To reply on Icrontic, register now.

It only takes 30 seconds.

Have an account? Sign in for less ads.

Forgot?

To reopen your thread, send a Private Message (PM) to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own thread instead.

 
Reply to Discussion Options
dippydog
Icrontic Convert
dippydog
11 Posts
29 Jun 2009, 7:20pm

Having problem with spy.Ursnif.A inside termsrv.dll and Winlogon.exe

Hi.

I'm having the same problem a lot of other users seem to be having with the spy.ursnif.a virus on the winlogon.exe and termsrv.dll files, and hope you guys can help me get rid of it.

I have Eset Security Suite/NOD32, Malwarebytes, and Spybot all on my PC (Windows XP) and all can see the virus (ESET keeps popping up whenever I try to run anything) but none can fix it.

Any help would be greatly appreciated. Looks like I need to get ComboFix but I'll wait to hear from you.

Thanks in advance.

Here's the HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:33 PM, on 6/29/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\web\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\ESET\ESET Smart Security\ekrn.exe
E:\web\xampp\FileZillaFTP\FileZillaServer.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
f:\Malware\Malware\mbamservice.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\web\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\WINDOWS\system32\hphmon03.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
F:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\WDBtnMgr.exe
F:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
F:\Malware\Malware\mbamgui.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\WinZip9\WZQKPICK.EXE
C:\Program Files\Palm\HOTSYNC.EXE
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
F:\Program Files\MagicDisc\MagicDisc.exe
E:\web\xampp\apache\bin\apache.exe
C:\WINDOWS\system32\HPHipm09.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_12\bin\jucheck.exe
C:\Program Files\Internet Explorer\iexplore.exe
f:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\ERIC\Application Data\Mozilla\Profiles\default\jcva244g.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ERIC\Application Data\Mozilla\Profiles\default\jcva244g.slt\prefs.js)
O1 - Hosts file is located at: C:\WINDOWS\System32\drivers\etc\hosts
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [bgmwyc] c:\windows\system32\bgmwyc.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [CSV10P70] C:\Program Files\CSBB\CSv10P070.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [Cleanup] C:\DOCUME~1\Eric\LOCALS~1\Temp\20061223175025_mcappins.exe /v=3 /cleanup
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [NoteBurner] C:\Program Files\NoteBurner\VTBurnerGUI.exe /silence
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [egui] "F:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] f:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] f:\Malware\Malware\mbamgui.exe /starttray
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: WD Anywhere Backup Launcher.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: WD Anywhere Backup Launcher.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WD Anywhere Backup Launcher.lnk = ?
O4 - Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip9\WZQKPICK.EXE
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/game.../y/t21t0_x.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/game...s/y/dct2_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/game...s/y/ywt0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://remote.halw.com/vdesk/termin...ion=2004,6,3,1
O16 - DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA974} (3DVista Viewer Control) - http://www.3dvista.com/downloads/viewer3dv.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://vpn.halw.com/vdesk/terminal/...2008,0717,1611
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/p...im/install.cab
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn.halw.com/vdesk/terminal/...2008,0717,1602
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1166914758078
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://remote.halw.com/vdesk/termin...ion=5,2,3790,0
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://playgames.comcast.net/online2...esLauncher.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/i...ncherSetup.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://remote.halw.com/vdesk/terminal/urxshost.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshe...onGameHost.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn.halw.com/vdesk/terminal/...2008,0717,1606
O16 - DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} (URVNCX Class) - https://remote.halw.com/vdesk/termin...5400,0,50202,1
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - E:\web\xampp\apache\bin\apache.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - F:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - F:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - E:\web\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - f:\Malware\Malware\mbamservice.exe
O23 - Service: mysql (MySQL) - Unknown owner - E:\web\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NBService - Nero AG - E:\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
--
End of file - 17601 bytes
dippydog edited : 30 Jun 2009 at 4:44am . Reason: Adding Hijack Log
chiaz
Spyware Mod
chiaz
1,218 Posts
30 Jun 2009, 9:36am
Hello.

You're right, let's have you download ComboFix.exe. Please visit this webpage for downloading and instructions for running the tool:

Go here ======> A guide and tutorial on using ComboFix <====== Go here

Please ensure you read this guide carefully and install the Recovery Console first.This applies to XP Pro and XP Home users only.If you have SP3 installed you will need to use the download meant for SP2.

The Windows Recovery Console will allow you to boot up into a special recovery (repair) mode. This allows us to more easily help you should your computer have a problem after an attempted removal of malware. It is a simple procedure that will only take a few moments of your time.

Once installed, you should get a prompt that says:

The Recovery Console was successfully installed.

Please continue as follows:

(1) Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
(2) Click Yes to allow ComboFix to continue scanning for malware.

When the tool is finished, it will produce a report for you.


Please include the C:\ComboFix.txt as well as a new HijackThis log for further review, so that we may continue cleansing the system.


Caution: Never run and remove files with Combofix unless supervised by a qualified security analyst who is experienced in the use of Combofix. Misuse can cause serious computer problems.
dippydog
Icrontic Convert
dippydog
11 Posts
30 Jun 2009, 4:31pm
Here's the ComboFix log: (HijackThis follows combofix.)

One thing: When ComboFix was running and going through the Completed Stage_XX, the computer restarted. I wasn't really paying attention, so I don't know if it had gotten through all the stages or not - I just heard it restart. After it restarted, I logged in, and then ComboFix opened with the message about preparing the log file. ESET and Malwarebytes were re-enabled after the restart so I disabled them again while ComboFix was preparing the log file. ComboFix finished, and it looks like it fixed the winlogon.exe file. Does that take care of termsrv.dll too?

I guess the thing that concerns me is that the instructions don't say anything about the computer restarting.

Anyway, here are the logs.

ComboFix 09-06-29.04 - Eric 06/30/2009 7:01.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.993 [GMT -7:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Eric\Application Data\Google\T-Scan
c:\documents and settings\Eric\Application Data\Google\T-Scan\n.gif
c:\documents and settings\Eric\Application Data\Google\T-Scan\t.gif
c:\documents and settings\Eric\Application Data\Google\T-Scan\y.gif
c:\documents and settings\Eric\Local Settings\Temporary Internet Files\temp.cab
c:\windows\Readme.txt
c:\windows\system32\mlfcache.dat
c:\windows\system32\Plugins
c:\windows\system32\Plugins\NPLeechGet.dll
c:\windows\system32\TDSSbubx.dat
c:\windows\system32\TDSSierd.dat
c:\windows\system32\TDSSnrsr.dat
c:\windows\system32\TDSSosvd.dat
c:\windows\system32\TDSSrhym.dat
c:\windows\system32\TDSSvvbj.dat
Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe
.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-30 )))))))))))))))))))))))))))))))
.
2009-06-14 05:20 . 2009-06-14 05:20 -------- d-----w- c:\program files\iTunes
2009-06-14 05:20 . 2009-06-14 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 05:13 . 2009-06-05 18:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-14 05:09 . 2009-06-14 05:09 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 13:36 . 2009-06-10 13:36 -------- d-----w- c:\windows\SxsCaPendDel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 02:39 . 2005-03-29 04:29 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-18 08:00 . 2008-12-04 08:00 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 18:27 . 2008-11-29 21:59 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2008-11-29 21:59 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-05 18:42 . 2007-12-25 17:28 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 15:44 . 2005-03-28 03:19 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2005-03-28 03:19 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2005-03-28 03:05 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-23 05:30 . 2009-04-23 05:30 34062 ----a-w- c:\documents and settings\Eric\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-17 13:03 . 2008-02-04 03:48 3218 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-04-17 09:58 . 2005-03-28 04:19 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2005-03-28 03:19 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-08-09 16:42 . 2007-02-06 03:31 3198976 ----a-w- c:\program files\ViewSonicregistration.exe
2003-08-27 21:19 . 2004-05-26 03:21 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2008-12-20 05:22 . 2004-11-19 23:26 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 05:22 . 2004-11-19 23:25 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-07-16 12:41 . 2004-11-19 23:26 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2008-12-20 05:22 . 2004-11-19 23:25 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 05:22 . 2006-12-25 02:17 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 05:22 . 2006-12-25 02:17 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2002-08-29 19:00 . 2002-08-29 19:00 94784 --sh--w- c:\windows\twain.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-10 28672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-23 196608]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-10 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2001-08-23 311296]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"egui"="f:\program files\ESET\ESET Smart Security\egui.exe" [2008-08-18 1447168]
"PWRISOVM.EXE"="f:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Malwarebytes' Anti-Malware"="f:\malware\Malware\mbamgui.exe" [2009-06-17 414992]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2008-12-02 364544]
c:\documents and settings\Eric\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-9-25 299008]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-8 98304]
WD Anywhere Backup Launcher.lnk - c:\documents and settings\Eric\Application Data\Microsoft\Installer\{B9A81070-616D-4E93-BE02-CEE651343204}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe [2008-12-2 17542]
MagicDisc.lnk - f:\program files\MagicDisc\MagicDisc.exe [2008-12-11 575488]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Dataviz Messenger.lnk - c:\windows\DvzCommon\DvzMsgr.exe [2003-7-1 24576]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-10-2 57344]
Monitor Apache Servers.lnk - c:\program files\Apache Group\Apache2\bin\ApacheMonitor.exe [2006-7-27 41042]
WinZip Quick Pick.lnk - c:\program files\WinZip9\WZQKPICK.EXE [2006-10-10 118784]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\M:\0autocheck autochk *
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"e:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"f:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/27/2004 4:18 PM 97920]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [3/9/2008 6:29 PM 8576]
R2 afpa;afpa;c:\windows\system32\drivers\afpa.sys [5/10/2003 12:12 AM 106224]
R2 ekrn;Eset Service;f:\program files\ESET\ESET Smart Security\ekrn.exe [8/18/2008 1:25 PM 468224]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 MBAMService;MBAMService;f:\malware\Malware\mbamservice.exe [11/29/2008 2:59 PM 195856]
R3 Dot4Usb HPH09ot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [8/23/2001 3:24 AM 18864]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/29/2008 2:59 PM 19096]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [11/3/2003 6:43 PM 28304]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\System32\drivers\ASUSHWIO.sys --> c:\windows\System32\drivers\ASUSHWIO.sys [?]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [8/23/2004 8:26 PM 10768]
S3 SBRE;SBRE;\??\c:\windows\system32\drivers\SBREdrv.sys --> c:\windows\system32\drivers\SBREdrv.sys [?]
.
Contents of the 'Scheduled Tasks' folder
2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
2009-06-26 c:\windows\Tasks\Malwarebytes' Scheduled Update for Eric.job
- f:\malware\Malware\mbam.exe [2008-11-29 18:27]
2009-06-26 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Eric.job
- f:\malware\Malware\mbam.exe [2008-11-29 18:27]
2009-06-30 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 05:18]
.
- - - - ORPHANS REMOVED - - - -
HKLM-Run-bgmwyc - c:\windows\system32\bgmwyc.exe
HKLM-Run-CSV10P70 - c:\program files\CSBB\CSv10P070.exe
HKLM-Run-NoteBurner - c:\program files\NoteBurner\VTBurnerGUI.exe
HKLM-Run-NWEReboot - (no file)
Notify-WgaLogon - (no file)

.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?sourceid=navclient&ie=UTF-8&hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA974} - hxxp://www.3dvista.com/downloads/viewer3dv.cab
DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - hxxp://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - hxxps://remote.halw.com/vdesk/terminal/urvncx.cab#version=5400,0,50202,1
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\xyeup4yl.Default User\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\xyeup4yl.Default User\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-30 07:08
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="e:\web\xampp\mysql\bin\mysqld-nt --defaults-file=e:\web\xampp\mysql\bin\my.cnf mysql"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1224)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(3524)
c:\progra~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
c:\windows\System32\shdoclc.dll
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
e:\web\xampp\apache\bin\apache.exe
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
e:\web\xampp\FileZillaFTP\FileZillaServer.exe
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
e:\web\xampp\mysql\bin\mysqld-nt.exe
e:\web\xampp\apache\bin\apache.exe
c:\program files\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
c:\program files\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATE~1.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\WD\WD Anywhere Backup\MemeoBackup.exe
c:\program files\Java\jre1.5.0_12\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-06-30 7:13 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-30 14:13
Pre-Run: 2,086,240,256 bytes free
Post-Run: 3,033,432,064 bytes free
WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /fastdetect /NoExecute=OptIn
240 --- E O F --- 2009-06-10 10:08


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:28:39 AM, on 6/30/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
E:\web\xampp\apache\bin\apache.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
F:\Program Files\ESET\ESET Smart Security\ekrn.exe
E:\web\xampp\FileZillaFTP\FileZillaServer.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
f:\Malware\Malware\mbamservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
E:\web\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
E:\web\xampp\apache\bin\apache.exe
C:\Program Files\ASUS\Probe\AsusProb.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\WINDOWS\SM1BG.EXE
C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe
C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe
E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\PROGRA~1\HEWLET~1\PHOTOS~1\HPSHAR~1\hpgs2wnf.exe
F:\Program Files\ESET\ESET Smart Security\egui.exe
C:\WINDOWS\system32\WDBtnMgr.exe
F:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\iTunes\iTunesHelper.exe
F:\Malware\Malware\mbamgui.exe
C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\DvzCommon\DvzMsgr.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\WinZip9\WZQKPICK.EXE
C:\Program Files\Palm\HOTSYNC.EXE
F:\Program Files\MagicDisc\MagicDisc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WD\WD Anywhere Backup\MemeoBackup.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Java\jre1.5.0_12\bin\jucheck.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\defrag.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\Office10\OUTLOOK.EXE
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
F:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;*.local
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.google.com/"); (C:\Documents and Settings\ERIC\Application Data\Mozilla\Profiles\default\jcva244g.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src"); (C:\Documents and Settings\ERIC\Application Data\Mozilla\Profiles\default\jcva244g.slt\prefs.js)
O2 - BHO: SnagIt Toolbar Loader - {00C6482D-C502-44C8-8409-FCE54AD9C208} - C:\Program Files\TechSmith\SnagIt 9\SnagItBHO.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.1.1309.3572\swg.dll
O2 - BHO: Google Dictionary Compression sdch - {C84D72FE-E17D-4195-BB24-76C02E2E7C4E} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 9\SnagItIEAddin.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Google Toolbar - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar.dll
O4 - HKLM\..\Run: [ASUS Probe] C:\Program Files\ASUS\Probe\AsusProb.exe
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [SM1BG] C:\WINDOWS\SM1BG.EXE
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [CXMon] "C:\Program Files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_12\bin\jusched.exe"
O4 - HKLM\..\Run: [HPHmon03] C:\WINDOWS\system32\hphmon03.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [CanonMyPrinter] C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "E:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [egui] "F:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [WD Button Manager] WDBtnMgr.exe
O4 - HKLM\..\Run: [PWRISOVM.EXE] f:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware] f:\Malware\Malware\mbamgui.exe /starttray
O4 - HKLM\..\Run: [CreateCD50] C:\PROGRA~1\COMMON~1\ADAPTE~1\CreateCD\CREATE~1.EXE -r
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - S-1-5-18 Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'SYSTEM')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: WD Anywhere Backup Launcher.lnk = ? (User 'SYSTEM')
O4 - S-1-5-18 Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE (User 'Default user')
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User 'Default user')
O4 - .DEFAULT Startup: WD Anywhere Backup Launcher.lnk = ? (User 'Default user')
O4 - .DEFAULT Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe (User 'Default user')
O4 - Startup: HotSync Manager.lnk = C:\Program Files\Palm\HOTSYNC.EXE
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: WD Anywhere Backup Launcher.lnk = ?
O4 - Startup: MagicDisc.lnk = F:\Program Files\MagicDisc\MagicDisc.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Dataviz Messenger.lnk = C:\WINDOWS\DvzCommon\DvzMsgr.exe
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip9\WZQKPICK.EXE
O8 - Extra context menu item: Append to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_12\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/game.../y/t21t0_x.cab
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/game...s/y/dct2_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://yog55.games.scd.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/game...s/y/potc_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: Yahoo! Towers 2.0 - http://download.games.yahoo.com/game...s/y/ywt0_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://www.comcastsupport.com/sdccom...ad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2BCDB465-81F9-41CB-832C-8037A4064446} (F5 Networks VPN Manager) - https://remote.halw.com/vdesk/termin...ion=2004,6,3,1
O16 - DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA974} (3DVista Viewer Control) - http://www.3dvista.com/downloads/viewer3dv.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/...eInstaller.exe
O16 - DPF: {45B69029-F3AB-4204-92DE-D5140C3E8E74} (F5 Networks Auto Update) - https://vpn.halw.com/vdesk/terminal/...2008,0717,1611
O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} (InstallShield Setup Player 2K2) - http://www.napster.com/client/setup.exe
O16 - DPF: {6A060448-60F9-11D5-A6CD-0002B31F7455} (ExentInf Class) - http://us.games2.yimg.com/download.g...tl_0_0_0_1.ocx
O16 - DPF: {6C275925-A1ED-4DD2-9CEE-9823F5FDAA10} (F5 Networks SSLTunnel) - https://vpn.halw.com/vdesk/terminal/...2008,0717,1602
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1166914758078
O16 - DPF: {7584c670-2274-4efb-b00b-d6aaba6d3850} (Microsoft RDP Client Control (redist)) - https://remote.halw.com/vdesk/termin...ion=5,2,3790,0
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {7CCAD6DD-DD0B-440B-91FF-7670F5AADC21} (SpinTop Games Launcher) - http://playgames.comcast.net/online2...esLauncher.cab
O16 - DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} (WildTangent Active Launcher) - http://install.wildtangent.com/cda/i...ncherSetup.cab
O16 - DPF: {CC85ACDF-B277-486F-8C70-2C9B2ED2A4E7} (F5 Networks SuperHost Class) - https://remote.halw.com/vdesk/terminal/urxshost.cab
O16 - DPF: {CE74A05D-ED12-473A-97F8-85FB0E2F479F} (dlControl.UserControl1) - http://www.livemetallica.com/nugster/dlControl.CAB
O16 - DPF: {D0C0F75C-683A-4390-A791-1ACFD5599AB8} (Oberon Flash Game Host) - http://playgames.comcast.net/Gameshe...onGameHost.cab
O16 - DPF: {E0FF21FA-B857-45C5-8621-F120A0C17FF2} (F5 Networks Host Control) - https://vpn.halw.com/vdesk/terminal/...2008,0717,1606
O16 - DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} (URVNCX Class) - https://remote.halw.com/vdesk/termin...5400,0,50202,1
O18 - Filter: x-sdch - {B1759355-3EEC-4C1E-B0F1-B719FE26E377} - C:\Program Files\Google\Google Toolbar\Component\fastsearch_A8904FB862BD9564.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Apache Software Foundation - E:\web\xampp\apache\bin\apache.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - F:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - F:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - FileZilla Project - E:\web\xampp\FileZillaFTP\FileZillaServer.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Intuit Update Service (IntuitUpdateService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MBAMService - Malwarebytes Corporation - f:\Malware\Malware\mbamservice.exe
O23 - Service: mysql (MySQL) - Unknown owner - E:\web\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NBService - Nero AG - E:\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Pml Driver - HP - C:\WINDOWS\system32\HPHipm09.exe
--
End of file - 17552 bytes
chiaz
Spyware Mod
chiaz
1,218 Posts
1 Jul 2009, 1:57am
Hello,

Have you installed CounterSpy on this PC before?

Are you still receiving any warnings from your security programs about the ursnif.a infection?
dippydog
Icrontic Convert
dippydog
11 Posts
1 Jul 2009, 5:40am
CounterSpy doesn't sound familiar, but I've had the PC for almost 5 years. I guess it's possible, but I don't think I installed it.

ESET doesn't give the popup about winlogon.exe everytime I open a new app anymore, but I did a scan with ESET on the c:\windows\system32 directory, and it says termsrv.dll is still infected.

Any way to fix that and any reg keys that might be messed up?
chiaz
Spyware Mod
chiaz
1,218 Posts
1 Jul 2009, 10:26am
Please copy this page to *Notepad* and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It's IMPORTANT to carry out the instructions in the sequence listed below.
1. Close any open browsers.
2. Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Code:
Driver::
SBRE
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished, it shall produce a log for you at C:\ComboFix.txt

Please copy and paste the ComboFix.txt in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer*
dippydog
Icrontic Convert
dippydog
11 Posts
1 Jul 2009, 4:05pm
Log file is below.

After I drug the CFScript.txt file onto ComboFix.exe and it started doing it's thing, I got a message saying there's a newer version and asking if I want to upgrade. I let it upgrade. Hope that's OK.

Also, this time I watched the entire "completing_stageXX" and it got through stage 50, then said it was going to reboot the machine, which it did, so I assume that's normal.

After the machine reboot and ComboFix was preparing the log file, ESET (which became enabled after the machine reboot) popped up with the message about termsrv.dll being infected. I guess ComboFix was trying to use that library?

Anyway, here's the log:

ComboFix 09-06-30.03 - Eric 07/01/2009 7:43.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.983 [GMT -7:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_SBRE
-------\Service_SBRE

((((((((((((((((((((((((( Files Created from 2009-06-01 to 2009-07-01 )))))))))))))))))))))))))))))))
.
2009-06-14 05:20 . 2009-06-14 05:20 -------- d-----w- c:\program files\iTunes
2009-06-14 05:20 . 2009-06-14 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 05:13 . 2009-06-05 18:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-14 05:09 . 2009-06-14 05:09 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 13:36 . 2009-06-10 13:36 -------- d-----w- c:\windows\SxsCaPendDel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 02:39 . 2005-03-29 04:29 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-18 08:00 . 2008-12-04 08:00 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 18:27 . 2008-11-29 21:59 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2008-11-29 21:59 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-05 18:42 . 2007-12-25 17:28 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 15:44 . 2005-03-28 03:19 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2005-03-28 03:19 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2005-03-28 03:05 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-23 05:30 . 2009-04-23 05:30 34062 ----a-w- c:\documents and settings\Eric\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-17 13:03 . 2008-02-04 03:48 3218 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-04-17 09:58 . 2005-03-28 04:19 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2005-03-28 03:19 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-08-09 16:42 . 2007-02-06 03:31 3198976 ----a-w- c:\program files\ViewSonicregistration.exe
2003-08-27 21:19 . 2004-05-26 03:21 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2008-12-20 05:22 . 2004-11-19 23:26 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 05:22 . 2004-11-19 23:25 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-07-16 12:41 . 2004-11-19 23:26 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2008-12-20 05:22 . 2004-11-19 23:25 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 05:22 . 2006-12-25 02:17 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 05:22 . 2006-12-25 02:17 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2002-08-29 19:00 . 2002-08-29 19:00 94784 --sh--w- c:\windows\twain.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-10 28672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-23 196608]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-10 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2001-08-23 311296]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"egui"="f:\program files\ESET\ESET Smart Security\egui.exe" [2008-08-18 1447168]
"PWRISOVM.EXE"="f:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Malwarebytes' Anti-Malware"="f:\malware\Malware\mbamgui.exe" [2009-06-17 414992]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2008-12-02 364544]
c:\documents and settings\Eric\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-9-25 299008]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-8 98304]
WD Anywhere Backup Launcher.lnk - c:\documents and settings\Eric\Application Data\Microsoft\Installer\{B9A81070-616D-4E93-BE02-CEE651343204}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe [2008-12-2 17542]
MagicDisc.lnk - f:\program files\MagicDisc\MagicDisc.exe [2008-12-11 575488]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Dataviz Messenger.lnk - c:\windows\DvzCommon\DvzMsgr.exe [2003-7-1 24576]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-10-2 57344]
Monitor Apache Servers.lnk - c:\program files\Apache Group\Apache2\bin\ApacheMonitor.exe [2006-7-27 41042]
WinZip Quick Pick.lnk - c:\program files\WinZip9\WZQKPICK.EXE [2006-10-10 118784]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\M:\0autocheck autochk *
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"e:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"f:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/27/2004 4:18 PM 97920]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [3/9/2008 6:29 PM 8576]
R2 afpa;afpa;c:\windows\system32\drivers\afpa.sys [5/10/2003 12:12 AM 106224]
R2 ekrn;Eset Service;f:\program files\ESET\ESET Smart Security\ekrn.exe [8/18/2008 1:25 PM 468224]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 MBAMService;MBAMService;f:\malware\Malware\mbamservice.exe [11/29/2008 2:59 PM 195856]
R3 Dot4Usb HPH09ot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [8/23/2001 3:24 AM 18864]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/29/2008 2:59 PM 19096]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [11/3/2003 6:43 PM 28304]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\System32\drivers\ASUSHWIO.sys --> c:\windows\System32\drivers\ASUSHWIO.sys [?]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [8/23/2004 8:26 PM 10768]
.
Contents of the 'Scheduled Tasks' folder
2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
2009-07-01 c:\windows\Tasks\Malwarebytes' Scheduled Update for Eric.job
- f:\malware\Malware\mbam.exe [2008-11-29 18:27]
2009-07-01 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Eric.job
- f:\malware\Malware\mbam.exe [2008-11-29 18:27]
2009-07-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?sourceid=navclient&ie=UTF-8&hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA974} - hxxp://www.3dvista.com/downloads/viewer3dv.cab
DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - hxxp://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - hxxps://remote.halw.com/vdesk/terminal/urvncx.cab#version=5400,0,50202,1
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\xyeup4yl.Default User\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\xyeup4yl.Default User\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-01 07:53
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="e:\web\xampp\mysql\bin\mysqld-nt --defaults-file=e:\web\xampp\mysql\bin\my.cnf mysql"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1224)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(5336)
c:\windows\System32\shdoclc.dll
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
e:\web\xampp\apache\bin\apache.exe
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
c:\windows\SYSTEM32\ATI2EVXX.EXE
e:\web\xampp\FileZillaFTP\FileZillaServer.exe
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
e:\web\xampp\mysql\bin\mysqld-nt.exe
e:\web\xampp\apache\bin\apache.exe
c:\program files\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATE~1.EXE
c:\program files\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\WD\WD Anywhere Backup\MemeoBackup.exe
c:\program files\Java\jre1.5.0_12\bin\jucheck.exe
.
**************************************************************************
.
Completion time: 2009-07-01 7:58 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-01 14:58
ComboFix2.txt 2009-06-30 14:14
Pre-Run: 2,967,224,320 bytes free
Post-Run: 3,002,761,216 bytes free
214 --- E O F --- 2009-06-10 10:08
chiaz
Spyware Mod
chiaz
1,218 Posts
2 Jul 2009, 1:33am
OK now I'm going to look for available backup files in your system for termsrv.dll...


Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:

    Code:
    :filefind
termsrv.dll
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.

Note: The log can also be found on your Desktop entitled SystemLook.txt
dippydog
Icrontic Convert
dippydog
11 Posts
2 Jul 2009, 6:36am
Here you go:

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 22:35 on 01/07/2009 by Eric (Administrator - Elevation successful)
========== filefind ==========
Searching for "termsrv.dll"
C:\WINDOWS\$NtServicePackUninstall$\termsrv.dll ------ 200192 bytes [04:19 29/03/2005] [11:00 29/08/2002] FE84E045A09A4ABC4DEEF7270448B64E
C:\WINDOWS\ServicePackFiles\i386\termsrv.dll ------ 295424 bytes [03:05 28/03/2005] [06:56 04/08/2004] B60C877D16D9C880B952FDA04ADF16E6
C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\termsrv.dll --a--- 295424 bytes [03:43 20/08/2008] [00:12 14/04/2008] FF3477C03BE7201C294C35F684B3479F
C:\WINDOWS\system32\termsrv.dll --a--- 295424 bytes [03:19 28/03/2005] [02:49 29/11/2008] (Unable to calculate MD5)
-=End Of File=-
chiaz
Spyware Mod
chiaz
1,218 Posts
2 Jul 2009, 9:00am
OK first delete the CFScript file on your computer if you haven't already done so.


Next, please open Notepad
Click Start, then Run
Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Code:
http://icrontic.com/forum/showthread.php?p=694994

Suspect::
c:\windows\system32\termsrv.dll

FCopy::
C:\WINDOWS\ServicePackFiles\i386\termsrv.dll|c:\windows\system32\termsrv.dll
Save the above as CFScript.txt.

4. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.



Post the fresh log in your reply.


**Note**

When ComboFix finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
Ensure you are connected to the internet and click OK on the message box.
A browser will open. DO NOT close that browser.
Simply follow the instructions to copy/paste/send the requested file.
dippydog
Icrontic Convert
dippydog
11 Posts
2 Jul 2009, 4:13pm
Here you go:

FYI, I scanned the windows/system32 directory with ESET after ComboFix was done and it came up clean.

But I'll wait to hear from you before I do anything else.

Thanks.

ComboFix 09-07-01.04 - Eric 07/02/2009 7:58.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.984 [GMT -7:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
file zipped: c:\windows\system32\Suspect_termsrv.dll.vir
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\windows\Installer\182d0.msi
c:\windows\Installer\1c8ff3.msp
c:\windows\Installer\2afae.msp
c:\windows\Installer\546a46bf.msi
c:\windows\Installer\5a7d0.msp
c:\windows\Installer\d321f.msi
c:\windows\Installer\dca74.msi
.
--------------- FCopy ---------------
c:\windows\ServicePackFiles\i386\termsrv.dll --> c:\windows\system32\termsrv.dll
.
((((((((((((((((((((((((( Files Created from 2009-06-02 to 2009-07-02 )))))))))))))))))))))))))))))))
.
2009-06-14 05:20 . 2009-06-14 05:20 -------- d-----w- c:\program files\iTunes
2009-06-14 05:20 . 2009-06-14 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 05:13 . 2009-06-05 18:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-14 05:09 . 2009-06-14 05:09 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 13:36 . 2009-06-10 13:36 -------- d-----w- c:\windows\SxsCaPendDel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 02:39 . 2005-03-29 04:29 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-18 08:00 . 2008-12-04 08:00 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 18:27 . 2008-11-29 21:59 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2008-11-29 21:59 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-05 18:42 . 2007-12-25 17:28 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 15:44 . 2005-03-28 03:19 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2005-03-28 03:19 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2005-03-28 03:05 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-23 05:30 . 2009-04-23 05:30 34062 ----a-w- c:\documents and settings\Eric\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-17 13:03 . 2008-02-04 03:48 3218 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-04-17 09:58 . 2005-03-28 04:19 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2005-03-28 03:19 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-08-09 16:42 . 2007-02-06 03:31 3198976 ----a-w- c:\program files\ViewSonicregistration.exe
2003-08-27 21:19 . 2004-05-26 03:21 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2008-12-20 05:22 . 2004-11-19 23:26 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 05:22 . 2004-11-19 23:25 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-07-16 12:41 . 2004-11-19 23:26 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2008-12-20 05:22 . 2004-11-19 23:25 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 05:22 . 2006-12-25 02:17 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 05:22 . 2006-12-25 02:17 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2002-08-29 19:00 . 2002-08-29 19:00 94784 --sh--w- c:\windows\twain.dll
.
((((((((((((((((((((((((((((( SnapShot@2009-06-30_14.10.47 )))))))))))))))))))))))))))))))))))))))))
.
+ 2005-11-14 23:38 . 2005-11-14 23:38 72192 c:\windows\Installer\faa10.msp
+ 2008-04-12 10:03 . 2008-04-12 10:03 86528 c:\windows\Installer\f6b36e5.msi
+ 2009-05-16 14:43 . 2009-05-16 14:43 24064 c:\windows\Installer\964907a9.msi
+ 2009-03-24 22:22 . 2009-03-24 22:22 78848 c:\windows\Installer\4f74b89a.msp
+ 2009-03-20 02:35 . 2009-03-20 02:35 18944 c:\windows\Installer\4f74b88d.msp
+ 2009-03-20 02:35 . 2009-03-20 02:35 18944 c:\windows\Installer\4f74b885.msp
+ 2009-02-27 04:08 . 2009-02-27 04:08 19456 c:\windows\Installer\2cd21f14.msp
+ 2009-03-06 03:06 . 2009-03-06 03:06 20992 c:\windows\Installer\2cd21efa.msi
+ 2009-03-06 03:06 . 2009-03-06 03:06 52736 c:\windows\Installer\2cd21ef6.msi
+ 2009-03-06 03:05 . 2009-03-06 03:05 60928 c:\windows\Installer\2cd21ef2.msi
+ 2009-03-06 03:05 . 2009-03-06 03:05 32256 c:\windows\Installer\2cd21eee.msi
+ 2009-03-06 03:02 . 2009-03-06 03:02 22528 c:\windows\Installer\2cd21ee3.msi
+ 2003-01-19 03:54 . 2003-01-19 03:54 89600 c:\windows\Installer\15cee8.msi
+ 2005-03-28 03:19 . 2004-08-04 06:56 295424 c:\windows\system32\dllcache\termsrv.dll
+ 2006-06-12 22:15 . 2006-06-12 22:15 323584 c:\windows\Installer\faa26.msp
+ 2004-08-25 15:47 . 2004-08-25 15:47 134656 c:\windows\Installer\fa9fb.msp
+ 2004-03-10 16:01 . 2004-03-10 16:01 812544 c:\windows\Installer\fa961.msp
+ 2007-11-07 22:07 . 2007-11-07 22:07 999936 c:\windows\Installer\f6b36ee.msp
+ 2007-11-07 21:56 . 2007-11-07 21:56 553472 c:\windows\Installer\f6b36eb.msp
+ 2007-11-07 21:58 . 2007-11-07 21:58 908800 c:\windows\Installer\f6b36e7.msp
+ 2007-11-07 21:54 . 2007-11-07 21:54 507392 c:\windows\Installer\f6b36e6.msp
+ 2006-02-04 05:19 . 2006-02-04 05:19 625664 c:\windows\Installer\d782fac.msi
+ 2006-10-01 16:46 . 2006-10-01 16:46 213504 c:\windows\Installer\ae861.msi
+ 2006-03-04 23:31 . 2006-03-04 23:31 192000 c:\windows\Installer\9dbaec1.msi
+ 2003-05-11 04:24 . 2003-05-11 04:24 306176 c:\windows\Installer\9a6c643f.msi
+ 2009-02-10 15:50 . 2009-02-10 15:50 536576 c:\windows\Installer\654892c9.msp
+ 2008-11-12 10:00 . 2008-11-12 10:00 432640 c:\windows\Installer\5ce27907.msi
+ 2007-08-18 13:45 . 2007-08-18 13:45 431104 c:\windows\Installer\4ff50bb.msi
+ 2006-11-05 00:11 . 2006-11-05 00:11 531456 c:\windows\Installer\42f84fbc.msi
+ 2008-07-23 06:20 . 2008-07-23 06:20 110592 c:\windows\Installer\3f269b4.msp
+ 2008-01-24 17:04 . 2008-01-24 17:04 678400 c:\windows\Installer\3f26960.msp
+ 2008-11-24 03:29 . 2008-11-24 03:29 355328 c:\windows\Installer\3c615f3e.msi
+ 2005-11-18 02:48 . 2005-11-18 02:48 434688 c:\windows\Installer\39ac19b1.msi
+ 2005-11-20 06:39 . 2005-11-20 06:40 537600 c:\windows\Installer\3693c03.msi
+ 2009-02-27 04:08 . 2009-02-27 04:08 316928 c:\windows\Installer\2cd21f27.msp
+ 2009-02-13 02:09 . 2009-02-13 02:09 141312 c:\windows\Installer\2cd21f0a.msp
+ 2009-03-06 03:06 . 2009-03-06 03:06 201728 c:\windows\Installer\2cd21efe.msi
+ 2007-07-12 04:29 . 2007-07-12 04:29 190464 c:\windows\Installer\27f1db9.msi
+ 2008-01-13 15:41 . 2008-01-13 15:41 691200 c:\windows\Installer\25c7fea.msi
+ 2007-05-02 14:50 . 2007-05-02 14:50 101376 c:\windows\Installer\242fb152.msi
+ 2008-11-29 23:39 . 2008-11-29 23:39 853504 c:\windows\Installer\2373c1.msi
+ 2006-11-19 14:00 . 2006-11-19 14:00 428544 c:\windows\Installer\203dc55.msi
+ 2006-11-25 02:59 . 2006-11-25 02:59 294912 c:\windows\Installer\1954613b.msi
+ 2006-10-01 23:29 . 2006-10-01 23:29 729600 c:\windows\Installer\17c4a32.msi
+ 2009-04-20 21:59 . 2009-04-20 21:59 219648 c:\windows\Installer\16a34173.msp
+ 2003-01-19 01:54 . 2003-01-19 01:54 264704 c:\windows\Installer\13046.msi
+ 2005-09-20 16:47 . 2005-04-04 09:07 982016 c:\windows\Downloaded Installations\{EA7763E4-20ED-43E2-AEFB-D81D1FC2ED59}\ISScript11.Msi
+ 2005-12-25 18:33 . 2005-04-04 09:07 982016 c:\windows\Downloaded Installations\{872653C6-5DDC-488B-B7C2-CF9E4D9335E5}\ISScript11.Msi
+ 2004-03-07 15:01 . 2004-03-07 15:01 633856 c:\windows\Downloaded Installations\{86EDCFC4-DC59-43FC-BE0A-30A14FC371AA}\isscript.msi
+ 2006-03-25 20:10 . 2005-04-04 08:07 982016 c:\windows\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\ISScript11.Msi
+ 2006-02-01 15:10 . 2005-04-04 08:07 982016 c:\windows\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\ISScript11.Msi
+ 2005-12-25 18:10 . 2005-04-04 09:07 982016 c:\windows\Downloaded Installations\{13616DE2-9795-4910-8C93-80D45AF09658}\ISScript11.Msi
+ 2005-03-28 03:19 . 2004-07-17 17:35 1326080 c:\windows\system32\webfldrs.msi
+ 2005-03-28 03:05 . 2004-07-17 17:35 1326080 c:\windows\ServicePackFiles\i386\webfldrs.msi
+ 2007-01-19 01:14 . 2007-01-19 01:14 3463680 c:\windows\Microsoft.NET\Framework\v1.0.3705\Updates\M928367\M928367Uninstall.msp
+ 2006-08-14 23:54 . 2006-08-14 23:54 7709184 c:\windows\Installer\fa9e3.msp
+ 2006-09-12 21:51 . 2006-09-12 21:51 7611392 c:\windows\Installer\fa9cd.msp
+ 2006-09-28 18:08 . 2006-09-28 18:08 9573888 c:\windows\Installer\fa9b7.msp
+ 2006-02-27 23:31 . 2006-02-27 23:31 1269248 c:\windows\Installer\fa9a2.msp
+ 2006-03-28 22:37 . 2006-03-28 22:37 6956032 c:\windows\Installer\fa98d.msp
+ 2004-09-13 07:35 . 2004-09-13 07:35 1452544 c:\windows\Installer\fa93b.msp
+ 2006-02-22 16:41 . 2006-02-22 16:41 2815488 c:\windows\Installer\fa8e7.msp
+ 2006-07-10 18:21 . 2006-07-10 18:21 4104192 c:\windows\Installer\fa8ca.msp
+ 2006-09-18 23:51 . 2006-09-18 23:51 8415744 c:\windows\Installer\fa8b5.msp
+ 2006-01-28 04:44 . 2006-01-28 04:44 9495552 c:\windows\Installer\fa156db.msi
+ 2007-11-07 21:50 . 2007-11-07 21:50 6055936 c:\windows\Installer\f6b36ed.msp
+ 2007-11-07 22:00 . 2007-11-07 22:00 3407360 c:\windows\Installer\f6b36ec.msp
+ 2007-11-07 21:46 . 2007-11-07 21:46 3010560 c:\windows\Installer\f6b36ea.msp
+ 2007-11-07 22:02 . 2007-11-07 22:02 6473216 c:\windows\Installer\f6b36e9.msp
+ 2007-11-07 22:12 . 2007-11-07 22:12 2533376 c:\windows\Installer\f6b36e8.msp
+ 2007-01-31 02:19 . 2007-01-31 02:19 9472512 c:\windows\Installer\f2397f0.msi
+ 2009-02-22 21:13 . 2009-02-22 21:13 1659392 c:\windows\Installer\e6f7115.msi
+ 2008-09-04 22:52 . 2008-09-04 22:52 4337664 c:\windows\Installer\ddcf97c.msp
+ 2007-01-19 18:01 . 2007-01-19 18:01 8410624 c:\windows\Installer\dc20b5d.msp
+ 2007-01-08 20:31 . 2007-01-08 20:31 7611392 c:\windows\Installer\dc20b48.msp
+ 2006-08-30 00:50 . 2006-08-30 00:50 3210240 c:\windows\Installer\dc20b33.msp
+ 2004-03-07 14:56 . 2004-03-07 14:56 3868160 c:\windows\Installer\d856807.msi
+ 2008-12-02 14:08 . 2008-12-02 14:08 6267392 c:\windows\Installer\d006a0d.msi
+ 2008-12-02 04:03 . 2008-12-02 04:03 1430016 c:\windows\Installer\ad6a01a.msi
+ 2008-04-07 22:32 . 2008-04-07 22:32 8415232 c:\windows\Installer\9dd7f2e8.msp
+ 2008-03-31 23:35 . 2008-03-31 23:35 8309760 c:\windows\Installer\9dd7f2d3.msp
+ 2008-01-11 21:13 . 2008-01-11 21:13 5862912 c:\windows\Installer\989a6fc.msp
+ 2008-01-29 19:00 . 2008-01-29 19:00 7983104 c:\windows\Installer\989a6e6.msp
+ 2004-05-26 03:20 . 2004-05-26 03:20 1014272 c:\windows\Installer\9163a8d5.msi
+ 2009-05-01 06:02 . 2009-05-01 06:02 9628672 c:\windows\Installer\8af59dd4.msp
+ 2009-04-24 19:31 . 2009-04-24 19:31 1425920 c:\windows\Installer\8af59dbe.msp
+ 2007-06-10 03:26 . 2007-06-10 03:26 3226112 c:\windows\Installer\80e84.msi
+ 2003-01-19 03:13 . 2003-01-19 03:13 2652672 c:\windows\Installer\7e69b.msi
+ 2008-10-28 22:59 . 2008-10-28 22:59 8413184 c:\windows\Installer\6b7506b.msp
+ 2008-10-20 17:18 . 2008-10-20 17:18 6474240 c:\windows\Installer\6b75041.msp
+ 2008-01-14 22:08 . 2008-01-14 22:08 8411136 c:\windows\Installer\6b5c91fb.msp
+ 2008-01-14 21:26 . 2008-01-14 21:26 4478464 c:\windows\Installer\6b5c91e6.msp
+ 2008-01-14 21:26 . 2008-01-14 21:26 8362496 c:\windows\Installer\6b5c91d1.msp
+ 2006-01-25 04:05 . 2006-01-25 04:05 8979968 c:\windows\Installer\617a0e0.msi
+ 2006-03-04 05:38 . 2006-03-04 05:38 4337664 c:\windows\Installer\6020b0c.msi
+ 2005-03-29 03:54 . 2005-03-29 03:54 1422848 c:\windows\Installer\5a7d8.msp
+ 2004-12-16 04:26 . 2004-12-16 04:26 5288448 c:\windows\Installer\5820eb1a.msi
+ 2006-04-19 02:59 . 2006-04-19 02:59 2331136 c:\windows\Installer\56faa9f7.msi
+ 2007-09-17 20:33 . 2007-09-17 20:33 8415232 c:\windows\Installer\5222f2a.msp
+ 2009-03-24 22:20 . 2009-03-24 22:20 3276800 c:\windows\Installer\4f74bae8.msp
+ 2009-03-20 02:32 . 2009-03-20 02:32 1007104 c:\windows\Installer\4f74ba37.msp
+ 2009-03-20 02:34 . 2009-03-20 02:34 1867264 c:\windows\Installer\4f74b908.msp
+ 2003-01-22 02:11 . 2003-01-22 02:11 3262464 c:\windows\Installer\4f35a88.msi
+ 2007-03-29 18:34 . 2007-03-29 18:34 8414208 c:\windows\Installer\4c59661a.msp
+ 2007-04-19 22:40 . 2007-04-19 22:40 7979008 c:\windows\Installer\4c596605.msp
+ 2004-02-14 05:00 . 2004-02-14 05:00 2270208 c:\windows\Installer\48a6778e.msi
+ 2004-02-14 04:57 . 2004-02-14 04:57 2358784 c:\windows\Installer\48a67789.msi
+ 2006-12-13 15:32 . 2006-12-13 15:32 5861376 c:\windows\Installer\4441875.msp
+ 2003-05-31 17:19 . 2003-05-31 17:19 4028928 c:\windows\Installer\43128aa.msi
+ 2008-06-30 21:34 . 2008-06-30 21:34 8416768 c:\windows\Installer\3f2699f.msp
+ 2008-05-06 17:30 . 2008-05-06 17:30 9577984 c:\windows\Installer\3f26975.msp
+ 2008-06-20 01:28 . 2008-06-20 01:28 1573376 c:\windows\Installer\3dc80dd7.msp
+ 2008-04-18 21:56 . 2008-04-18 21:56 6215680 c:\windows\Installer\3dc80dae.msp
+ 2007-07-21 20:26 . 2007-07-21 20:26 7574016 c:\windows\Installer\3dc80da3.msp
+ 2005-11-20 06:41 . 2005-11-20 06:41 1453568 c:\windows\Installer\3693c11.msi
+ 2005-11-20 06:40 . 2005-11-20 06:40 1868800 c:\windows\Installer\3693c0a.msi
+ 2005-11-20 06:39 . 2005-11-20 06:39 2892288 c:\windows\Installer\3693bf4.msi
+ 2005-11-20 06:37 . 2005-11-20 06:37 5091840 c:\windows\Installer\3693bed.msi
+ 2008-10-15 23:45 . 2008-10-15 23:45 2330624 c:\windows\Installer\2ea53e3.msi
+ 2009-02-27 04:04 . 2009-02-27 04:04 6777344 c:\windows\Installer\2cd223e8.msp
+ 2009-02-20 01:31 . 2009-02-20 01:31 4572160 c:\windows\Installer\2cd222b7.msp
+ 2009-02-28 08:55 . 2009-02-28 08:55 5142528 c:\windows\Installer\2cd22006.msp
+ 2009-03-06 03:03 . 2009-03-06 03:04 2335744 c:\windows\Installer\2cd21eea.msi
+ 2008-01-13 16:36 . 2008-01-13 16:36 1769984 c:\windows\Installer\28e3976.msi
+ 2008-01-13 16:35 . 2008-01-13 16:35 1767424 c:\windows\Installer\28e3968.msi
+ 2008-06-12 03:13 . 2008-06-12 03:13 7988224 c:\windows\Installer\288fda8d.msp
+ 2008-01-22 13:03 . 2008-01-22 13:03 1840640 c:\windows\Installer\283b43d.msi
+ 2008-01-22 13:02 . 2008-01-22 13:02 1768448 c:\windows\Installer\283b37f.msi
+ 2007-10-30 13:17 . 2007-10-30 13:17 6503936 c:\windows\Installer\2516acb.msp
+ 2007-07-11 10:00 . 2007-07-11 10:00 6743040 c:\windows\Installer\1c38c48a.msp
+ 2007-10-16 13:30 . 2007-10-16 13:30 7641088 c:\windows\Installer\19a2c1cf.msi
+ 2006-09-18 00:41 . 2006-09-18 00:41 1408000 c:\windows\Installer\17b9b0f0.msi
+ 2007-10-10 13:25 . 2007-10-10 13:25 3555328 c:\windows\Installer\16be4c.msi
+ 2009-05-04 14:46 . 2009-05-04 14:46 8299008 c:\windows\Installer\16a3415e.msp
+ 2009-04-24 19:30 . 2009-04-24 19:30 2583552 c:\windows\Installer\16a34153.msp
+ 2009-04-29 22:03 . 2009-04-29 22:03 8404992 c:\windows\Installer\16a34147.msp
+ 2006-03-01 21:15 . 2006-03-01 21:15 3255296 c:\windows\Installer\1466851f.msi
+ 2004-03-07 15:01 . 2004-03-07 15:01 5978112 c:\windows\Installer\142ef.msi
+ 2009-06-14 05:25 . 2009-06-14 05:25 2478080 c:\windows\Installer\13855d56.msi
+ 2009-06-14 05:22 . 2009-06-14 05:22 4074496 c:\windows\Installer\13855c82.msi
+ 2009-06-14 05:17 . 2009-06-14 05:17 1665024 c:\windows\Installer\13855959.msi
+ 2009-06-14 05:17 . 2009-06-14 05:17 8992256 c:\windows\Installer\13855913.msi
+ 2009-06-14 05:13 . 2009-06-14 05:14 3295232 c:\windows\Installer\1385567d.msi
+ 2006-03-29 18:44 . 2006-03-29 18:44 3563520 c:\windows\Installer\12902944.msi
+ 2008-01-13 03:59 . 2008-01-13 03:59 1785344 c:\windows\Installer\11d074b7.msi
+ 2008-01-13 03:59 . 2008-01-13 03:59 2435072 c:\windows\Installer\11d074af.msi
+ 2008-01-13 03:56 . 2008-01-13 03:56 2399744 c:\windows\Installer\11d074a7.msi
+ 2008-01-13 03:53 . 2008-01-13 03:53 2437632 c:\windows\Installer\11d0749e.msi
+ 2008-01-13 03:49 . 2008-01-13 03:49 2999808 c:\windows\Installer\11d07496.msi
+ 2008-01-13 03:43 . 2008-01-13 03:43 3240448 c:\windows\Installer\11d0748e.msi
+ 2008-01-13 03:36 . 2008-01-13 03:36 1888256 c:\windows\Installer\11d07486.msi
+ 2008-01-13 03:26 . 2008-01-13 03:26 1727488 c:\windows\Installer\11d0742f.msi
+ 2008-01-13 03:26 . 2008-01-13 03:26 1765888 c:\windows\Installer\11d0741a.msi
+ 2008-01-13 03:25 . 2008-01-13 03:25 1784832 c:\windows\Installer\11d07413.msi
+ 2008-01-13 03:25 . 2008-01-13 03:25 1723904 c:\windows\Installer\11d0740c.msi
+ 2008-01-13 03:25 . 2008-01-13 03:25 1763840 c:\windows\Installer\11d07405.msi
+ 2008-01-13 03:24 . 2008-01-13 03:24 1728000 c:\windows\Installer\11d073fc.msi
+ 2008-01-13 03:24 . 2008-01-13 03:24 1794560 c:\windows\Installer\11d073f5.msi
+ 2008-01-13 03:24 . 2008-01-13 03:24 1891840 c:\windows\Installer\11d073ee.msi
+ 2008-01-13 03:23 . 2008-01-13 03:23 2084864 c:\windows\Installer\11d073e6.msi
+ 2008-01-13 03:22 . 2008-01-13 03:22 1724928 c:\windows\Installer\11d073de.msi
+ 2008-01-13 03:21 . 2008-01-13 03:21 1885696 c:\windows\Installer\11d073d6.msi
+ 2008-01-13 03:21 . 2008-01-13 03:21 1786880 c:\windows\Installer\11d073cf.msi
+ 2008-01-13 03:21 . 2008-01-13 03:21 1765376 c:\windows\Installer\11d073c8.msi
+ 2008-01-13 03:20 . 2008-01-13 03:20 1733120 c:\windows\Installer\11d073c1.msi
+ 2008-01-13 03:20 . 2008-01-13 03:20 1722880 c:\windows\Installer\11d073ba.msi
+ 2008-01-13 03:20 . 2008-01-13 03:20 1723904 c:\windows\Installer\11d073b1.msi
+ 2008-01-13 03:19 . 2008-01-13 03:20 1722880 c:\windows\Installer\11d073a6.msi
+ 2008-01-13 03:19 . 2008-01-13 03:19 1751040 c:\windows\Installer\11d0739b.msi
+ 2008-01-13 03:19 . 2008-01-13 03:19 1768448 c:\windows\Installer\11d07394.msi
+ 2008-01-13 03:18 . 2008-01-13 03:18 1766400 c:\windows\Installer\11d07386.msi
+ 2008-01-13 03:17 . 2008-01-13 03:17 2166272 c:\windows\Installer\11d0737f.msi
+ 2008-01-13 03:15 . 2008-01-13 03:15 1722880 c:\windows\Installer\11d07378.msi
+ 2008-01-13 03:15 . 2008-01-13 03:15 1960960 c:\windows\Installer\11d07370.msi
+ 2008-01-13 00:58 . 2008-01-13 00:58 1786880 c:\windows\Installer\11d07369.msi
+ 2008-01-13 00:57 . 2008-01-13 00:57 1727488 c:\windows\Installer\11d0735a.msi
+ 2008-01-13 00:56 . 2008-01-13 00:56 2602496 c:\windows\Installer\11d07353.msi
+ 2008-01-13 00:50 . 2008-01-13 00:50 1733632 c:\windows\Installer\11d0734c.msi
+ 2008-01-13 00:49 . 2008-01-13 00:49 1736704 c:\windows\Installer\11d07345.msi
+ 2008-01-13 00:49 . 2008-01-13 00:49 1768448 c:\windows\Installer\11d0733e.msi
+ 2008-01-13 00:49 . 2008-01-13 00:49 1759744 c:\windows\Installer\11d07337.msi
+ 2008-01-13 00:48 . 2008-01-13 00:48 1833472 c:\windows\Installer\11d07330.msi
+ 2008-01-13 00:48 . 2008-01-13 00:48 1723392 c:\windows\Installer\11d07329.msi
+ 2008-01-13 00:48 . 2008-01-13 00:48 1833984 c:\windows\Installer\11d07322.msi
+ 2008-09-02 13:22 . 2008-09-02 13:22 1549312 c:\windows\Installer\11ad8a.msi
+ 2003-01-19 16:00 . 2003-01-19 16:00 4701184 c:\windows\Installer\112664.msi
+ 2004-03-07 15:18 . 2004-03-07 15:18 4068352 c:\windows\Installer\1102c9.msi
+ 2008-01-12 18:24 . 2008-01-12 18:24 1792512 c:\windows\Installer\10714e7b.msi
+ 2005-12-25 18:33 . 2005-10-18 20:01 9935872 c:\windows\Downloaded Installations\{872653C6-5DDC-488B-B7C2-CF9E4D9335E5}\iTunes.msi
+ 2007-02-06 03:38 . 2007-02-06 03:38 5667328 c:\windows\Downloaded Installations\{76F45A69-AA7A-4BC0-BD33-173F963DD2C2}\Multimedia Card Reader Driver.msi
+ 2006-03-25 20:10 . 2006-02-23 23:42 9934848 c:\windows\Downloaded Installations\{59C4F14F-7590-45FC-BE9F-A67AB3590709}\iTunes.msi
+ 2006-02-01 15:10 . 2005-12-21 18:57 9934848 c:\windows\Downloaded Installations\{501BADCD-F8F7-44CB-AC3F-6ED25C1A28B5}\iTunes.msi
+ 2005-12-25 18:10 . 2005-10-12 04:53 9932800 c:\windows\Downloaded Installations\{13616DE2-9795-4910-8C93-80D45AF09658}\iTunes.msi
+ 2005-03-29 04:19 . 2002-08-29 19:00 1325568 c:\windows\$NtServicePackUninstall$\webfldrs.msi
+ 2006-11-27 16:33 . 2006-11-27 16:33 17519104 c:\windows\Installer\fa976.msp
+ 2008-08-19 16:37 . 2008-08-19 16:37 17523712 c:\windows\Installer\ddcf991.msp
+ 2008-01-24 22:56 . 2008-01-24 22:56 13570560 c:\windows\Installer\989a712.msp
+ 2008-01-29 20:14 . 2008-01-29 20:14 17524224 c:\windows\Installer\989a6d1.msp
+ 2008-10-20 17:22 . 2008-10-20 17:22 11758592 c:\windows\Installer\6b75075.msp
+ 2008-10-29 02:17 . 2008-10-29 02:17 17520128 c:\windows\Installer\6b75056.msp
+ 2009-03-09 22:55 . 2009-03-09 22:55 17526272 c:\windows\Installer\654892de.msp
+ 2009-02-26 02:07 . 2009-02-26 02:07 11646464 c:\windows\Installer\654892b1.msp
+ 2006-03-04 05:41 . 2006-03-04 05:41 12388864 c:\windows\Installer\6020b0f.msi
+ 2005-09-25 18:46 . 2005-09-25 18:46 16084480 c:\windows\Installer\51a60b01.msp
+ 2007-04-19 21:15 . 2007-04-19 21:15 17519104 c:\windows\Installer\4c59662f.msp
+ 2006-12-05 16:25 . 2006-12-05 16:25 17520128 c:\windows\Installer\444184e.msp
+ 2007-10-15 06:33 . 2007-10-15 06:33 26646016 c:\windows\Installer\42ee97de.msp
+ 2008-06-20 22:30 . 2008-06-20 22:30 16733184 c:\windows\Installer\3f2698a.msp
+ 2008-08-11 18:51 . 2008-08-11 18:51 15916544 c:\windows\Installer\3dc80de1.msp
+ 2008-08-11 18:49 . 2008-08-11 18:49 22457344 c:\windows\Installer\3dc80dcc.msp
+ 2008-07-30 06:20 . 2008-07-30 06:20 11767296 c:\windows\Installer\3dc80dc2.msp
+ 2008-09-24 19:05 . 2008-09-24 19:05 16381440 c:\windows\Installer\3dc80db8.msp
+ 2008-01-13 15:32 . 2008-01-13 15:32 11395584 c:\windows\Installer\25c8009.msp
+ 2004-01-30 09:21 . 2004-01-30 09:21 15605132 c:\windows\Installer\2447b321.msp
+ 2005-03-28 02:39 . 2005-03-28 02:39 10723328 c:\windows\Installer\1c9047.msp
+ 2007-07-24 22:11 . 2007-07-24 22:11 17521152 c:\windows\Installer\1c5b0eec.msp
+ 2007-06-14 20:47 . 2007-06-14 20:47 17512448 c:\windows\Installer\1c4adb18.msp
+ 2009-05-06 01:06 . 2009-05-06 01:06 17515008 c:\windows\Installer\16a34188.msp
+ 2007-06-15 09:29 . 2007-06-15 09:29 37983232 c:\windows\Installer\11d0747c.msp
+ 2008-01-13 03:35 . 2008-01-13 03:35 10476544 c:\windows\Installer\11d0747b.msi
+ 2005-09-20 16:47 . 2005-09-04 03:26 10065408 c:\windows\Downloaded Installations\{EA7763E4-20ED-43E2-AEFB-D81D1FC2ED59}\iTunes.msi
+ 2004-05-26 03:39 . 2004-05-26 03:51 19479040 c:\windows\Downloaded Installations\{E83562AD-CFFD-4E8B-841F-6B60B5AC2496}\iTunes.msi
+ 2005-06-28 22:21 . 2005-06-28 22:21 21069312 c:\windows\Downloaded Installations\{A89EB61A-717D-4E9B-BB70-7626DF2EB947}\iTunes.msi
+ 2006-03-04 23:30 . 2006-03-04 23:30 21676544 c:\windows\Downloaded Installations\{88C3AC3E-241E-087C-B9E7-A81E0034E964}\merge65_win32_2172.msi
+ 2004-03-07 15:01 . 2004-03-07 15:01 15179776 c:\windows\Downloaded Installations\{86EDCFC4-DC59-43FC-BE0A-30A14FC371AA}\Palm VersaMail(tm).msi
+ 2006-01-25 04:04 . 2006-01-25 04:04 33979904 c:\windows\Downloaded Installations\{00C2E789-F948-4BE1-8167-6E6447DC4CE2}\iPod for Windows 2006-01-10.msi
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-10 28672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-23 196608]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-10 45056]
"SunJavaUpdateSched"="c:\program files\Java\jre1.5.0_12\bin\jusched.exe" [2007-05-02 75520]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2001-08-23 311296]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"egui"="f:\program files\ESET\ESET Smart Security\egui.exe" [2008-08-18 1447168]
"PWRISOVM.EXE"="f:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Malwarebytes' Anti-Malware"="f:\malware\Malware\mbamgui.exe" [2009-06-17 414992]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2008-12-02 364544]
c:\documents and settings\Eric\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-9-25 299008]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-8 98304]
WD Anywhere Backup Launcher.lnk - c:\documents and settings\Eric\Application Data\Microsoft\Installer\{B9A81070-616D-4E93-BE02-CEE651343204}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe [2008-12-2 17542]
MagicDisc.lnk - f:\program files\MagicDisc\MagicDisc.exe [2008-12-11 575488]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Dataviz Messenger.lnk - c:\windows\DvzCommon\DvzMsgr.exe [2003-7-1 24576]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-10-2 57344]
Monitor Apache Servers.lnk - c:\program files\Apache Group\Apache2\bin\ApacheMonitor.exe [2006-7-27 41042]
WinZip Quick Pick.lnk - c:\program files\WinZip9\WZQKPICK.EXE [2006-10-10 118784]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\M:\0autocheck autochk *
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"e:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"f:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/27/2004 4:18 PM 97920]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [3/9/2008 6:29 PM 8576]
R2 afpa;afpa;c:\windows\system32\drivers\afpa.sys [5/10/2003 12:12 AM 106224]
R2 ekrn;Eset Service;f:\program files\ESET\ESET Smart Security\ekrn.exe [8/18/2008 1:25 PM 468224]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 MBAMService;MBAMService;f:\malware\Malware\mbamservice.exe [11/29/2008 2:59 PM 195856]
R3 Dot4Usb HPH09ot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [8/23/2001 3:24 AM 18864]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/29/2008 2:59 PM 19096]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [11/3/2003 6:43 PM 28304]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\System32\drivers\ASUSHWIO.sys --> c:\windows\System32\drivers\ASUSHWIO.sys [?]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [8/23/2004 8:26 PM 10768]
.
Contents of the 'Scheduled Tasks' folder
2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
2009-07-02 c:\windows\Tasks\Malwarebytes' Scheduled Update for Eric.job
- f:\malware\Malware\mbam.exe [2008-11-29 18:27]
2009-07-02 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Eric.job
- f:\malware\Malware\mbam.exe [2008-11-29 18:27]
2009-07-01 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?sourceid=navclient&ie=UTF-8&hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA974} - hxxp://www.3dvista.com/downloads/viewer3dv.cab
DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - hxxp://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - hxxps://remote.halw.com/vdesk/terminal/urvncx.cab#version=5400,0,50202,1
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\xyeup4yl.Default User\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\xyeup4yl.Default User\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Media Player\npViewpoint.dll
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-02 08:02
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="e:\web\xampp\mysql\bin\mysqld-nt --defaults-file=e:\web\xampp\mysql\bin\my.cnf mysql"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1224)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-07-02 8:04
ComboFix-quarantined-files.txt 2009-07-02 15:04
ComboFix2.txt 2009-07-01 14:58
ComboFix3.txt 2009-06-30 14:14
Pre-Run: 2,936,586,240 bytes free
Post-Run: 2,894,266,368 bytes free
430 --- E O F --- 2009-06-10 10:08
Upload was successful
chiaz
Spyware Mod
chiaz
1,218 Posts
2 Jul 2009, 4:16pm
Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

===========================================================

Next, I noticed that you have Viewpoint installed.

Viewpoint Media Player/Manager/Toolbar is considered as foistware instead of malware since it is installed without users approval but doesn't spy or do anything "bad".

I suggest you remove the program now. Go to Start > Settings > Control Panel > Add/Remove Programs and remove the following programs if present.
  • Viewpoint
  • Viewpoint Manager
  • Viewpoint Media Player
  • Viewpoint Toolbar
  • Viewpoint Experience Technology

If you are having trouble removing Viewpoint, I suggest that you use ViewpointKiller. You may download it from this link.

Once you have downloaded ViewpointKiller, unzip it to a convenient location such as your desktop. Run ViewpointKiller, and select File > Do All Killings. Follow the prompts, selecting Yes or No, depending on which selection you are most comfortable with. A logfile will be created in the folder you unzipped ViewpointKiller to, please paste the contents here if you ran the tool.

===========================================================

Now, please go HERE to run Panda ActiveScan 2.0
  • Click the big green Scan now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • Once the scan is completed, please hit the notepad icon next to the text Export to:
  • Save it to a convenient location such as your Desktop
  • Post the contents of the ActiveScan.txt in your next reply, the ViewPointKiller log if you ran it, as well as let me know how your PC is running now.
dippydog
Icrontic Convert
dippydog
11 Posts
3 Jul 2009, 5:47am
Well, I ran Panda. It took almost 3 1/2 hours.

The log is over 19,000 lines. If you want me to post it I will, but most of what it's listing - like 98% - are cookies.

Let me know.
chiaz
Spyware Mod
chiaz
1,218 Posts
3 Jul 2009, 8:10am
Copy and paste here the lines that were not cookies.
dippydog
Icrontic Convert
dippydog
11 Posts
3 Jul 2009, 4:19pm
Here you go. The PC seems to be running pretty good. ESET did pop up with warnings on the 4 "suspect" files when Panda/IE was scanning them. Two appear to be quarantined, but the other two look like they're in restore points. Should those be removed?

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-07-02 21:41:19
PROTECTIONS: 1
MALWARE: 97
SUSPECTS: 4
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
ESET Smart Security 3.0 3.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00000431 adware/ist.istbar Adware No 1 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\istsvc
00001888 adware/dyfuca Adware No 0 Yes No hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\internet optimizer
00020302 adware/ncase Adware No 0 Yes No c:\windows\system32\saie_gdf.dat
00020302 adware/ncase Adware No 0 Yes No c:\windows\system32\saie_kyf.dat
00020302 adware/ncase Adware No 0 Yes No c:\windows\system32\saieau.dat
00020302 adware/ncase Adware No 0 Yes No c:\windows\system32\fleok
00036016 adware/topmoxie Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683}
00047863 adware/ieplugin Adware No 0 Yes No c:\windows\kwv2.dat
00047863 adware/ieplugin Adware No 0 Yes No HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E585-11D0-A707-000000521958}
00065260 adware/ipinsight Adware No 0 Yes No c:\windows\inf\polall1r.inf
00125640 spyware/search3 Spyware No 0 Yes No c:\program files\search3 toolbar
00125640 spyware/search3 Spyware No 0 Yes No hkey_local_machine\software\classes\search3.search3
00125640 spyware/search3 Spyware No 0 Yes No hkey_local_machine\software\classes\search3.search3menu button
00125640 spyware/search3 Spyware No 0 Yes No hkey_local_machine\software\classes\search3.search3toggle button
00125640 spyware/search3 Spyware No 0 Yes No hkey_classes_root\search3.search3
00125640 spyware/search3 Spyware No 0 Yes No hkey_classes_root\search3.search3menu button
00125640 spyware/search3 Spyware No 0 Yes No hkey_classes_root\search3.search3toggle button
00219288 adware/clickalchemy Adware No 0 Yes No c:\windows\inf\alchem.inf
00219288 adware/clickalchemy Adware No 0 Yes No c:\windows\alchem.ini
01260840 Trj/Downloader.PME Virus/Trojan No 1 Yes No C:\Documents and Settings\Eric\Local Settings\Application Data\Wildtangent\Cdacache\00\00\2B.DAT
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{48ED0761-39E6-4D2B-B2C0-E468CD8F537A}\RP2435\A0244313.SYS
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{48ED0761-39E6-4D2B-B2C0-E468CD8F537A}\RP2435\A0244123.SYS
;===================================================================================================================================================================================
SUSPECTS
Sent Location ,
;===================================================================================================================================================================================
No C:\System Volume Information\_restore{48ED0761-39E6-4D2B-B2C0-E468CD8F537A}\RP2435\A0244106.EXE ,
No C:\System Volume Information\_restore{48ED0761-39E6-4D2B-B2C0-E468CD8F537A}\RP2436\A0244491.DLL ,
No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon.exe.vir ,
No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\termsrv.dll.vir ,
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description ,
;===================================================================================================================================================================================
;===================================================================================================================================================================================
chiaz
Spyware Mod
chiaz
1,218 Posts
3 Jul 2009, 4:33pm
Hi, don't worry about those infected System Restore points, they are relatively harmless unless you actually proceed to restore those points. We will deal with them later.


For now, please go to My Computer > Control Panel > Add/Remove Programs and uninstall the following if found:
Istbar
Search3
WildTangent

Reboot even if not prompted to do so.

=====================================================

Now close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

Open *notepad* and copy/paste the text in the quotebox below into it:

Code:
KILLALL::

Registry::
[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\istsvc]
[-hkey_local_machine\software\microsoft\windows\currentversion\app management\arpcache\internet optimizer]
[-HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\{6685509E-B47B-4f47-8E16-9A5F3A62F683}]
[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{886DDE35-E585-11D0-A707-000000521958}]
[-key_local_machine\software\classes\search3.search3]
[-hkey_local_machine\software\classes\search3.search3menu button]
[-hkey_local_machine\software\classes\search3.search3toggle button]
[-hkey_classes_root\search3.search3]
[-hkey_classes_root\search3.search3menu button]
[-hkey_classes_root\search3.search3toggle button]

File::
c:\windows\system32\saie_gdf.dat
c:\windows\system32\saie_kyf.dat
c:\windows\system32\saieau.dat
c:\windows\kwv2.dat
c:\windows\inf\polall1r.inf
c:\windows\inf\alchem.inf
c:\windows\alchem.ini

Folder::
c:\windows\system32\fleok
c:\program files\search3 toolbar
C:\Documents and Settings\Eric\Local Settings\Application Data\Wildtangent\
Save this as CFScript.txt, in the same location as ComboFix.exe which is on the Desktop.




Refering to the picture above, drag CFScript.txt into ComboFix.exe


When finished (your computer may reboot first), it shall produce a log for you at C:\ComboFix.txt


Please copy and paste the ComboFix.txt and a new Panda ActiveScan log in your next reply please.


*Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall. Altering this script in any way could damage your computer.*
dippydog
Icrontic Convert
dippydog
11 Posts
4 Jul 2009, 2:10am
I have to post the combofix log in two entries. It's more than 50,000 characters.

Here's combofix - part 1.

ComboFix 09-07-02.02 - Eric 07/03/2009 11:28.4 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1535.1009 [GMT -7:00]
Running from: c:\documents and settings\Eric\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Eric\Desktop\CFScript.txt
AV: ESET Smart Security 3.0 *On-access scanning disabled* (Updated) {E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}
FW: ESET Personal firewall *disabled* {E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}
* Resident AV is active

FILE ::
"c:\windows\alchem.ini"
"c:\windows\inf\alchem.inf"
"c:\windows\inf\polall1r.inf"
"c:\windows\kwv2.dat"
"c:\windows\system32\saie_gdf.dat"
"c:\windows\system32\saie_kyf.dat"
"c:\windows\system32\saieau.dat"
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\01.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\02.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\03.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\04.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\05.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\06.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\07.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\08.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\09.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\0A.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\0B.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\0C.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\0D.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\0E.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\0F.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\10.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\11.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\12.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\13.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\14.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\15.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\16.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\17.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\18.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\19.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\1A.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\1B.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\1C.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\1D.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\1E.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\1F.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\20.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\21.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\22.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\23.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\24.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\25.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\26.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\27.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\28.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\29.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\2A.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\2B.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\2C.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\2D.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\2E.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\2F.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\30.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\00\00\31.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\cdacache.odds
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\default_config.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\fmod.dll
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\driver\animation.cfg
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\driver\default.skin
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\driver\driver.MD3
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\driver\driver.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\effects.ffe
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\fox_data\manifest.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\fox_data\tracks.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\fox_data\vehicles.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\aipip.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\aipipa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\cardamage.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\cardamagea.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\debris.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\debrisa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\dirt.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\dust.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\dusta.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\dustnofadea.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\fire.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\glass.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\glassa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\glowred.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\glowrev.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\glowwhite.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\grass.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\grassa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\hl.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\hll.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\hlr.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\lamp.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\leaderpip.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\mirror.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\mirrora.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\needle.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\needlea.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\numbers_1.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\numbers_1a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\numbers_2.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\numbers_2a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\numbers_3.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\numbers_3a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\playerpip.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\refglowred.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\refglowrev.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\refglowwhite.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\reflamp.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\reflectglass.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\refsunglow.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\rpm.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\rpma.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\shadow.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\shadowa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\smoke.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\spark.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\sun.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\sunglow.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\topbar.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\topbara.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\tread.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\treada.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\water.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\watera.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\white.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\wrongway.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\images\wrongwaya.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\cursor.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\cursora.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\dodgelogo.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\dodgelogoa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\envmap.dds
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\eurostile.ini
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\eurostile.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\eurostilea.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\logo.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\logoa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\panel1.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\panel1a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\panel2.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\panel2a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\pbar.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\pbara.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\sponsor.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\sponsora.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\wtlogo.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\menus\wtlogoa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\music\menu.ogg
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\music\tracks\intro.ogg
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sky\sky1.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sky\sky1.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sky\sky1b.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sky\sky1t.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sky\sky2.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sky\sky2.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sky\sky2b.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sky\sky2t.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sky\sky3.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sky\sky3.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sky\sky3b.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sky\sky3t.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\click.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\bigglass.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\crash.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\dirt.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\grass.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\gravel.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\hitsign.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\lowcrash.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\paved.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\scrape.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\scrapehit.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\skiddirt.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\skidgrass.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\skidgravel.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\skidpavement.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\skidwater.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\smallglass.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\softtire.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\tirehit.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\water.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\wind.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\effect\wood.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\engine\15c.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\engine\30c.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\engine\40c.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\engine\45c.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\engine\idle.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\engine\ignition.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\losttrick.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\over.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\shift.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\2nd.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\3rd.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\3widehi.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\3widelow.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\3widemid.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\4th.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\boxed.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\clearhigh.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\clearlow.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\clrall.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\clrall2.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\clrall3.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\clrall4.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\crash.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\crash2.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\crash3.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\crash4.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\first.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\first2.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\gohigh.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\golow.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\green.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\green2.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\heavy.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\heavy2.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\inside.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\inside2.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\inside3.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\inside4.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\inside5.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\inside6.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\lastlap.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\movedown.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\movedown2.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\moveup.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\moveup2.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\outside.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\outside2.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\outside3.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\outside4.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\pileup.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\pileup2.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\slowcar.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\slowhi.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\slowlo.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\stayhigh.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\staylow.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\stillthere.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\straighten.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\warn.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\warn2.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\warn3.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\warn4.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\spotter\wrongway.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\start1.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\start2.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\tally.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\sounds\trick.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\anim_crowd.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\anim_crowd01.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\anim_crowd01a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\anim_crowda.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\banner_01.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\billboard_01.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\billboard_02.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\billboard_03.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\billboard_04.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\billboard_05.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\billboard_06.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\brand_01.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\build01.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\build02.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\bus_blue.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\bus_green.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\bus_white.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\car_a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\car_b.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\car_c.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\car_d.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\crowd.wav
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\envi_car.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\environment.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\environment_t.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\environment1.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\environment2.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\environment3.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\fence_in.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\fence02_b.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\fence03_b.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\fire1sp.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\grass_01.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\ground.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\hollywood_hotel.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\hollywood_hotela.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\last_tracknames.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\last_tracknamesa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\lastfence01.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\lastfence01_a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\lastfence02.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\lastfence02_a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\lastfence03.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\lastfence03_a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\light.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\Pole Position.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refapron02.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refapron02a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refapron1.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refapron2.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refapron3.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refapron3a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refaprona.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refdarkpave.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refdarkpavea.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refpit1.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refroad_01a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refroad_02.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refroad_3.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refroad1.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\refroad2.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\shadow_1.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\shadow_1a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\shadow_2a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\shadow2g.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\shadow2ga.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\shadowmap.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\shadowmapa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\stand_a01.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\stand_a02.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\stand_a03.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\stand_a04.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\stand_b01.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\stand_small_b.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\station.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\station_01.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\station_02.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\station_03.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\station_04.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\station_a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\station_blue.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\tent.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\track_shadow.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\tree1.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\tree2.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\truck_a.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\truck_b.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\truck_c.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\truck_d.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\truck_e.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\textures\truck_red.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track1_half_mile\collision.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track1_half_mile\mesh.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track1_half_mile\minimap.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track1_half_mile\minimapa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track1_half_mile\preview.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track1_half_mile\preview.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track1_half_mile\previewa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track2_one_mile\collision.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track2_one_mile\mesh.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track2_one_mile\minimap.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track2_one_mile\minimapa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track2_one_mile\preview.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track2_one_mile\preview.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track2_one_mile\previewa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track3_two_mile\collision.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track3_two_mile\mesh.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track3_two_mile\minimap.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track3_two_mile\minimapa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track3_two_mile\preview.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track3_two_mile\preview.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\tracks\track3_two_mile\previewa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\aicurve\ai1.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\aicurve\ai10.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\aicurve\ai2.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\aicurve\ai3.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\aicurve\ai4.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\aicurve\ai5.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\aicurve\ai6.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\aicurve\ai7.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\aicurve\ai8.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\aicurve\ai9.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\body.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\bodydamage.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\brake.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\bumper.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\bumper2.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\chassis.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\collision.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\color_black.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\color_blackd.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\color_blue.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\color_blued.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\color_red.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\color_redd.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\color_white.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\color_whited.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\color_yellow.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\color_yellowd.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\dbumper.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\dbumper2.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\dchassis.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\dhood.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\engine.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\fl.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\flrim.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\fr.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\frrim.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\glass.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\glass.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\glassa.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\glassbroke.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\glassbrokea.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\grip.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\griptransition.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\hood.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\interior.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\interior.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\interiora.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\latdamp.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\lgrip.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\lod1.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\lod2.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\lod3.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\lwdamp.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\reflect.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\reflectd.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\reflectplain.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\reflectplaind.png
dippydog
Icrontic Convert
dippydog
11 Posts
4 Jul 2009, 2:12am
Here's combofix part 2, and the Panda scan log below that.

c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\schassis.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\sfl.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\sfr.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\steer.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\torque.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\upgrades.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\vehicle.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\dodge\wdamp.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\body.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\brake.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\chassis.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\collision.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\fl.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\fr.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\grip.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\griptransition.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\latdamp.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\lgrip.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\lod1.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\lod2.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\lod3.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\lwdamp.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\reflect.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\schassis.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\sfl.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\sfr.mdl
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\steer.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\torque.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\upgrades.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\vehicle.dat
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\wdamp.crv
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\vehicles\pacecar\wheel.png
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\MEDIA\wheeleffects.ffe
c:\documents and settings\Eric\Local Settings\Application Data\Wildtangent\\Cdacache\rtp\RTP.exe
c:\program files\search3 toolbar
c:\program files\search3 toolbar\Cache\hilight.bmp
c:\program files\search3 toolbar\Cache\mglass.bmp
c:\program files\search3 toolbar\Cache\search3tb0300.cfg
c:\program files\search3 toolbar\Uninstall.exe
c:\windows\alchem.ini
c:\windows\inf\alchem.inf
c:\windows\inf\polall1r.inf
c:\windows\Installer\27f1db9.msi
c:\windows\Installer\d782fac.msi
c:\windows\kwv2.dat
c:\windows\system32\fleok
c:\windows\system32\saie_gdf.dat
c:\windows\system32\saie_kyf.dat
c:\windows\system32\saieau.dat
.
((((((((((((((((((((((((( Files Created from 2009-06-03 to 2009-07-03 )))))))))))))))))))))))))))))))
.
2009-07-03 00:18 . 2008-06-20 00:24 28544 ----a-w- c:\windows\system32\drivers\pavboot.sys
2009-07-03 00:17 . 2009-07-03 00:17 -------- d-----w- c:\program files\Panda Security
2009-07-03 00:02 . 2009-07-03 00:02 410984 ----a-w- c:\windows\system32\deploytk.dll
2009-06-14 05:20 . 2009-06-14 05:20 -------- d-----w- c:\program files\iTunes
2009-06-14 05:20 . 2009-06-14 05:20 -------- d-----w- c:\documents and settings\All Users\Application Data\{8CD7F5AF-ECFA-4793-BF40-D8F42DBFF906}
2009-06-14 05:13 . 2009-06-05 18:42 2060288 ----a-w- c:\windows\system32\usbaaplrc.dll
2009-06-14 05:09 . 2009-06-14 05:09 75048 ----a-w- c:\documents and settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 8.2.0.23\SetupAdmin.exe
2009-06-10 13:36 . 2009-06-10 13:36 -------- d-----w- c:\windows\SxsCaPendDel
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-30 02:39 . 2005-03-29 04:29 552 ----a-w- c:\windows\system32\d3d8caps.dat
2009-06-18 08:00 . 2008-12-04 08:00 3561743 ----a-w- c:\documents and settings\All Users\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\mbam-setup.exe
2009-06-17 18:27 . 2008-11-29 21:59 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 18:27 . 2008-11-29 21:59 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-06-05 18:42 . 2007-12-25 17:28 39424 ----a-w- c:\windows\system32\drivers\usbaapl.sys
2009-05-07 15:44 . 2005-03-28 03:19 344064 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:31 . 2005-03-28 03:19 668160 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:31 . 2005-03-28 03:05 81920 ------w- c:\windows\system32\ieencode.dll
2009-04-23 05:30 . 2009-04-23 05:30 34062 ----a-w- c:\documents and settings\Eric\Application Data\Move Networks\ie_bin\Uninst.exe
2009-04-17 13:03 . 2008-02-04 03:48 3218 ----a-w- c:\windows\system32\PerfStringBackup.TMP
2009-04-17 09:58 . 2005-03-28 04:19 1846656 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 15:11 . 2005-03-28 03:19 584192 ----a-w- c:\windows\system32\rpcrt4.dll
2006-08-09 16:42 . 2007-02-06 03:31 3198976 ----a-w- c:\program files\ViewSonicregistration.exe
2003-08-27 21:19 . 2004-05-26 03:21 36963 ----a-r- c:\program files\Common Files\SM1updtr.dll
2008-12-20 05:22 . 2004-11-19 23:26 54368 ----a-w- c:\program files\mozilla firefox\components\jsd3250.dll
2008-12-20 05:22 . 2004-11-19 23:25 172136 ----a-w- c:\program files\mozilla firefox\components\xpinstal.dll
2005-07-16 12:41 . 2004-11-19 23:26 44153 ----a-w- c:\program files\mozilla firefox\components\inspector.dll
2008-12-20 05:22 . 2004-11-19 23:25 67688 ----a-w- c:\program files\mozilla firefox\components\jar50.dll
2008-12-20 05:22 . 2006-12-25 02:17 34944 ----a-w- c:\program files\mozilla firefox\components\myspell.dll
2008-12-20 05:22 . 2006-12-25 02:17 46712 ----a-w- c:\program files\mozilla firefox\components\spellchk.dll
2002-08-29 19:00 . 2002-08-29 19:00 94784 --sh--w- c:\windows\twain.dll
.
((((((((((((((((((((((((((((( SnapShot_2009-07-02_15.03.01 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-07-03 18:38 . 2009-07-03 18:38 16384 c:\windows\temp\Perflib_Perfdata_460.dat
+ 2009-07-03 00:02 . 2009-07-03 00:02 148888 c:\windows\system32\javaws.exe
+ 2009-07-03 00:02 . 2009-07-03 00:02 144792 c:\windows\system32\javaw.exe
+ 2009-07-03 00:02 . 2009-07-03 00:02 144792 c:\windows\system32\java.exe
+ 2009-07-03 00:03 . 2009-07-03 00:03 873472 c:\windows\Installer\719920a.msi
+ 2009-07-03 00:02 . 2009-07-03 00:02 536576 c:\windows\Installer\7199203.msi
+ 2009-07-02 23:56 . 2009-07-02 23:56 417792 c:\windows\Installer\71991fc.msi
+ 2009-04-17 15:59 . 2009-04-17 15:59 128256 c:\windows\Downloaded Program Files\as2stubie.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-07-06 68856]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="c:\program files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-06-01 94208]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2007-03-01 2321600]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ASUS Probe"="c:\program files\ASUS\Probe\AsusProb.exe" [2002-12-06 617984]
"WinampAgent"="c:\program files\Winamp\winampa.exe" [2003-12-13 33792]
"type32"="c:\program files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 114688]
"SM1BG"="c:\windows\SM1BG.EXE" [2003-08-27 94208]
"Share-to-Web Namespace Daemon"="c:\program files\Hewlett-Packard\PhotoSmart\HP Share-to-Web\hpgs2wnd.exe" [2001-07-03 57344]
"Microsoft Works Update Detection"="c:\program files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe" [2002-07-10 28672]
"IntelliPoint"="c:\program files\Microsoft IntelliPoint\point32.exe" [2003-05-15 163840]
"HPDJ Taskbar Utility"="c:\windows\system32\spool\drivers\w32x86\3\hpztsb04.exe" [2001-08-23 196608]
"CXMon"="c:\program files\Hewlett-Packard\PhotoSmart\Photo Imaging\Hpi_Monitor.exe" [2001-08-10 45056]
"SunJavaUpdateSched"="e:\program files\Java\jre6\bin\jusched.exe" [2009-07-03 148888]
"HPHmon03"="c:\windows\system32\hphmon03.exe" [2001-08-23 311296]
"NeroFilterCheck"="c:\program files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 155648]
"CanonMyPrinter"="c:\program files\Canon\MyPrinter\BJMyPrt.exe" [2006-03-22 1191936]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-11 39792]
"Acrobat Assistant 8.0"="e:\program files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2007-05-11 624248]
"AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2009-05-14 177472]
"egui"="f:\program files\ESET\ESET Smart Security\egui.exe" [2008-08-18 1447168]
"PWRISOVM.EXE"="f:\program files\PowerISO\PWRISOVM.EXE" [2008-11-02 167936]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2009-05-27 413696]
"iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2009-06-05 292136]
"Malwarebytes' Anti-Malware"="f:\malware\Malware\mbamgui.exe" [2009-06-17 414992]
"WD Button Manager"="WDBtnMgr.exe" - c:\windows\system32\WDBtnMgr.exe [2008-12-02 364544]
c:\documents and settings\Eric\Start Menu\Programs\Startup\
HotSync Manager.lnk - c:\program files\Palm\HOTSYNC.EXE [2003-9-25 299008]
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-10-8 98304]
WD Anywhere Backup Launcher.lnk - c:\documents and settings\Eric\Application Data\Microsoft\Installer\{B9A81070-616D-4E93-BE02-CEE651343204}\NewShortcut4_3A95A0BFA90C41A28DFACEDE7630C4FB.exe [2008-12-2 17542]
MagicDisc.lnk - f:\program files\MagicDisc\MagicDisc.exe [2008-12-11 575488]
c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office10\OSA.EXE [2001-2-13 83360]
Dataviz Messenger.lnk - c:\windows\DvzCommon\DvzMsgr.exe [2003-7-1 24576]
Quicken Scheduled Updates.lnk - c:\program files\Quicken\bagent.exe [2003-10-2 57344]
Monitor Apache Servers.lnk - c:\program files\Apache Group\Apache2\bin\ApacheMonitor.exe [2006-7-27 41042]
WinZip Quick Pick.lnk - c:\program files\WinZip9\WZQKPICK.EXE [2006-10-10 118784]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\session manager]
BootExecute REG_MULTI_SZ autocheck autochk /p \??\M:\0autocheck autochk *
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Palm\\HOTSYNC.EXE"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Real\\RealPlayer\\RealPlay.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\SmartFTP\\SmartFTP.exe"=
"c:\\Program Files\\SmartFTP Client 2.0\\SmartFTP.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Macromedia\\Dreamweaver 8\\Dreamweaver.exe"=
"e:\\Program Files\\Adobe\\Adobe Dreamweaver CS3\\Dreamweaver.exe"=
"f:\\Program Files\\uTorrent\\uTorrent.exe"=
"c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
R0 pavboot;pavboot;c:\windows\system32\drivers\pavboot.sys [7/2/2009 5:18 PM 28544]
R0 Si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [8/27/2004 4:18 PM 97920]
R1 vcdrom;Virtual CD-ROM Device Driver;c:\windows\system32\drivers\VCdRom.sys [3/9/2008 6:29 PM 8576]
R2 afpa;afpa;c:\windows\system32\drivers\afpa.sys [5/10/2003 12:12 AM 106224]
R2 ekrn;Eset Service;f:\program files\ESET\ESET Smart Security\ekrn.exe [8/18/2008 1:25 PM 468224]
R2 IntuitUpdateService;Intuit Update Service;c:\program files\Common Files\Intuit\Update Service\IntuitUpdateService.exe [10/10/2008 5:45 AM 13088]
R2 MBAMService;MBAMService;f:\malware\Malware\mbamservice.exe [11/29/2008 2:59 PM 195856]
R3 Dot4Usb HPH09ot4Usb HPH09;c:\windows\system32\drivers\hphius09.sys [8/23/2001 3:24 AM 18864]
R3 MBAMProtector;MBAMProtector;c:\windows\system32\drivers\mbam.sys [11/29/2008 2:59 PM 19096]
R3 urvpndrv;F5 Networks VPN Adapter;c:\windows\system32\drivers\urvpndrv.sys [11/3/2003 6:43 PM 28304]
S0 ntcdrdrv;ntcdrdrv;c:\windows\system32\DRIVERS\ntcdrdrv.sys --> c:\windows\system32\DRIVERS\ntcdrdrv.sys [?]
S3 ASUSHWIO;ASUSHWIO;\??\c:\windows\System32\drivers\ASUSHWIO.sys --> c:\windows\System32\drivers\ASUSHWIO.sys [?]
S3 f5ipfw;F5 Networks StoneWall Filter;c:\windows\system32\drivers\urfltw2k.sys [8/23/2004 8:26 PM 10768]
.
Contents of the 'Scheduled Tasks' folder
2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-08-29 19:34]
2009-07-03 c:\windows\Tasks\Malwarebytes' Scheduled Update for Eric.job
- f:\malware\Malware\mbam.exe [2008-11-29 18:27]
2009-07-03 c:\windows\Tasks\Malwarebytes' Scheduled Scan for Eric.job
- f:\malware\Malware\mbam.exe [2008-11-29 18:27]
2009-07-03 c:\windows\Tasks\WGASetup.job
- c:\windows\system32\KB905474\wgasetup.exe [2009-04-01 05:18]
.
.
------- Supplementary Scan -------
.
uStart Page = hxxp://www.google.com/ig?sourceid=navclient&ie=UTF-8&hl=en
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mSearch Bar =
uInternet Settings,ProxyOverride = localhost;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: Append to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert link target to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert link target to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert selected links to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
IE: Convert selected links to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
IE: Convert selection to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
IE: Convert selection to existing PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
IE: Convert to Adobe PDF - e:\program files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
Trusted Zone: turbotax.com
DPF: DirectAnimation Java Classes - file://c:\windows\Java\classes\dajava.cab
DPF: Microsoft XML Parser for Java - file://c:\windows\Java\classes\xmldso.cab
DPF: {2D72C39D-53F6-4AEA-A9DB-1298429DA974} - hxxp://www.3dvista.com/downloads/viewer3dv.cab
DPF: {94837F90-A2CA-4A8A-9DA0-B5438EC563EA} - hxxp://install.wildtangent.com/cda/islandrally/ActiveLauncher/ActiveLauncherSetup.cab
DPF: {E66D35B8-E70D-42A6-B1F5-DB784CB92B15} - hxxps://remote.halw.com/vdesk/terminal/urvncx.cab#version=5400,0,50202,1
FF - ProfilePath - c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\xyeup4yl.Default User\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Google
FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/ig?hl=en
FF - plugin: c:\documents and settings\Eric\Application Data\Mozilla\Firefox\Profiles\xyeup4yl.Default User\extensions\OberonGameHost@OberonGames.com\platform\WINNT_x86-msvc\plugins\npOberonGameHost.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPJPI150_12.dll
FF - plugin: c:\program files\Java\jre1.5.0_12\bin\NPOJI610.dll
FF - HiddenExtension: Java Console: No Registry Reference - f:\program files\Mozilla Firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
.
**************************************************************************
catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-07-03 11:41
Windows 5.1.2600 Service Pack 2 FAT NTAPI
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
[HKEY_LOCAL_MACHINE\System\ControlSet002\Services\MySQL]
"ImagePath"="e:\web\xampp\mysql\bin\mysqld-nt --defaults-file=e:\web\xampp\mysql\bin\my.cnf mysql"
.
--------------------- DLLs Loaded Under Running Processes ---------------------
- - - - - - - > 'winlogon.exe'(1224)
c:\windows\system32\Ati2evxx.dll
- - - - - - - > 'explorer.exe'(5076)
c:\windows\System32\shdoclc.dll
c:\program files\Common Files\Microsoft Shared\Ink\SKCHUI.DLL
.
------------------------ Other Running Processes ------------------------
.
c:\windows\SYSTEM32\ATI2EVXX.EXE
e:\web\xampp\apache\bin\apache.exe
c:\program files\COMMON FILES\APPLE\MOBILE DEVICE SUPPORT\BIN\APPLEMOBILEDEVICESERVICE.EXE
c:\program files\BONJOUR\MDNSRESPONDER.EXE
e:\web\xampp\FileZillaFTP\FileZillaServer.exe
e:\program files\Java\jre6\bin\jqs.exe
c:\windows\SYSTEM32\ATI2EVXX.EXE
c:\program files\COMMON FILES\MICROSOFT SHARED\VS7DEBUG\MDM.EXE
e:\web\xampp\mysql\bin\mysqld-nt.exe
e:\web\xampp\apache\bin\apache.exe
c:\program files\COMMON FILES\ADAPTEC SHARED\CREATECD\CREATE~1.EXE
c:\program files\HEWLETT-PACKARD\PHOTOSMART\HP SHARE-TO-WEB\HPGS2WNF.EXE
c:\program files\iPod\bin\iPodService.exe
c:\program files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
c:\program files\WD\WD Anywhere Backup\MemeoBackup.exe
.
**************************************************************************
.
Completion time: 2009-07-03 11:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-07-03 18:45
ComboFix2.txt 2009-07-02 15:05
ComboFix3.txt 2009-07-01 14:58
ComboFix4.txt 2009-06-30 14:14
Pre-Run: 2,627,190,784 bytes free
Post-Run: 2,609,496,064 bytes free
695 --- E O F --- 2009-06-10 10:08


Panda Scan ---

;***********************************************************************************************************************************************************************************
ANALYSIS: 2009-07-03 18:03:39
PROTECTIONS: 1
MALWARE: 91
SUSPECTS: 4
;***********************************************************************************************************************************************************************************
PROTECTIONS
Description Version Active Updated
;===================================================================================================================================================================================
ESET Smart Security 3.0 3.0 Yes Yes
;===================================================================================================================================================================================
MALWARE
Id Description Type Active Severity Disinfectable Disinfected Location
;===================================================================================================================================================================================
00124890 Adware/IPInsight Adware No 0 Yes No C:\System Volume Information\_restore{48ED0761-39E6-4D2B-B2C0-E468CD8F537A}\RP2438\A0245446.INF
00124890 Adware/IPInsight Adware No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\INF\alchem.inf.vir
00139443 Adware/Transponder Adware No 0 Yes No C:\System Volume Information\_restore{48ED0761-39E6-4D2B-B2C0-E468CD8F537A}\RP2438\A0245447.INF
00139443 Adware/Transponder Adware No 0 Yes No C:\Qoobox\Quarantine\C\WINDOWS\INF\polall1r.inf.vir
01260840 Trj/Downloader.PME Virus/Trojan No 1 Yes No C:\Qoobox\Quarantine\C\Documents and Settings\Eric\Local Settings\Application Data\Wildtangent\Cdacache\00\00\2B.dat.vir
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{48ED0761-39E6-4D2B-B2C0-E468CD8F537A}\RP2438\A0245455.SYS
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{48ED0761-39E6-4D2B-B2C0-E468CD8F537A}\RP2435\A0244313.SYS
02885963 Rootkit/Booto.C Virus/Worm No 0 Yes No C:\System Volume Information\_restore{48ED0761-39E6-4D2B-B2C0-E468CD8F537A}\RP2435\A0244123.SYS
;===================================================================================================================================================================================
SUSPECTS
Sent Location ?
;===================================================================================================================================================================================
No C:\System Volume Information\_restore{48ED0761-39E6-4D2B-B2C0-E468CD8F537A}\RP2435\A0244106.EXE ?
No C:\System Volume Information\_restore{48ED0761-39E6-4D2B-B2C0-E468CD8F537A}\RP2436\A0244491.DLL ?
No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\winlogon.exe.vir ?
No C:\Qoobox\Quarantine\C\WINDOWS\SYSTEM32\termsrv.dll.vir ?
;===================================================================================================================================================================================
VULNERABILITIES
Id Severity Description ?
;===================================================================================================================================================================================
;===================================================================================================================================================================================
chiaz
Spyware Mod
chiaz
1,218 Posts
4 Jul 2009, 2:50am
Java is outdated on your PC.

Please download JavaRa to your desktop and unzip it to its own folder
  • Run JavaRa.exe, pick the language of your choice and click Select. Then click Remove Older Versions.
  • Accept any prompts.
  • Open JavaRa.exe again and select Search For Updates.
  • Select Update Using Sun Java's Website then click Search and click on the Open Webpage button. Download and install the latest Java Runtime Environment (JRE) version for your computer.

==========================================================

It's time to remove ComboFix.

Go to to Start > Run
Type in box

combofix /u

Note: the space between the X and the /u

Press Enter.

This command will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:_OtMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.



Let me know how your PC is running now.
dippydog
Icrontic Convert
dippydog
11 Posts
4 Jul 2009, 4:34pm
ComboFix is uninstalled.

Computer seems to be running pretty good.

Does that take care of everything?
chiaz
Spyware Mod
chiaz
1,218 Posts
4 Jul 2009, 5:18pm
That's great to hear.

Glad we could be of assistance! The help you received here was free.

This topic is now closed. If you wish it reopened, please send a Private Message to Trogan with a link to your thread.

If you are not the user who started this thread, you must start your own Thread instead
_______________________________

Have we helped you with any issues you have had with your PCs or other items? If so, you can now help us by Joining Team 93 and fold for a cure.
Similar Threads
Thread Thread Starter Forum Replies Last Post
Help! winlogon.exe infected by ursnif.a chance Resolved / Inactive 6 16 Jul 2009 9:19pm
spy.Ursnif.A inside termsrv.dll and Winlogon.exe Kavukamari Resolved / Inactive 25 7 Jul 2009 2:52am
Yet another NOD32 winlogon.exe ursnif.a virus aznintent Resolved / Inactive 8 2 Jul 2009 9:30pm
winlogon problem homer933 General Hardware 9 25 Jul 2007 7:39pm
SVCHOST.EXE or WINLOGON.EXE (is this a problem?) jon_jon Resolved / Inactive 1 12 Jul 2004 6:03am

Go Back   Icrontic Forums > Malware Help > Spyware & Virus Removal > Resolved / Inactive
Reload this Page Having problem with spy.Ursnif.A inside termsrv.dll and Winlogon.exe
Jump to
This Thread Search this Thread
Search this Thread:

Advanced Search

Today's Posts - Mark All Read - Contact Us - Icrontic.com - Archive - Top

Current time: 2:45am (GMT)
Powered by vBulletin®
Copyright ©2000 - 2009, Jelsoft Enterprises Ltd.
Get Vanilla instead. Trust me.