 18:19 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-01 17:34 <DIR> d-------- C:\VundoFix Backups
2007-06-01 17:33 2,580 --a------ C:\WINDOWS\system32\dxfokbcr.exe
2007-06-01 17:30 131,124 --a------ C:\WINDOWS\system32\hnpbmoop.dll
2007-05-29 23:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-05-29 22:19 <DIR> d-a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-05-29 22:16 14 --a------ C:\WINDOWS\bstdin.bin
2007-05-29 22:15 <DIR> d-------- C:\Program Files\myCleanerPC
2007-05-29 22:15 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-05-29 22:14 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-05-29 22:13 <DIR> d-------- C:\Program Files\Ofb11
2007-05-29 22:11 <DIR> d-------- C:\WINDOWS\system32\T6
2007-05-29 22:11 <DIR> d-------- C:\WINDOWS\system32\T5QaSQ
2007-05-29 22:11 <DIR> d-------- C:\WINDOWS\system32\T4
2007-05-29 22:11 <DIR> d-------- C:\WINDOWS\system32\T3
2007-05-29 22:11 <DIR> d-------- C:\WINDOWS\system32\pog
2007-05-29 22:11 <DIR> d-------- C:\Temp\0b9
2007-05-29 22:11 <DIR> d-------- C:\Temp
2007-05-28 12:19 <DIR> d-------- C:\Program Files\RegistryFix
2007-05-23 20:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-23 19:11 <DIR> d-------- C:\DOCUME~1\Megan\APPLIC~1\Lavasoft
2007-05-23 19:10 <DIR> d-------- C:\Program Files\Lavasoft
2007-05-22 19:04 <DIR> d--hs---- C:\WINDOWS\CSC
2007-05-18 21:39 <DIR> d-------- C:\Program Files\Windows Live Safety Center
2007-05-18 19:07 <DIR> d-------- C:\quarantine


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-03 16:00:33 -------- d-----w C:\Program Files\Windows Defender
2007-06-03 16:00:15 -------- d-----w C:\Program Files\QuickTime
2007-06-03 15:58:35 -------- d-----w C:\Program Files\MSN Messenger
2007-06-03 15:51:17 -------- d-----w C:\Program Files\Google
2007-06-03 15:48:40 -------- d-----w C:\Program Files\Common Files\Autodesk Shared
2007-06-03 15:47:01 -------- d-----w C:\Program Files\Bonjour
2007-05-31 01:07:19 -------- d-----w C:\Program Files\Plaxo
2007-05-30 02:18:34 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
2007-05-30 02:11:43 -------- d-----w C:\Program Files\Online Services
2007-05-28 15:14:11 -------- d-----w C:\Program Files\Common Files\Network Associates
2007-05-28 15:14:10 -------- d-----w C:\Program Files\Network Associates
2007-05-18 22:46:19 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-05-28 13:41]
{AE7CD045-E861-484f-8273-0445EE161910}=C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll [2004-12-14 02:13]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PCTVOICE"="pctspk.exe" [2003-02-24 16:35 C:\WINDOWS\system32\pctspk.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"HostManager"="C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe" [2005-11-02 23:01]
"MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-11-07 16:41]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2006-11-07 16:41]
"Share-to-Web Namespace Daemon"="C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe" [2002-04-17 11:42]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe" [2002-10-07 01:23]
"McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" [2006-03-31 14:24]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-01-01 21:42]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [2005-04-04 18:58]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [2004-12-14 02:12]
"UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-05-28 13:42]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-06-03 15:02:57 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-03 12:43:06
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-03 12:44:33
C:\ComboFix-quarantined-files.txt ... 2007-06-03 12:44
C:\ComboFix2.txt ... 2007-06-01 18:19

--- E O F ---



HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 12:56:19 PM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\data\database\bin\mysqld-nt.exe
C:\WINDOWS\system32\pctspk.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnf.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\abc.bat

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Adobe Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1135922094\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnotes.com/download/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/...lscbase8300.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1135891594601
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1145571263129
O16 - DPF: {8A94C905-FF9D-43B6-8708-F0F22D22B1CB} (Wwlaunch Control) - http://www.worldwinner.com/games/shared/wwlaunch.cab
O16 - DPF: {94299420-321F-4FF9-A247-62A23EBB640B} (WordMojo Control) - http://www.worldwinner.com/games/v45/wordmojo/wordmojo.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A52FBD2B-7AB3-4F6B-90E3-91C772C5D00F} (WoF Control) - http://www.worldwinner.com/games/v46/wof/wof.cab
O16 - DPF: {A8683C98-5341-421B-B23C-8514C05354F1} (FujifilmUploader Class) - http://www.samsphotoclub.com/upload/FujifilmUploadClient.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius.com/download/software/...tiveXPlugin.cab
O16 - DPF: {AC2881FD-5760-46DB-83AE-20A5C6432A7E} (SwapIt Control) - http://www.worldwinner.com/games/v64/swapit/swapit.cab
O16 - DPF: {B06CE1BC-5D9D-4676-BD28-1752DBF394E0} (Hangman Control) - http://www.worldwinner.com/games/v40/hangman/hangman.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} - http://download.mcafee.com/molbin/shared/m...,26/mcgdmgr.cab
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://philau-reg:8080/registration/CAT/CNICAT.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://games.pogo.com/online2/pogo/zuma/popcaploader_v5.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Unknown owner - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe" -win32service (file missing)
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client Security Agent (BNPagent) - Bradford Networks - C:\Program Files\Bradford Networks\Client Security Agent\bnpagent.exe
O23 - Service: Bonjour Service - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)



Btw, the Windows Security Center keeps telling me it did not find antivirus software on my computer. However, I have AVG. I did have McAfee but I'm not sure what's wrong with it.
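
The two logs above can be triaged mechanically before reading them line by line. The following Python script is an added example for this page, not a tool from the thread or from either poster: it parses HijackThis "O" entries and ComboFix "Files Created" rows and flags the patterns a helper tends to look at first. The sample lines are a constructed subset copied from the logs above; the flagging rules (references to files that no longer exist, autorun entries without an absolute path, ActiveX controls fetched from a bare hostname, freshly created system32 binaries with eight-letter random-looking names) are heuristics assumed for the example, not verdicts, and every hit still needs a human decision.

```python
import re

# Constructed sample: a hand-picked subset of the HijackThis "O" entries and
# ComboFix "Files Created" rows posted above, kept in their original formats.
HJT_SAMPLE = r"""
O4 - HKLM\..\Run: [PCTVOICE] pctspk.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O16 - DPF: {C190FF32-96D0-445F-9F60-5CF288FD3D0F} (ActiveFormX Control) - http://philau-reg:8080/registration/CAT/CNICAT.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shock...ash/swflash.cab
O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
"""

COMBOFIX_SAMPLE = r"""
2007-06-01 17:33 2,580 --a------ C:\WINDOWS\system32\dxfokbcr.exe
2007-06-01 17:30 131,124 --a------ C:\WINDOWS\system32\hnpbmoop.dll
2007-05-29 22:14 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-06-02 15:07 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-29 22:11 <DIR> d-------- C:\WINDOWS\system32\T5QaSQ
"""

HJT_LINE = re.compile(r"^(O\d+) - (.*)$")
# An autorun command is anchored if it starts with a drive letter or an
# %ENVVAR% prefix (optionally quoted); anything else is located by PATH search.
ABS_PATH = re.compile(r'^"?(?:[A-Za-z]:\\|%[A-Za-z]+%\\)')
# Heuristic (an assumption made for this example): eight lowercase letters
# plus .exe/.dll matches the naming style of the two droppers in the log.
RANDOM_BIN = re.compile(r"^[a-z]{8}\.(?:exe|dll)$")
# ComboFix row: "YYYY-MM-DD HH:MM  <size or <DIR>>  <attrs>  <path>"
CF_ROW = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+)$")


def triage_hjt(text):
    """Return [(entry, reason), ...] for HijackThis lines worth a second look."""
    findings = []
    for raw in text.strip().splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        if "(file missing)" in body:
            findings.append((raw, "points at a file that no longer exists"))
        if kind == "O4":
            # Text after "[name] " is the command line that Windows will run.
            parts = body.split("] ", 1)
            if len(parts) == 2 and not ABS_PATH.match(parts[1]):
                findings.append((raw, "autorun command has no absolute path"))
        if kind == "O16":
            # The last " - " separated field is the download URL of the control.
            url = body.rsplit(" - ", 1)[-1]
            host = re.match(r"https?://([^/:]+)", url)
            if host and "." not in host.group(1):
                findings.append((raw, "ActiveX control comes from a bare hostname"))
    return findings


def triage_combofix(text, since="2007-05-29 00:00"):
    """Return [(path, reason), ...] for 'Files Created' rows created on or after
    `since` that are .exe/.dll files directly in system32 with a random-looking
    eight-letter name (the dropper heuristic defined above)."""
    findings = []
    for raw in text.strip().splitlines():
        m = CF_ROW.match(raw.strip())
        if not m:
            continue
        stamp, _size, _attrs, path = m.groups()
        parent, _, name = path.rpartition("\\")
        if (stamp >= since
                and parent.lower().endswith("\\system32")
                and RANDOM_BIN.match(name)):
            findings.append((path, "new system32 binary with an 8-letter random-looking name"))
    return findings


if __name__ == "__main__":
    for entry, reason in triage_hjt(HJT_SAMPLE):
        print(f"[HJT] {reason}: {entry}")
    for path, reason in triage_combofix(COMBOFIX_SAMPLE):
        print(f"[ComboFix] {reason}: {path}")
```

Run against the constructed sample, the script flags the PCTVOICE autorun (bare file name), the BitDefender and McAfee leftovers (file missing), the ActiveX control served from a bare hostname on port 8080, and the two eight-letter binaries in system32; it leaves sporder.dll, the AVG driver and the signed Flash control alone. The point of the exercise is narrowing a 300-line log to a handful of entries, not replacing the judgement of whoever reads them.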

#15 RichieUK
    Malware Assassin
  • Malware Response Team
  • 13,614 posts

Posted 03 June 2007 - 01:46 PM

Download Avenger from the link below:
http://swandog46.geekstogo.com/avenger.zip
Unzip/extract it to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens,copy and paste ALL the following bold blue text in the Quote box below:

Files to delete:
C:\WINDOWS\system32\dxfokbcr.exe
C:\WINDOWS\system32\hnpbmoop.dll

Folders to delete:
C:\Program Files\Ofb11
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T5QaSQ
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T3
C:\Temp\0b9

Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Post the Avenger output.txt, which you can find at C:\Avenger\.txt into your next reply.

Btw, the Windows Security Center keeps telling me it did not find antivirus software on my computer.
However, I have AVG.
I did have McAfee but I'm not sure what's wrong with it.

You have AVG Anti-Spyware installed, and that's not virus protection; it helps prevent spyware infections, which are two completely different things.
Download/install one of the following freeware antivirus options from the choices below.
Once installed update its definitions and then run a full system virus scan.

AVG7 Free Edition Antivirus:
http://free.grisoft.com/softw/70free/setup...ree_446a965.exe

Avast! 4 Home Edition:
http://files.avast.com/iavs4pro/setupeng.exe

Avira AntiVir Personal Edition Classic
http://www.free-av.com/

Post a new Hijackthis log into your next reply.
Let me know how your pc is running now.
