Virus, Trojan, Malware, it's something, PLEASE help! :(

OK, you guys, I've got a big issue on my hands. My computer somehow got a trojan or something of that nature. I don't know what on earth it was/is. My computer won't run under regular mode, only safe mode. If I go under regular mode, my computer's desktop is in desktop recovery mode, which goes into the blue system error screen within 15 seconds, and it happens just before 3 different "Internet Explorer Errors" pop up... you know, the ones that say Send or Don't Send, blah blah blah.

I ran all sorts of virus stuff and removed whatever it needed to, but apparently it still is a bit jacked up. For the meantime, I have this HijackThis log. PLEASE, SOMEONE HELP ME! I beg of you guys.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:05:03 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode with network support
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\HIJACK.EXE
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1443D5E6-F92E-DA36-0BBA-0744992443D0} - C:\Program Files\Qexwmyjw\tuvdreyc.dll
O2 - BHO: Flash Module - {17D8505B-D9FD-465d-9B26-7696BE35D182} - sockver1.dll (file missing)
O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E2E0DEF51BCA} - C:\WINDOWS\system32\pgd.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [EPSON Stylus CX5400] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
O4 - HKLM\..\Run: [runner1] "C:\WINDOWS\tsitra27.exe" 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKLM\..\Run: [rqdsfslw] "rundll32.exe" "C:\Program Files\rqdsfslw\bozwzwve.dll",Init
O4 - HKLM\..\Run: [mtedwtcb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mtedwtcb.dll"
O4 - HKLM\..\Run: [SC2] "C:\Program Files\SecCenter\scprot4.exe"
O4 - HKLM\..\Run: [rkhftvpz] "C:\Program Files\Dlglejpn\rkhftvpz.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [isCfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe
O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
O4 - HKCU\..\Run: [noskrnl] C:\WINDOWS\noskrnl.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogon.exe
O4 - HKCU\..\Run: [WinAble] "C:\Program Files\WinAble\winable.exe"
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149475700296
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149714605984
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O21 - SSODL: gbiwWZm - {18BF280B-B215-82A1-6490-EF0655F596D7} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: MS Internet Countermeasures Framework2b (ICF) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\LuComServer_3_4.EXE
O23 - Service: LiveUpdate Notice - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
--
End of file - 9301 bytes
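Reading a log like the one above is mostly pattern matching: a second entry in UserInit, a BHO with no name, a Run entry in a Temp folder, a Winlogon Notify DLL outside System32, a service whose image is an NTFS alternate data stream (`svchost.exe:ext.exe`), and eight-letter gibberish names. The script below is an added example for this thread, not HijackThis code and not a tool the forum recommends; it encodes those checks so they can be run over a pasted log. The sample lines are constructed for the demo, modelled on entries from the posted log, and the "random-looking name" test is a deliberately crude heuristic.

```python
"""Heuristic triage of HijackThis-style log lines.

Added example for this thread, not part of HijackThis or of any tool the
forum recommends.  It encodes the checks a helper applies by eye when
reading a log like the one posted above.  SAMPLE_LOG is constructed for
the demo, modelled on entries from that log.
"""
import re

# A drive-letter path up to a known executable extension, plus an optional
# NTFS alternate-data-stream suffix (svchost.exe:ext.exe).
PATH_RE = re.compile(
    r'[A-Za-z]:\\.*?\.(?:exe|dll|sys|bat|cmd|scr|ocx|com)(?::[^\s"]+)?',
    re.IGNORECASE,
)
ADS_RE = re.compile(r'\.(?:exe|dll|sys):[^\s"]+$', re.IGNORECASE)
SYSTEM_DIRS = ("c:\\windows\\system32", "c:\\windows")
# Core Windows binary names that malware reuses when it drops a file elsewhere.
LOOKALIKE_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "services.exe", "explorer.exe", "userinit.exe"}

SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1443D5E6-F92E-DA36-0BBA-0744992443D0} - C:\Program Files\Qexwmyjw\tuvdreyc.dll
O2 - BHO: Flash Module - {17D8505B-D9FD-465d-9B26-7696BE35D182} - sockver1.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogon.exe
O4 - HKLM\..\Run: [mtedwtcb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mtedwtcb.dll"
O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""


def looks_generated(name):
    """Crude test for the random 8-letter names seen in the log (Qexwmyjw,
    rqdsfslw, mtedwtcb): eight letters with at most one vowel, y counted as
    a consonant.  Weak signal only; it will also hit e.g. schtasks."""
    stem = name.split(".")[0]
    if len(stem) != 8 or not stem.isalpha():
        return False
    return sum(ch in "aeiou" for ch in stem.lower()) <= 1


def check_path(path, section):
    """Reasons a single image path is suspicious in the given HJT section."""
    head, _, base = path.rpartition("\\")
    head, base, low = head.lower(), base.lower(), path.lower()
    reasons = []
    if ADS_RE.search(path):
        reasons.append("image is an NTFS alternate data stream: " + path)
    if "\\temp\\" in low:
        reasons.append("runs from a Temp directory: " + path)
    if base in LOOKALIKE_NAMES and head not in SYSTEM_DIRS:
        reasons.append("Windows binary name outside its system directory: " + path)
    reasons += ["random-looking name: " + c for c in path.split("\\") if looks_generated(c)]
    if section == "O20" and not head.startswith("c:\\windows\\system32"):
        reasons.append("Winlogon Notify DLL outside System32: " + path)
    return reasons


def triage(log_text):
    """Return [{'section', 'line', 'reasons'}] for every line worth a look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = re.match(r"^([A-Z]\d{1,2}) - (.*)$", line)
        if not m:
            continue
        section, rest = m.groups()
        reasons = []
        if section == "F2" and "UserInit=" in rest:
            # Only userinit.exe belongs here; anything else runs at every logon.
            values = [v for v in rest.split("UserInit=", 1)[1].split(",") if v]
            extra = [v for v in values if not v.lower().endswith("\\userinit.exe")]
            if extra:
                reasons.append("UserInit runs extra program(s): " + ", ".join(extra))
        if section == "O2" and "(no name)" in rest:
            reasons.append("BHO registered without a name")
        if "(file missing)" in rest:
            reasons.append("registration points at a file that is gone")
        if section == "O4" and re.search(r"\bregsvr32(?:\.exe)?\s+/u\b", rest, re.I):
            # regsvr32 /u loads the DLL and calls its DllUnregisterServer,
            # so the DLL's own code runs at each logon.
            reasons.append("regsvr32 /u at logon executes the DLL")
        for path in PATH_RE.findall(rest):
            reasons += check_path(path, section)
        if reasons:
            findings.append({"section": section, "line": line, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "|", f["line"])
        for r in f["reasons"]:
            print("    ->", r)
```

Run against the constructed sample it flags seven of the ten lines and leaves the Symantec and NVIDIA entries alone; the heuristics are a triage aid for deciding which entries to fix in HijackThis, not a verdict, and a clean result says nothing about rootkit-hidden entries.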

Comments

  • edited November 2007
    Bump. Please help! :(
  • edited November 2007
    Hi SweepeR and welcome to Icrontic Spyware & Virus Removal
    Please give me some time to look it over and I will get back to you as soon as possible.
  • edited November 2007
    Hi again
    How long have you been running the PC without an anti-virus program or third-party software firewall?

    You aren't running anti-virus software. Please download and install one of them first!

    Use anti-virus software - It is very important that your computer has anti-virus software running. This alone can save you a lot of trouble with malware in the future. Here are some anti-virus products which are free for personal use and widely used:
    AntiVir
    Avast
    BitDefender

    Update your anti-virus software - It is imperative that you update your anti-virus software at least once a week (more often if you wish). If you do not update your anti-virus software, it will not be able to catch any of the new variants that may come out.

    Once you have done this, we can begin with the fix.

    Please download SDFix by AndyManchesta and save it to your desktop.

    Double-click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix).

    Please then reboot your computer into Safe Mode by doing the following:
    • Restart your computer.
    • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
    • Instead of Windows loading as normal, a menu with options should appear.
    • Select the first option, to run Windows in "Safe Mode", then press "Enter".
    • Choose your usual account.
    Once in Safe Mode, please do the following:
    • Open the extracted folder and double-click RunThis.bat to start the script.
    • Type "Y" to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process, then display "Finished", press any key to end the script and load your desktop icons.
    • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).



    Please download the ComboFix by sUBs:

    NOTE: In the event you already have ComboFix, this is a new version that you have to download.
    • Save it to your desktop.
    • Double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
    Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.

    After you have completed the above, please provide:
    Report.txt
    Combofix.txt
  • edited November 2007
    Hey, thanks a lot for trying to help me out here :) Sorry, but I can't check this right now (work). I will be back on my computer within a couple of hours. I haven't had a virus program for many months now. I am running the Kaspersky online scan at the moment, and so far it's maybe not even a few % through and it has found 1 virus so far. Hopefully it's done by the time I'm home from work.

    BTW: does safe mode allow installs? Because I tried Norton 2 days ago and it says the computer has prevented installations under safe mode for your protection and so forth. I do have McAfee, I believe it is, on a CD that did a scan and cleaned out whatever it found. I found, I think, 19 adwares and about 5 trojans, but the issue still exists past that. I will be back within a few hours with an update regarding the steps you just gave me. Thanks a lot :)
  • edited November 2007
    I can't run in normal mode. Normal mode lasts 10 seconds TOPS. I'm not joking either. Once the desktop icons load, the computer goes off into the system error. I just ran the Kaspersky online scan; it found 35 viruses and 120 infected objects, but it doesn't have a quarantine option. How can I fix this? They are all trojans and worms.
  • edited November 2007
    Let it run in normal mode after all that.
  • edited November 2007
    First things first, I want to thank peku like no tomorrow, because as of now my regular mode is up and running, but I am getting a Microsoft Windows error saying "The system has recovered from a serious error", "Send / Don't Send", blah blah, and it keeps coming up when I click Don't Send. Now I got one saying "Services and Controller app has encountered a problem and needs to close", the same error as the Windows one. I'm going to post the 2 logs now.
  • edited November 2007
    This is the ComboFix one; where is the SDFix one? I found the one that goes into the C drive but not the one that goes into the clipboard.

    ComboFix 07-11-02.3 - Owner 2007-11-02 20:36:01.1 - NTFSx86 NETWORK
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.785 [GMT -7:00]
    Running from: C:\Documents and Settings\Owner\Desktop\Virus Issues\ComboFix.exe
    .
    ADS - svchost.exe: deleted 48128 bytes in 2 streams.
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Documents and Settings\All Users.\documents\settings
    C:\Documents and Settings\All Users.\documents\settings\desktop.ini
    C:\Documents and Settings\Owner\Local Settings\Application Data.\n.ini
    C:\Documents and Settings\Owner\Local Settings\Application Data\n.ini
    C:\Program Files\SecCenter
    C:\Program Files\SecCenter\scprot4.exe
    C:\Program Files\Temporary
    C:\Program Files\WinAble
    C:\WINDOWS\spoolzv.exe
    C:\WINDOWS\system32\0575454641.dll
    C:\WINDOWS\system32\drivers\asc3550p.sys
    C:\WINDOWS\system32\drivers\ip6fw.sys
    C:\WINDOWS\system32\drivers\runtime2.sys
    C:\WINDOWS\system32\ehgvjcfi
    C:\WINDOWS\system32\ehgvjcfi\bg1.gif
    C:\WINDOWS\system32\ehgvjcfi\bgtop.gif
    C:\WINDOWS\system32\ehgvjcfi\bottom1.gif
    C:\WINDOWS\system32\ehgvjcfi\ehgvjcfi1.exe
    C:\WINDOWS\system32\ehgvjcfi\ehgvjcfi2.exe
    C:\WINDOWS\system32\ehgvjcfi\ehgvjcfi3.exe
    C:\WINDOWS\system32\ehgvjcfi\essentials.gif
    C:\WINDOWS\system32\ehgvjcfi\icon1.ico
    C:\WINDOWS\system32\ehgvjcfi\install1.gif
    C:\WINDOWS\system32\ehgvjcfi\left1.gif
    C:\WINDOWS\system32\ehgvjcfi\li.gif
    C:\WINDOWS\system32\ehgvjcfi\logo.gif
    C:\WINDOWS\system32\ehgvjcfi\main.htm
    C:\WINDOWS\system32\ehgvjcfi\mainframe.htm
    C:\WINDOWS\system32\ehgvjcfi\reinstall1.gif
    C:\WINDOWS\system32\ehgvjcfi\right1.gif
    C:\WINDOWS\system32\ehgvjcfi\s1.htm
    C:\WINDOWS\system32\ehgvjcfi\s2.htm
    C:\WINDOWS\system32\ehgvjcfi\s3.htm
    C:\WINDOWS\system32\ehgvjcfi\SMTop1.gif
    C:\WINDOWS\system32\ehgvjcfi\SMTop2.gif
    C:\WINDOWS\system32\ehgvjcfi\SMTop3.gif
    C:\WINDOWS\system32\ehgvjcfi\SMTop4.gif
    C:\WINDOWS\system32\ehgvjcfi\soft1_off.gif
    C:\WINDOWS\system32\ehgvjcfi\soft1_off_ext.gif
    C:\WINDOWS\system32\ehgvjcfi\soft1_on.gif
    C:\WINDOWS\system32\ehgvjcfi\soft1_on_ext.gif
    C:\WINDOWS\system32\ehgvjcfi\soft2_off.gif
    C:\WINDOWS\system32\ehgvjcfi\soft2_off_ext.gif
    C:\WINDOWS\system32\ehgvjcfi\soft2_on.gif
    C:\WINDOWS\system32\ehgvjcfi\soft2_on_ext.gif
    C:\WINDOWS\system32\ehgvjcfi\soft3_off.gif
    C:\WINDOWS\system32\ehgvjcfi\soft3_off_ext.gif
    C:\WINDOWS\system32\ehgvjcfi\soft3_on.gif
    C:\WINDOWS\system32\ehgvjcfi\soft3_on_ext.gif
    C:\WINDOWS\system32\ehgvjcfi\softbottom_off.gif
    C:\WINDOWS\system32\ehgvjcfi\softbottom_on.gif
    C:\WINDOWS\system32\ehgvjcfi\softleft_off.gif
    C:\WINDOWS\system32\ehgvjcfi\softleft_on.gif
    C:\WINDOWS\system32\ehgvjcfi\top1.gif
    C:\WINDOWS\system32\ehgvjcfi\top2.gif
    C:\WINDOWS\system32\ehgvjcfi\turnoff1.gif
    C:\WINDOWS\system32\ehgvjcfi\turnon1.gif
    C:\WINDOWS\system32\m1ax1d1213216143v.exe
    C:\WINDOWS\system32\mstaskmgr.exe
    C:\WINDOWS\system32\newmaxxsv234.exe
    C:\WINDOWS\system32\pgd.dll
    C:\WINDOWS\system32\wsnpoem
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    \LEGACY_ASC3550P
    \LEGACY_DRIVER
    \LEGACY_RUNTIME
    \LEGACY_SYSLIBRARY
    \asc3550p
    \Driver
    \runtime
    \SysLibrary

    ((((((((((((((((((((((((( Files Created from 2007-10-03 to 2007-11-03 )))))))))))))))))))))))))))))))
    .
    2007-11-02 20:35 51,200 --a C:\WINDOWS\NirCmd.exe
    2007-11-02 19:34 <DIR> d C:\WINDOWS\ERUNT
    2007-11-02 19:28 <DIR> d C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
    2007-11-02 19:07 <DIR> d C:\Program Files\Avira
    2007-11-02 19:07 <DIR> d C:\Documents and Settings\All Users\Application Data\Avira
    2007-11-02 13:30 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
    2007-11-02 13:30 <DIR> d C:\WINDOWS\LastGood.Tmp
    2007-11-02 13:30 <DIR> d C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-29 13:24 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-29 13:24 <DIR> d C:\KAV
    2007-10-28 18:59 <DIR> d C:\Documents and Settings\NetworkService\Application Data\Webroot
    2007-10-28 18:04 <DIR> d C:\WINDOWS\55A6283C638A4EE0B49151118554BDA2.TMP
    2007-10-28 18:03 <DIR> d C:\Program Files\Windows Sidebar
    2007-10-28 18:02 <DIR> d C:\Documents and Settings\LocalService\Application Data\Webroot
    2007-10-28 18:01 117,248 --a C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-10-28 18:01 15,360 --a C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-10-28 18:01 14,848 --a C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-10-28 18:01 13,824 --a C:\WINDOWS\system32\drivers\SSFS041A.sys
    2007-10-28 18:00 <DIR> d C:\Program Files\Webroot
    2007-10-28 18:00 <DIR> d C:\Documents and Settings\Owner\Application Data\Webroot
    2007-10-28 17:59 <DIR> d C:\Documents and Settings\All Users\Application Data\Webroot
    2007-10-28 17:58 <DIR> d C:\Program Files\Norton Internet Security
    2007-10-28 17:55 <DIR> d C:\Program Files\Symantec
    2007-10-28 17:55 123,952 --a C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-10-28 17:55 60,808 --a C:\WINDOWS\system32\S32EVNT1.DLL
    2007-10-28 17:29 <DIR> d C:\Program Files\rqdsfslw
    2007-10-28 17:29 <DIR> d C:\Program Files\Qexwmyjw
    2007-10-28 17:29 <DIR> d C:\Program Files\Dlglejpn
    2007-10-28 17:29 10,240 --a C:\WINDOWS\system32\npdl.exe
    2007-10-28 17:26 8,192 --a C:\WINDOWS\system32\drivers\changer.sys
    2007-10-28 17:26 8,192 --a--c--- C:\WINDOWS\system32\dllcache\changer.sys
    2007-10-24 21:59 <DIR> d C:\Program Files\iPhoneBrowser
    2007-10-23 03:01 <DIR> d C:\Program Files\MSXML 6.0
    2007-10-23 01:41 <DIR> d C:\Program Files\touchFree
    2007-10-22 19:38 <DIR> d C:\Program Files\MSBuild
    2007-10-22 19:33 <DIR> d C:\WINDOWS\system32\XPSViewer
    2007-10-22 19:32 <DIR> d C:\Program Files\Reference Assemblies
    2007-10-22 19:31 14,048 C:\WINDOWS\system32\spmsg2.dll
    2007-10-13 00:10 44,544 --a C:\WINDOWS\system32\msxml4a.dll
    2007-10-13 00:09 <DIR> d C:\Program Files\Common Files\MAGIX Shared
    2007-10-13 00:09 <DIR> d C:\MAGIX
    2007-10-13 00:09 1,089,536 --a C:\WINDOWS\system32\ROBOEX32.DLL
    2007-10-13 00:09 85,504 --a C:\WINDOWS\system32\HtmlWH.dll
    2007-10-13 00:09 49,152 --a C:\WINDOWS\system32\INETWH32.dll
    2007-10-13 00:08 <DIR> d C:\WINDOWS\system32\MAGIX
    2007-10-13 00:08 638,976 --a C:\WINDOWS\system32\mgxoschk.dll
    2007-10-11 00:15 <DIR> d C:\Program Files\iPhoneRingToneMaker
    2007-10-10 23:37 <DIR> d C:\Program Files\Mightsoft
    2007-10-10 23:37 <DIR> d C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-10 22:45 <DIR> d C:\Temp
    2007-10-10 22:45 <DIR> d C:\Documents and Settings\Owner\Application Data\Syntrillium
    2007-10-10 22:43 <DIR> d C:\Program Files\coolpro2
    2007-10-10 08:28 584,192 c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-03 03:42 d w C:\Program Files\Common Files\Symantec Shared
    2007-10-29 00:56 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-10-29 00:56 10,652 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-10-29 00:56 d w C:\Documents and Settings\All Users\Application Data\Symantec
    2007-10-29 00:26 381,952 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2007-10-24 05:22 d w C:\Program Files\AIM6
    2007-10-24 05:22 d w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-10-24 05:19 d w C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2007-10-22 05:45 50,592 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2007-10-11 07:15 d w C:\Documents and Settings\Owner\Application Data\iPhoneRingToneMaker
    2007-10-07 03:42 d w C:\Program Files\iTunes
    2007-10-02 02:31 d w C:\Documents and Settings\Owner\Application Data\Apple Computer
    2007-10-01 23:51 d w C:\Program Files\iPod
    2007-10-01 23:49 d w C:\Program Files\QuickTime
    2007-10-01 23:49 d w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-01 23:48 d w C:\Program Files\Apple Software Update
    2007-10-01 23:47 d w C:\Program Files\Common Files\Apple
    2007-10-01 23:47 d w C:\Documents and Settings\All Users\Application Data\Apple
    2007-09-06 20:28 30,336 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
    .
    C:\WINDOWS\system32\drivers\tcpip.sys ... is infected !! (additional data below)
    359,808 2006-01-13 02:28:14 C:\WINDOWS\$hf_mig$\KB913446\SP2GDR\tcpip.sys
    360,448 2006-01-13 17:07:08 C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys
    359,808 2006-04-20 11:51:50 C:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys
    360,576 2006-04-20 12:18:35 C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys
    340,480 2006-04-20 11:38:44 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
    359,040 2004-08-04 06:14:40 C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys
    332,928 2003-06-09 01:58:32 C:\WINDOWS\$NtUninstallKB913446_0$\tcpip.sys
    359,808 2006-01-13 02:28:14 C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys
    340,480 2006-01-13 01:13:17 C:\WINDOWS\$NtUninstallKB917953_0$\tcpip.sys
    359,040 2004-08-04 06:14:40 C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
    381,952 2007-10-29 00:26:14 C:\WINDOWS\system32\dllcache\tcpip.sys
    381,952 2007-10-29 00:26:18 C:\WINDOWS\system32\drivers\tcpip.sys

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1443D5E6-F92E-DA36-0BBA-0744992443D0}]
    2007-10-28 17:29 106496 --a C:\Program Files\Qexwmyjw\tuvdreyc.dll
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
    2007-10-28 18:01 116088 --a C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 20:00]
    "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 16:38]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
    "POINTER"="point32.exe" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-17 21:48]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-06-29 06:24]
    "rkhftvpz"="C:\Program Files\Dlglejpn\rkhftvpz.exe" [2007-10-28 17:29]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-08-24 22:07]
    "isCfgWiz"="C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" [2007-08-24 02:49]
    "osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-08-24 21:53]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-07-07 17:16]
    "SDFix"="C:\SDFix\SDFix\RunThis.bat /second" []
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 17:14]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
    "Aim6"="" []
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
    backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
    Mixer.exe /startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    C:\Valve\Steam\Steam.exe -silent
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    C:\Program Files\Winamp\winampa.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\E]
    \Shell\AutoRun\command - E:\bootcd\wintools\autorun.exe
    *Newly Created Service* - COMHOST
    *Newly Created Service* - SSMDRV
    .
    **************************************************************************
    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-02 20:42:18
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2007-11-02 20:43:12 - machine was rebooted
    .
    --- E O F ---
  • edited November 2007
    OK, I don't know if this is the right one... it was REPORT under the SDFix folder...


    SDFix: Version 1.113
    Run by Owner on Fri 11/02/2007 at 08:26 PM
    Microsoft Windows XP [Version 5.1.2600]
    Running From: C:\SDFix\SDFix
    Safe Mode:
    Checking Services:
    Name:
    Driver
    runtime
    SysLibrary
    ImagePath:
    \??\C:\WINDOWS\system32\kernelw.sys
    \??\C:\WINDOWS\System32\drivers\runtime.sys
    \??\C:\WINDOWS\system32\DefLib.sys
    Driver - Deleted
    runtime - Deleted
    SysLibrary - Deleted

    Infected tcpip.sys Found!
    tcpip.sys File Locations:
    "C:\WINDOWS\$hf_mig$\KB913446\SP2GDR\tcpip.sys" 359808 01/12/2006 07:28 PM
    "C:\WINDOWS\$hf_mig$\KB913446\SP2QFE\tcpip.sys" 360448 01/13/2006 10:07 AM
    "C:\WINDOWS\$hf_mig$\KB917953\SP2GDR\tcpip.sys" 359808 04/20/2006 04:51 AM
    "C:\WINDOWS\$hf_mig$\KB917953\SP2QFE\tcpip.sys" 360576 04/20/2006 05:18 AM
    "C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys" 340480 04/20/2006 04:38 AM
    "C:\WINDOWS\$NtUninstallKB913446$\tcpip.sys" 359040 08/03/2004 11:14 PM
    "C:\WINDOWS\$NtUninstallKB913446_0$\tcpip.sys" 332928 06/08/2003 06:58 PM
    "C:\WINDOWS\$NtUninstallKB917953$\tcpip.sys" 359808 01/12/2006 07:28 PM
    "C:\WINDOWS\$NtUninstallKB917953_0$\tcpip.sys" 340480 01/12/2006 06:13 PM
    "C:\WINDOWS\ServicePackFiles\i386\tcpip.sys" 359040 08/03/2004 11:14 PM
    "C:\WINDOWS\system32\dllcache\tcpip.sys" 381952 10/28/2007 05:26 PM
    "C:\WINDOWS\system32\drivers\tcpip.sys" 381952 10/28/2007 05:26 PM
    Detected Patched Files Are Listed Below:
    C:\WINDOWS\system32\dllcache\tcpip.sys
    C:\WINDOWS\system32\drivers\tcpip.sys
    Note: SDFix Does Not Repair This File!
    If No Clean Copies Are Found Download The Below Update To Restore Original Files:
    http://www.microsoft.com/technet/security/bulletin/ms06-032.mspx

    Infected ip6fw.sys Found!
    ip6fw.sys File Locations:
    "C:\WINDOWS\ServicePackFiles\i386\ip6fw.sys" 29056 08/03/2004 11:00 PM
    "C:\WINDOWS\system32\drivers\ip6fw.sys" 29056 08/03/2004 11:00 PM
    Infected File Listed Below:
    C:\WINDOWS\system32\drivers\ip6fw.sys
    Trojan File copied to Backups Folder
    Attempting to replace ip6fw.sys with original version...
    Unable To Replace Infected File!

    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Rebooting...

    Normal Mode:
    Checking Files:
    Trojan Files Found:
    C:\RECYCLER\S-1-5-21-343818398-606747145-682003330-1003\Dc3\SDFix\backups\1.dllb - Deleted
    C:\RECYCLER\S-1-5-21-343818398-606747145-682003330-1003\Dc3\SDFix\backups\v4xd6.gam5e - Deleted
    C:\RECYCLER\S-1-5-21-343818398-606747145-682003330-1003\Dc3\SDFix\backups\v5xd2.g3ame - Deleted
    C:\RECYCLER\S-1-5-21-343818398-606747145-682003330-1003\Dc3\SDFix\backups\v5xd4.ga2me - Deleted
    C:\RECYCLER\S-1-5-21-343818398-606747145-682003330-1003\Dc3\SDFix\backups\v6xdt4.game - Deleted

    Removing Temp Files...
    ADS Check:
    C:\WINDOWS
    No streams found.
    C:\WINDOWS\system32
    No streams found.
    C:\WINDOWS\system32\svchost.exe
    No streams found.

    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.


    Final Check:
    catchme 0.3.1253 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-02 20:57:27
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden services & system hive ...
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aic78x5]
    "ErrorControl"=dword:00000000
    "Start"=dword:00000002
    "Group"="SCSI miniport"
    "Tag"=dword:00000055
    "Type"=dword:00000001
    scanning hidden registry entries ...
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\CancelAutoplay\CLSID]
    "\30 A?E?2?A?E?D?8?F?-?5?6?9?5?-?4?a?6?d?-?9?7?0?9?-?1?4?E?5?1?C?D?1?7?B?1?C?'?"=""
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
    "TracesProcessed"=dword:0000023b
    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 1
    hidden files: 0

    Remaining Services:

    Authorized Application Key Export:
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    Remaining Files:
    File Backups: - C:\SDFix\SDFix\backups\backups.zip
    Files with Hidden Attributes:
    Mon 11 Jun 2007 4,348 A.SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
    Wed 10 Oct 2007 24,576 ...H. --- "C:\Documents and Settings\Owner\Desktop\~WRL1272.tmp"
    Tue 30 Jan 2007 5,481,984 ...H. --- "C:\Documents and Settings\Owner\Desktop\~WRL1752.tmp"
    Tue 30 Jan 2007 4,251,648 ...H. --- "C:\Documents and Settings\Owner\Desktop\~WRL1797.tmp"
    Tue 30 Jan 2007 3,236,864 ...H. --- "C:\Documents and Settings\Owner\Desktop\~WRL1865.tmp"
    Thu 8 Feb 2007 2,238,976 ...H. --- "C:\Documents and Settings\Owner\Desktop\~WRL1920.tmp"
    Tue 30 Jan 2007 2,074,624 ...H. --- "C:\Documents and Settings\Owner\Desktop\~WRL2249.tmp"
    Tue 30 Jan 2007 2,245,120 ...H. --- "C:\Documents and Settings\Owner\Desktop\~WRL2552.tmp"
    Thu 8 Feb 2007 1,579,008 ...H. --- "C:\Documents and Settings\Owner\Desktop\~WRL3712.tmp"
    Thu 8 Feb 2007 806,912 ...H. --- "C:\Documents and Settings\Owner\Desktop\~WRL3766.tmp"
    Tue 30 Jan 2007 1,261,568 ...H. --- "C:\Documents and Settings\Owner\Desktop\~WRL3809.tmp"
    Fri 12 Nov 2004 37,376 ...H. --- "C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe"
    Tue 23 Oct 2007 0 A..H. --- "C:\WINDOWS\SoftwareDistribution\Download\573b8bee2d25ffedabde94732ae6dbae\BIT1.tmp"
    Tue 23 Oct 2007 28,160 ...H. --- "C:\Documents and Settings\Owner\Desktop\Edwins Files\School Work\~WRL1552.tmp"
    Finished!
  • edited November 2007
    I am running Avira right now and so far it's found 4 detections and 1 warning at just under 1%. I will update once it is done.

    PS: Sorry I'm posting so many posts, I'm trying to give you as much info as possible to help you out more because I greatly appreciate it.
  • edited November 2007
    I just got an "Integrity threat detected" with a yellow triangle with a "!" in it right by the clock on the bottom right. It says click here to fix it, and last I recall that's how my computer crashed with this issue I have now...
  • edited November 2007
    Anyone there? lol
  • edited November 2007
    Hi SweepeR
    Please do the following...


    You're running a Beta version of HijackThis. Please update it.
    • Download HJTInstall.exe to your Desktop.
    • Doubleclick HJTInstall.exe to install it.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.


    Please disable SpySweeper as it may interfere with the fix.
    • Open SpySweeper
    • Click Options
    • Click program options
    • Uncheck load at windows startup
    • On the left click shields and uncheck all there
    • Uncheck home page shield
    • Uncheck automatically restore default without notification
    • Close SpySweeper
    Once your log is clean you can re-enable those settings in SpySweeper.

    • Click Start
    • Go to Control Panel
    • Go to Add/Remove Programs
    • Find and click Remove for the following (if present):

      Dlglejpn
      Qexwmyjw
      rqdsfslw
      BraveSentry

    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
      O2 - BHO: (no name) - {1443D5E6-F92E-DA36-0BBA-0744992443D0} - C:\Program Files\Qexwmyjw\tuvdreyc.dll
      O2 - BHO: Flash Module - {17D8505B-D9FD-465d-9B26-7696BE35D182} - sockver1.dll (file missing)
      O2 - BHO: CBho Class - {F369DA09-FADE-44CB-987F-E2E0DEF51BCA} - C:\WINDOWS\system32\pgd.dll
      O4 - HKLM\..\Run: [SystemSv12] C:\WINDOWS\system32\newmaxxsv234.exe
      O4 - HKLM\..\Run: [mstaskmgr.exe] C:\WINDOWS\system32\mstaskmgr.exe
      O4 - HKLM\..\Run: [runner1] "C:\WINDOWS\tsitra27.exe" 61A847B5BBF72810358B2B27128065E9C084320161C4661227A755E9C2933154389A
      O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
      O4 - HKLM\..\Run: [rqdsfslw] "rundll32.exe" "C:\Program Files\rqdsfslw\bozwzwve.dll",Init
      O4 - HKLM\..\Run: [mtedwtcb] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\mtedwtcb.dll"
      O4 - HKLM\..\Run: [SC2] "C:\Program Files\SecCenter\scprot4.exe"
      O4 - HKLM\..\Run: [rkhftvpz] "C:\Program Files\Dlglejpn\rkhftvpz.exe"
      O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
      O4 - HKLM\..\Run: [spoolsvv] C:\WINDOWS\system32\spoolsvv.exe
      O4 - HKCU\..\Run: [Service Pack 1] C:\WINDOWS\system32\vedxg6ame4.exe
      O4 - HKCU\..\Run: [Brave-Sentry] C:\Program Files\BraveSentry\BraveSentry.exe
      O4 - HKCU\..\Run: [noskrnl] C:\WINDOWS\noskrnl.exe
      O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogon.exe
      O4 - HKCU\..\Run: [WinAble] "C:\Program Files\WinAble\winable.exe"
      O20 - Winlogon Notify: partnershipreg - C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
      O21 - SSODL: gbiwWZm - {18BF280B-B215-82A1-6490-EF0655F596D7} - (no file)
      O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
      O23 - Service: MS Internet Countermeasures Framework2b (ICF) - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.


    Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.
    @echo off
    rem Stop, then unregister, the two rogue services whose image path is the
    rem alternate data stream C:\WINDOWS\system32\svchost.exe:ext.exe
    sc stop FCI
    sc stop ICF
    sc delete FCI
    sc delete ICF
    exit
    Double click FixServices.bat. A window will open and close. This is normal.


    Open notepad and copy/paste the text in the quotebox below into it:
    File::
    C:\WINDOWS\system32\npdl.exe
    C:\WINDOWS\system32\ntos.exe
    C:\WINDOWS\system32\pgd.dll
    C:\WINDOWS\system32\newmaxxsv234.exe
    C:\WINDOWS\system32\mstaskmgr.exe
    C:\WINDOWS\tsitra27.exe
    C:\Documents and Settings\All Users\Application Data\mtedwtcb.dll
    C:\WINDOWS\system32\vedxg6ame4.exe
    C:\WINDOWS\noskrnl.exe
    C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
    C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogon.exe

    Folder::
    C:\WINDOWS\55A6283C638A4EE0B49151118554BDA2.TMP
    C:\Temp
    C:\Program Files\rqdsfslw
    C:\Program Files\Qexwmyjw
    C:\Program Files\Dlglejpn
    C:\Program Files\BraveSentry

    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1443D5E6-F92E-DA36-0BBA-0744992443D0}]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "rkhftvpz"=-
    
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    (screenshot: CFScript.gif)

    This will start ComboFix again. After reboot, (in case it asks to reboot)



    Download F-Secure Blacklight (fsbl.exe) to the desktop from here.

    Open it and click Accept Agreement.
    Click Scan.
    After the scan is complete, click Next, then Exit.
    It will create a log on the desktop named fsbl-xxxxxxx.log (the xxxxxxx will be the date and time of the scan)
    Save the log to your desktop.



    Download Superantispyware (SAS) free home version

    http://www.superantispyware.com/supe...freevspro.html
    • Install it and double-click the icon on your desktop to run it.
    • It will ask if you want to update the program definitions, click Yes.
    • Under Configuration and Preferences, click the Preferences button.
    • Click the Scanning Control tab.
    • Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
    • On the main screen, under Scan for Harmful Software click Scan your computer.
    • On the left check C:\Fixed Drive.
    • On the right, under Complete Scan, choose Perform Complete Scan.
    • Click Next to start the scan. Please be patient while it scans your computer.
    • After the scan is complete a summary box will appear. Click OK.
    • Make sure everything in the white box has a check next to it, then click Next.
    • It will quarantine what it found and if it asks if you want to reboot, click Yes.
    • To retrieve the removal information for me please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
    • Click close and close again to exit the program.
    • Please paste that information here for me with a new HijackThis log.
    After you have completed the above, please provide:
    Combofix.txt
    fsbl.log
    Superantispyware.log
    new HijackThis log
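    As an added example (not a tool from this thread and not HijackThis code), the Python script below encodes the checks the helper's fix list above applies by hand: a UserInit chain that runs an extra program, registrations whose file is missing, autostarts that run from a temp directory or reuse a core system binary's name outside system32, and the two O23 services whose image path is an alternate data stream of svchost.exe. The sample lines are copied from the logs posted in this thread; the heuristics and the SYSTEM_NAMES list are the editor's assumptions, not HijackThis behaviour.

```python
import re

# Constructed input: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\ntos.exe,
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Flash Module - {17D8505B-D9FD-465d-9B26-7696BE35D182} - sockver1.dll (file missing)
O4 - HKLM\..\Run: [startdrv] C:\WINDOWS\Temp\startdrv.exe
O4 - HKCU\..\Run: [Firewall auto setup] C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogon.exe
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O21 - SSODL: gbiwWZm - {18BF280B-B215-82A1-6490-EF0655F596D7} - (no file)
O23 - Service: FCI - Unknown owner - C:\WINDOWS\system32\svchost.exe:ext.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# A second ':' after the drive colon means the binary lives in an NTFS
# alternate data stream of the named host file (e.g. svchost.exe:ext.exe).
ADS_RE = re.compile(r'^([A-Za-z]:\\[^:]+):([^\\:]+)$')
TEMP_RE = re.compile(r'\\temp\\', re.I)
# Assumed list: core system binaries that legitimately run only from system32.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "lsass.exe", "csrss.exe", "services.exe"}


def split_ads(path):
    """Return (host_file, stream_name) if path names an ADS, else None."""
    m = ADS_RE.match(path.strip().strip('"'))
    return (m.group(1), m.group(2)) if m else None


def triage_line(line):
    """Return the reasons (possibly none) a single HijackThis line deserves attention."""
    reasons = []
    line = line.strip()
    if not line:
        return reasons

    # F2: UserInit must name userinit.exe only; every extra entry runs at each logon.
    if line.startswith("F2 - REG:system.ini: UserInit="):
        entries = [e for e in line.split("=", 1)[1].split(",") if e]
        extra = [e for e in entries if not e.lower().endswith("\\userinit.exe")]
        if extra:
            reasons.append("UserInit chain runs extra program(s): " + ", ".join(extra))

    # Dangling registrations: the hook survived but its payload is gone.
    if line.endswith("(file missing)") or line.endswith("(no file)"):
        reasons.append("registration points at a missing file")

    # Pull the image path: last ' - ' field for O23 services, text after the
    # [name] tag for O4 autostarts; other line types fall through harmlessly
    # because the path regexes below require a leading drive letter.
    if line.startswith("O23"):
        path = line.rsplit(" - ", 1)[-1]
    else:
        path = line.split("] ", 1)[-1]

    ads = split_ads(path)
    if ads:
        reasons.append("binary hidden in ADS '%s' of %s" % (ads[1], ads[0]))

    if line.startswith("O4"):
        if TEMP_RE.search(path):
            reasons.append("autostart from a temp directory")
        name = path.strip('"').rsplit("\\", 1)[-1].lower()
        if name in SYSTEM_NAMES and "\\system32\\" not in path.lower():
            reasons.append("system binary name '%s' outside system32" % name)
    return reasons


def triage(log_text):
    """Run triage_line over a whole log; return [(line, reasons)] for flagged lines only."""
    flagged = []
    for raw in log_text.splitlines():
        reasons = triage_line(raw)
        if reasons:
            flagged.append((raw.strip(), reasons))
    return flagged


if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG):
        print(entry)
        for r in why:
            print("    ->", r)
```

    Note that the FixServices.bat above only removes the service registrations; the stream svchost.exe:ext.exe that split_ads reports still sits inside the host file until it is removed separately, which is why the SDFix report earlier in the thread runs an ADS check on C:\WINDOWS\system32\svchost.exe.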
  • edited November 2007
    Hey, I'm stuck on this so far... I'm doing the SpySweeper step you told me, but I'm stuck on the 4th bullet point, which is the shield part I believe. I can't find those to uncheck and so forth. Also I couldn't find the 4 files to remove you told me to do so.

    1 more question... I have Norton on the computer, it's not in the Add/Remove part to uninstall, it isn't in my Startup, and when I go to manually delete it, it says another program is using it, but I don't know how to get rid of it. What should I do?
  • edited November 2007
    Hi
    Hey, I'm stuck on this so far... I'm doing the SpySweeper step you told me, but I'm stuck on the 4th bullet point, which is the shield part I believe. I can't find those to uncheck and so forth. Also I couldn't find the 4 files to remove you told me to do so..
    nothing to worry about.

    Please do my other steps.



    Download and run the Norton Removal Tool
  • edited November 2007
    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com
    Generated 11/06/2007 at 06:30 PM
    Application Version : 3.9.1008
    Core Rules Database Version : 3339
    Trace Rules Database Version: 1340
    Scan type : Complete Scan
    Total Scan Time : 01:17:50
    Memory items scanned : 382
    Memory threats detected : 0
    Registry items scanned : 7583
    Registry threats detected : 0
    File items scanned : 91040
    File threats detected : 34
    Adware.Tracking Cookie
    C:\Documents and Settings\Owner\Cookies\owner@cgi-bin[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@ehg-dig.hitbox[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@questionmarket[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@tacoda[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@ehg-kasperskylab.hitbox[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@specificclick[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@collective-media[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@atdmt[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@crackserialkeygen[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@msnportal.112.2o7[1].txt
    C:\Documents and Settings\Owner\Cookies\owner@adinterax[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@hitbox[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@adopt.euroclick[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@ad[2].txt
    C:\Documents and Settings\Owner\Cookies\owner@doubleclick[1].txt
    Malware.Ultimate Defender
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EHGVJCFI\EHGVJCFI1.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EHGVJCFI\EHGVJCFI2.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HNUERNNN\HNUERNNN1.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HNUERNNN\HNUERNNN2.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HNUERNNN\HNUERNNN3.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP562\A0157670.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP562\A0157671.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP562\A0157672.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP565\A0159435.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP565\A0159436.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP565\A0159437.EXE
    Unclassified.Unknown Origin
    C:\RANDOM PROGRAMS 2\AHEAD NERO ULTRA EDITION\SERIAL-CRACKS\ORION_KEYGEN.EXE
    G:\RANDOM PROGRAMS\AHEAD NERO ULTRA EDITION\SERIAL-CRACKS\ORION_KEYGEN.EXE
    Trojan.BraveSentry
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP562\A0115494.EXE
    Malware.MalwareStopper
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP562\A0115496.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP562\A0115497.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP562\A0115498.DLL
    Trojan.Downloader-Gen/MobRules
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP562\A0152673.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP562\A0158782.DLL

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 7:47:10 PM, on 11/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\Program Files\SecCenter\scprot4.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\AOL\Loader\aolload.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\system32\wuauclt.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1443D5E6-F92E-DA36-0BBA-0744992443D0} - C:\Program Files\Qexwmyjw\tuvdreyc.dll (file missing)
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [rkhftvpz] "C:\Program Files\Dlglejpn\rkhftvpz.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [isCfgWiz] "C:\Program Files\Common Files\Symantec Shared\OPC\{C86EA115-FACD-4aa8-BFA2-398C677D0936}\SYMCUW.exe" -G:{77CCBE0B-A541-49a9-883E-14F8337EC861} -T:Config -REBOOT
    O4 - HKLM\..\Run: [ifejqrir] "rundll32.exe" "C:\Program Files\ifejqrir\etsnypmp.dll",Init
    O4 - HKLM\..\Run: [SC2] "C:\Program Files\SecCenter\scprot4.exe"
    O4 - HKLM\..\Run: [hkbylexu] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\hkbylexu.dll"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149475700296
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149714605984
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O21 - SSODL: gbiwWZm - {18BF280B-B215-82A1-6490-EF0655F596D7} - (no file)
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    --
    End of file - 9056 bytes

    11/06/07 13:46:37 [Info]: BlackLight Engine 1.0.67 initialized
    11/06/07 13:46:37 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    11/06/07 13:46:37 [Note]: 7019 4
    11/06/07 13:46:37 [Note]: 7005 0
    11/06/07 13:46:43 [Note]: 7006 0
    11/06/07 13:46:43 [Note]: 7011 384
    11/06/07 13:47:49 [Note]: 7026 0
    11/06/07 13:47:50 [Note]: 7026 0
    11/06/07 13:47:57 [Note]: FSRAW library version 1.7.1024
    11/06/07 14:10:25 [Note]: 7007 0

    ComboFix 07-11-02.3 - Owner 2007-11-06 12:55:16.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.583 [GMT -8:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point
    FILE::
    C:\DOCUME~1\Owner\LOCALS~1\Temp\winlogon.exe
    C:\Documents and Settings\All Users\Application Data\mtedwtcb.dll
    C:\Documents and Settings\All Users\Documents\Settings\partnership.dll
    C:\WINDO WS\system32\ntos.exe
    C:\WINDOWS\noskrnl.exe
    C:\WINDOWS\system32\mstaskmgr.exe
    C:\WINDOWS\system32\newmaxxsv234.exe
    C:\WINDOWS\system32\npdl.exe
    C:\WINDOWS\system32\pgd.dll
    C:\WINDOWS\system32\vedxg6ame4.exe
    C:\WINDOWS\tsitra27.exe
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Documents and Settings\Owner\Local Settings\Application Data.\n.ini
    C:\Documents and Settings\Owner\Local Settings\Application Data\n.ini
    C:\Program Files\Dlglejpn
    C:\Program Files\Qexwmyjw
    C:\Program Files\rqdsfslw
    C:\Program Files\rqdsfslw\bozwzwve.dll
    C:\Program Files\SecCenter
    C:\Program Files\SecCenter\scprot4.exe
    C:\Temp
    C:\Temp\debug.txt
    C:\WINDOWS\55A6283C638A4EE0B49151118554BDA2.TMP
    C:\WINDOWS\55A6283C638A4EE0B49151118554BDA2.TMP\WiseCustomCall.B664EDEE_333B_4F9C_A292_543773E07EFC.dll
    C:\WINDOWS\55A6283C638A4EE0B49151118554BDA2.TMP\WiseCustomCall.DC36AC9D_A1D6_443F_974F_88211123A187.dll
    C:\WINDOWS\55A6283C638A4EE0B49151118554BDA2.TMP\WiseCustomCalla.DC36AC9D_A1D6_443F_974F_88211123A187.dll
    C:\WINDOWS\55A6283C638A4EE0B49151118554BDA2.TMP\WiseData.ini
    C:\WINDOWS\system32\hnuernnn
    C:\WINDOWS\system32\hnuernnn\bg1.gif
    C:\WINDOWS\system32\hnuernnn\bgtop.gif
    C:\WINDOWS\system32\hnuernnn\bottom1.gif
    C:\WINDOWS\system32\hnuernnn\essentials.gif
    C:\WINDOWS\system32\hnuernnn\hnuernnn1.exe
    C:\WINDOWS\system32\hnuernnn\hnuernnn2.exe
    C:\WINDOWS\system32\hnuernnn\hnuernnn3.exe
    C:\WINDOWS\system32\hnuernnn\icon1.ico
    C:\WINDOWS\system32\hnuernnn\install1.gif
    C:\WINDOWS\system32\hnuernnn\left1.gif
    C:\WINDOWS\system32\hnuernnn\li.gif
    C:\WINDOWS\system32\hnuernnn\logo.gif
    C:\WINDOWS\system32\hnuernnn\main.htm
    C:\WINDOWS\system32\hnuernnn\mainframe.htm
    C:\WINDOWS\system32\hnuernnn\reinstall1.gif
    C:\WINDOWS\system32\hnuernnn\right1.gif
    C:\WINDOWS\system32\hnuernnn\s1.htm
    C:\WINDOWS\system32\hnuernnn\s2.htm
    C:\WINDOWS\system32\hnuernnn\s3.htm
    C:\WINDOWS\system32\hnuernnn\SMTop1.gif
    C:\WINDOWS\system32\hnuernnn\SMTop2.gif
    C:\WINDOWS\system32\hnuernnn\SMTop3.gif
    C:\WINDOWS\system32\hnuernnn\SMTop4.gif
    C:\WINDOWS\system32\hnuernnn\soft1_off.gif
    C:\WINDOWS\system32\hnuernnn\soft1_off_ext.gif
    C:\WINDOWS\system32\hnuernnn\soft1_on.gif
    C:\WINDOWS\system32\hnuernnn\soft1_on_ext.gif
    C:\WINDOWS\system32\hnuernnn\soft2_off.gif
    C:\WINDOWS\system32\hnuernnn\soft2_off_ext.gif
    C:\WINDOWS\system32\hnuernnn\soft2_on.gif
    C:\WINDOWS\system32\hnuernnn\soft2_on_ext.gif
    C:\WINDOWS\system32\hnuernnn\soft3_off.gif
    C:\WINDOWS\system32\hnuernnn\soft3_off_ext.gif
    C:\WINDOWS\system32\hnuernnn\soft3_on.gif
    C:\WINDOWS\system32\hnuernnn\soft3_on_ext.gif
    C:\WINDOWS\system32\hnuernnn\softbottom_off.gif
    C:\WINDOWS\system32\hnuernnn\softbottom_on.gif
    C:\WINDOWS\system32\hnuernnn\softleft_off.gif
    C:\WINDOWS\system32\hnuernnn\softleft_on.gif
    C:\WINDOWS\system32\hnuernnn\top1.gif
    C:\WINDOWS\system32\hnuernnn\top2.gif
    C:\WINDOWS\system32\hnuernnn\turnoff1.gif
    C:\WINDOWS\system32\hnuernnn\turnon1.gif
    C:\WINDOWS\system32\n.ini
    C:\WINDOWS\system32\n2.ini
    .
    ((((((((((((((((((((((((( Files Created from 2007-10-06 to 2007-11-06 )))))))))))))))))))))))))))))))
    .
    2007-11-05 13:03 <DIR> d C:\Program Files\Trend Micro
    2007-11-03 08:12 82,061 --a C:\WINDOWS\system32\drivers\klick.dat
    2007-11-03 08:12 81,549 --a C:\WINDOWS\system32\drivers\klin.dat
    2007-11-03 08:11 <DIR> d C:\Program Files\Kaspersky Lab
    2007-11-03 08:11 7,065,888 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-11-03 08:11 24,864 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-11-02 20:15 <DIR> d C:\Program Files\Tmpdrtxm
    2007-11-02 20:15 <DIR> d C:\Program Files\Tasihguj
    2007-11-02 20:15 <DIR> d C:\Program Files\ifejqrir
    2007-11-02 19:35 51,200 --a C:\WINDOWS\NirCmd.exe
    2007-11-02 18:34 <DIR> d C:\WINDOWS\ERUNT
    2007-11-02 18:28 <DIR> d C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
    2007-11-02 18:07 <DIR> d C:\Program Files\Avira
    2007-11-02 18:07 <DIR> d C:\Documents and Settings\All Users\Application Data\Avira
    2007-11-02 12:30 <DIR> d C:\WINDOWS\system32\Kaspersky Lab
    2007-11-02 12:30 <DIR> d C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-29 12:24 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-29 12:24 <DIR> d C:\KAV
    2007-10-28 17:59 <DIR> d C:\Documents and Settings\NetworkService\Application Data\Webroot
    2007-10-28 17:03 <DIR> d C:\Program Files\Windows Sidebar
    2007-10-28 17:02 <DIR> d C:\Documents and Settings\LocalService\Application Data\Webroot
    2007-10-28 17:01 117,248 --a C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-10-28 17:01 15,360 --a C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-10-28 17:01 14,848 --a C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-10-28 17:01 13,824 --a C:\WINDOWS\system32\drivers\SSFS041A.sys
    2007-10-28 17:00 <DIR> d C:\Program Files\Webroot
    2007-10-28 17:00 <DIR> d C:\Documents and Settings\Owner\Application Data\Webroot
    2007-10-28 16:59 <DIR> d C:\Documents and Settings\All Users\Application Data\Webroot
    2007-10-28 16:26 8,192 --a C:\WINDOWS\system32\drivers\changer.sys
    2007-10-28 16:26 8,192 --a--c--- C:\WINDOWS\system32\dllcache\changer.sys
    2007-10-24 20:59 <DIR> d C:\Program Files\iPhoneBrowser
    2007-10-23 02:01 <DIR> d C:\Program Files\MSXML 6.0
    2007-10-23 00:41 <DIR> d C:\Program Files\touchFree
    2007-10-22 18:38 <DIR> d C:\Program Files\MSBuild
    2007-10-22 18:33 <DIR> d C:\WINDOWS\system32\XPSViewer
    2007-10-22 18:32 <DIR> d C:\Program Files\Reference Assemblies
    2007-10-22 18:31 14,048 C:\WINDOWS\system32\spmsg2.dll
    2007-10-12 23:10 44,544 --a C:\WINDOWS\system32\msxml4a.dll
    2007-10-12 23:09 <DIR> d C:\Program Files\Common Files\MAGIX Shared
    2007-10-12 23:09 <DIR> d
    C:\MAGIX
    2007-10-12 23:09 1,089,536 --a
    C:\WINDOWS\system32\ROBOEX32.DLL
    2007-10-12 23:09 85,504 --a
    C:\WINDOWS\system32\HtmlWH.dll
    2007-10-12 23:09 49,152 --a
    C:\WINDOWS\system32\INETWH32.dll
    2007-10-12 23:08 <DIR> d
    C:\WINDOWS\system32\MAGIX
    2007-10-12 23:08 638,976 --a
    C:\WINDOWS\system32\mgxoschk.dll
    2007-10-10 23:15 <DIR> d
    C:\Program Files\iPhoneRingToneMaker
    2007-10-10 22:37 <DIR> d
    C:\Program Files\Mightsoft
    2007-10-10 22:37 <DIR> d
    C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-10 21:45 <DIR> d
    C:\Documents and Settings\Owner\Application Data\Syntrillium
    2007-10-10 21:43 <DIR> d
    C:\Program Files\coolpro2
    2007-10-10 07:28 584,192
    c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-06 21:05 98,816 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2007-11-06 21:05 3,380 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-11-06 08:06 d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-03 16:29 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2007-10-29 00:56 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-10-29 00:56 10,652 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-10-24 05:22 d-----w C:\Program Files\AIM6
    2007-10-24 05:22 d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-10-24 05:19 d-----w C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2007-10-22 05:45 50,592 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2007-10-11 07:15 d-----w C:\Documents and Settings\Owner\Application Data\iPhoneRingToneMaker
    2007-10-07 03:42 d-----w C:\Program Files\iTunes
    2007-10-02 02:31 d-----w C:\Documents and Settings\Owner\Application Data\Apple Computer
    2007-10-01 23:51 d-----w C:\Program Files\iPod
    2007-10-01 23:49 d-----w C:\Program Files\QuickTime
    2007-10-01 23:49 d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-01 23:48 d-----w C:\Program Files\Apple Software Update
    2007-10-01 23:47 d-----w C:\Program Files\Common Files\Apple
    2007-10-01 23:47 d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2007-09-06 20:28 30,336 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
    .
    ((((((((((((((((((((((((((((( snapshot@2007-11-02_20.42.44.90 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-10-30 01:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
    + 2007-10-30 02:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
    - 2007-11-03 02:26:13 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2007-11-03 16:20:28 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2007-11-03 02:26:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-11-03 16:20:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-11-03 02:26:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-11-03 16:21:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-04-28 23:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
    + 2007-06-28 00:31:58 186,640 ----a-w C:\WINDOWS\system32\drivers\klif.sys
    + 2007-04-04 21:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
    + 2007-06-28 19:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
    + 2007-06-28 19:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
    - 2007-10-23 02:39:34 66,608 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2007-11-06 12:59:54 66,608 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2007-10-23 02:39:34 428,208 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2007-11-06 12:59:54 428,208 ----a-w C:\WINDOWS\system32\perfh009.dat
    - 2007-07-23 01:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
    + 2007-07-23 02:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
    C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 19:00]
    "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 15:38]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
    "POINTER"="point32.exe" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-17 20:48]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 11:51]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14]
    "Aim6"="" []
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
    backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
    Mixer.exe /startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
    "C:\Program Files\Norton Internet Security\osCheck.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    C:\Valve\Steam\Steam.exe -silent
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    C:\Program Files\Winamp\winampa.exe
    R0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;C:\WINDOWS\system32\Drivers\SSFS041A.SYS
    R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
    R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
    S3 iteio;iteio;\??\C:\WINDOWS\system32\drivers\iteio.sys
    S3 itsernum;itsernum Filter driver;C:\WINDOWS\system32\DRIVERS\itsernum.sys
    S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
    S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;C:\WINDOWS\system32\DRIVERS\wg121nd5.sys
    .
    **************************************************************************
    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-06 13:07:47
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2007-11-06 13:21:42 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-02 19:43
    .
    --- E O F ---


    I'm hoping the ComboFix one I put up is the right one, because there were two, and for the FSBL log, once the process was done, a log never opened up as you said it would, but I found that in my files, so let me know if something went wrong with the process, because the one you gave me was out of date; I re-downloaded the newer version as it told me to.
  • edited November 2007
    Hi SweepeR
    Looks much better.

    Which Spy Sweeper version do you have?

    Open notepad and copy/paste the text in the quotebox below into it:
    Folder::
    C:\Program Files\Tmpdrtxm
    C:\Program Files\Tasihguj
    C:\Program Files\ifejqrir
    
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    [screenshot: CFScript.gif]

    This will start ComboFix again. After the reboot (in case it asks to reboot):


    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:

      o Scan using the following Anti-Virus database:

      + Extended (If available otherwise Standard)

      o Scan Options:

      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button
    • Save the file to your desktop.
    • Copy and paste that information in your next post.
    Note for Internet Explorer 7 users: if at any time you have trouble with the Accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.

    After you have completed the above, please provide:
    Combofix.txt
    Kaspersky Online report
    new HijackThis log
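    The three Folder:: entries above were picked out of the ComboFix "Files Created" listing by eye: three Program Files directories with machine-generated names, all created in the same minute (2007-11-02 20:15) and unrelated to anything the user installed. The script below is an added example for this thread, not ComboFix code and not the poster's log, that automates that triage. It assumes the one-line ComboFix entry layout (date, time, <DIR>, attribute field, path) and runs over a constructed listing modelled on the one posted above.

```python
"""Triage of a ComboFix "Files Created" listing: find directory clusters that
were created in the same minute and carry machine-generated names, then render
them as a CFScript 'Folder::' block.  Added example for this thread; it is not
ComboFix code and not the poster's log.  Assumes the one-line ComboFix layout
'YYYY-MM-DD HH:MM <DIR> d-------- path'."""
import re
from collections import defaultdict

VOWELS = set("aeiouy")
ENTRY = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+<DIR>\s+\S+\s+(.+?)\s*$")

# Constructed listing modelled on the ComboFix log in this thread (not the real log).
SAMPLE_LISTING = r"""
2007-11-05 13:03 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-03 08:12 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-11-02 20:15 <DIR> d-------- C:\Program Files\Tmpdrtxm
2007-11-02 20:15 <DIR> d-------- C:\Program Files\Tasihguj
2007-11-02 20:15 <DIR> d-------- C:\Program Files\ifejqrir
2007-11-02 18:07 <DIR> d-------- C:\Program Files\Avira
2007-11-02 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2007-11-02 12:30 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-10-28 17:00 <DIR> d-------- C:\Program Files\Webroot
2007-10-10 22:37 <DIR> d-------- C:\Program Files\Mightsoft
2007-10-10 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
"""


def looks_random(name: str) -> bool:
    """Heuristic for dropper-style folder names: purely alphabetic, 6+ chars,
    and either almost vowel-free, containing a run of 4+ consonants, or a 'q'
    not followed by 'u'.  Triage aid only: real vendor names can trip it."""
    if not name.isalpha() or len(name) < 6:
        return False
    low = name.lower()
    vowel_ratio = sum(c in VOWELS for c in low) / len(low)
    return (vowel_ratio <= 0.25
            or re.search(r"[^aeiouy]{4,}", low) is not None
            or re.search(r"q(?!u)", low) is not None)


def parse_dirs(listing: str):
    """Yield (minute, path) for each <DIR> entry; file entries are skipped."""
    for line in listing.splitlines():
        m = ENTRY.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def suspicious_clusters(listing: str):
    """Group directories by creation minute, newest first, and keep every
    cluster in which at least one leaf name looks machine-generated.  The
    whole cluster is kept, not only the odd-looking member: a dropper creates
    its folders together, so a sibling with a plausible name still needs a look."""
    by_minute = defaultdict(list)
    for minute, path in parse_dirs(listing):
        by_minute[minute].append(path)
    flagged = []
    for minute in sorted(by_minute, reverse=True):
        paths = by_minute[minute]
        if any(looks_random(p.rsplit("\\", 1)[-1]) for p in paths):
            flagged.append((minute, paths))
    return flagged


def cfscript(paths) -> str:
    """Render the chosen paths as a ComboFix CFScript 'Folder::' block."""
    return "Folder::\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    for minute, paths in suspicious_clusters(SAMPLE_LISTING):
        print(minute, "->", ", ".join(p.rsplit("\\", 1)[-1] for p in paths))
    print(cfscript(suspicious_clusters(SAMPLE_LISTING)[0][1]))
```

    On the sample this reports the 20:15 cluster, which is exactly the three folders in the helper's Folder:: block (Tasihguj alone would slip past the name check; it is caught only because it was created in the same minute as the other two). It also reports the 2007-10-10 22:37 cluster, because "Mightsoft", a real vendor name, trips the vowel heuristic. That false positive is the reason the script only emits candidates and leaves the CFScript to be assembled by hand: ComboFix deletes whatever is listed under Folder::, so each candidate's contents and publisher should be checked first.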
  • edited November 2007
    It's Webroot Spy Sweeper. I don't see where it says a version on it.

    Here are the logs...

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:04:33 PM, on 11/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\WINDOWS\system32\drivers\KodakCCS.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    C:\WINDOWS\System32\ScsiAccess.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Viewpoint\Common\ViewpointService.exe
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE
    C:\Program Files\Microsoft IntelliType Pro\itype.exe
    C:\Program Files\Microsoft Hardware\Mouse\point32.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
    C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\WgaTray.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
    C:\WINDOWS\System32\wiaacmgr.exe
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O4 - HKLM\..\Run: [EPSON Stylus CX5400] "C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.EXE" /P19 "EPSON Stylus CX5400" /O6 "USB001" /M "Stylus CX5400"
    O4 - HKLM\..\Run: [itype] "C:\Program Files\Microsoft IntelliType Pro\itype.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [POINTER] point32.exe
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
    O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [MSConfig] "C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" /auto
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe"
    O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by134fd.bay134.hotmail.msn.com/resources/MsnPUpld.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.safety.live.com/resource/download/scanner/wlscbase8460.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1149475700296
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1149714605984
    O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
    O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
    O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
    O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: ScsiAccess - Unknown owner - C:\WINDOWS\System32\ScsiAccess.EXE
    O23 - Service: Symantec Core LC - Unknown owner - C:\PROGRA~1\COMMON~1\SYMANT~1\CCPD-LC\symlcsvc.exe
    O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
    O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
    --
    End of file - 8421 bytes

    KASPERSKY ONLINE SCANNER REPORT Thursday, November 08, 2007 12:15:00 AM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 8/11/2007
    Kaspersky Anti-Virus database records: 453781
    Scan Settings
      Scan using the following antivirus database: extended
      Scan Archives: true
      Scan Mail Bases: true
    Scan Target: My Computer
      A:\
      C:\
      D:\
      E:\
      F:\
      G:\
      H:\
    Scan Statistics
      Total number of scanned objects: 187507
      Number of viruses found: 2
      Number of infected objects: 2
      Number of suspicious objects: 0
      Duration of the scan process: 02:43:17
    Infected Object Name | Virus Name | Last Action
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\01ae_AdBlocker_eventcritlog.rpt | Object is locked | skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\01ae_AdBlocker_eventlog.rpt | Object is locked | skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\01b4_PrivacyControl_eventcritlog.rpt | Object is locked | skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\01b4_PrivacyControl_eventlog.rpt | Object is locked | skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\01b6_File_Monitoring_eventcritlog.rpt | Object is locked | skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\01b6_File_Monitoring_eventlog.rpt | Object is locked | skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\01ba_Web_Monitoring_eventlog.rpt | Object is locked | skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx | Object is locked | skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt | Object is locked | skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt | Object is locked | skipped
    C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt | Object is locked | skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat | Object is locked | skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS07A7FF43-0E68-4E4F-9F94-65861855C832.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS09D3030B-A8DA-4E99-BE4B-09530EBF8B92.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0B4719D5-59AB-4E7C-8DDB-DE64E0DF071A.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0EFB254D-BA03-4D57-A980-EF2F6B19C3E3.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS0F874C14-D78C-452A-B4F9-496E9847B7F3.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS11B032A4-E7E0-4BF2-BB42-CDED63A34513.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1366D438-A06B-4F38-9EA2-F879E707C2B1.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS144909CD-3E70-4185-B9C5-A377042D9FBD.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1CFF1F22-AE91-4E68-9C10-592E4A6CAECF.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS1F69B1A2-5A2B-4CC5-A635-4C1A84F234F4.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS217311FB-BD32-4B82-8F7E-31A850E779C2.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2298C502-5C48-4AC1-8C1B-A4EC277C3496.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS273C536D-F83D-47B4-B79C-955A33E23409.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS27F598B9-3EB3-4150-BB0C-BEEA463C1EE7.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2B25B092-973E-4829-91C5-98A4F1A452D2.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2C475743-6F5F-4B00-8E41-BC06C2000D28.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2CAB7C52-5587-4CE2-99D7-18F7AF60A01A.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS2EC807EE-553C-475E-BEB5-BF6DE85692EE.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS31C13E5C-BACB-4BB0-94D1-43FD4A8B181F.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS3340DF7A-B80B-418D-A40B-C3A84354597B.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS335D4311-C563-462A-9B62-7645A42750EF.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS33ECFAFC-4FBD-4EA2-A1B7-73D376020DB1.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS363C76AC-E448-4476-870C-F04521A2D22F.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS43DD9869-D5A5-48CB-B3F7-8ACE4A71F0AC.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS462220D1-0078-4451-95D8-8C41A75BCD37.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS47A18914-6355-4855-871F-8B8717C3A7C1.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS48547CE3-9AC3-4BA0-81EA-37BE6C374C7C.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4A7762D2-AE9A-4547-98E1-701F78D164E8.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4C809A9F-2212-45D6-AF31-C0B2C961C2FF.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS4FD0708E-F549-474A-B91A-446BA46A13F8.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS506656F1-1554-4825-83C6-56CCBA9F5C07.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS50CBE10F-EFCB-4DDE-9F15-B021D57D538E.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5A16D276-74F7-4F9D-8E8C-33A4C7ADCF05.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5C57C5D5-BDF8-494E-BD33-4A09DB3FAF63.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS5EDAF6D3-7914-486B-962E-43C03B2E0DBB.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS64B78CB9-F5F5-4307-AEED-61BEF481A470.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS65035EA7-6FEF-4CE5-ACF8-2F4453391122.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6AB16BBB-0AF2-4219-8F28-FF2FDEF73686.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS6C3E0018-939D-4986-A76A-27B7DBCFB575.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS74C61EBF-B0E4-4AC7-9765-7C1201420DF4.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS76935E4C-9C13-401D-BB54-7F1E5F452353.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS77F33FF2-EE14-4D33-A73B-E543F95B6E71.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7C0666C2-FCD7-4468-AD3F-2325BE356953.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7C9E1908-907B-4E08-8F40-02F15FFDDBDE.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7D0BC600-6F16-491E-A301-3BE4F9BE2036.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS7ECB3F87-A9D5-4F2F-A0C6-88C1DBC48D3C.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS83B56017-1B12-4C94-A23D-EF2CD1165204.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS8579897F-40A3-4F12-9198-9C29693A3818.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS85B81716-A5C6-4603-B803-D2FA83BBB126.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS85C98062-8844-4BAC-9348-F7895A5388D4.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS89E84E78-3429-44C2-9CB5-89D36BDA34F1.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS89F66696-B40B-4BD5-A7A1-E3D3F896B60B.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9577517A-4AC5-4923-BD86-CE07DACAFE4F.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS983B765C-E961-400B-B23E-0BDCF493A7DB.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS993060A2-C572-4A35-89C0-092BF0B2581E.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9938E591-2490-4611-9BEF-4333EE7908A6.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9D801A9D-2BD7-4560-96A8-DC7D10A5D5EE.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9E3AF9BA-E7DA-47E3-9C8F-0EF61ABBC52C.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCS9FBC8873-7397-41A0-9968-D3C0101947D3.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA165C1A0-7105-4F46-8CD3-6EC26482BF8C.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA24C975E-C970-4ADB-B428-EEF391047C48.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA35CE1BC-1C69-4E54-921A-5991CB9D2546.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA6D25E9D-950D-47A9-9AFD-10EF4EFE3384.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSA88C2851-E068-417A-8EF9-138749EE4DD4.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSAF4D7134-5EF0-4414-AAAE-EB47DC9379D0.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB048A2B4-F054-48A8-A827-A0B2E5CF7C64.tmp | Object is locked | skipped
    C:\Documents and Settings\LocalService\Application Data\Webroot\Spy
Sweeper\Temp\SSCSB096AE08-60B3-41A8-8289-4AD092F14FDC.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB500AB21-3697-4227-A1E0-952F225F46D3.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSB8FFCEA7-4206-46C1-A75F-FE92DC764358.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSBD11FC40-45C9-4015-ACB1-32BA1FCF083B.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC10674D4-5A95-4634-AFCD-00538916FEB9.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC20DDB5A-2424-4EFD-BB06-36F429394585.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC2F56B97-0BC3-45BB-A6A7-30994BC3F6F7.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSC87B7368-2A43-4303-9A8B-4F52ADF83591.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCA01BDFC-B950-40AD-8089-A7C7957587AA.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCAA969BC-A602-4B46-97E9-007509794F57.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSCB26F568-029F-4CCF-A13A-6723AED9990E.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD011ACE1-90D5-435D-92AD-F8F14F69D671.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD06D1EE2-46CD-41EC-80AA-1358AC4E45C9.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy 
Sweeper\Temp\SSCSD196EE23-4D83-4DF7-8BDD-702400009793.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD1A59E25-4C68-46E8-BA5E-59FC1ECC77C7.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD42B1D7F-8056-4303-90E4-CD414A49FC28.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD493107B-584A-48E0-AB2E-CF8B501B0367.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD6C4ACB7-85AC-4424-A945-8EDF44795C5C.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD6D5DE4D-86D5-4D86-A728-999771B0604F.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD81BE03D-31E1-46C6-8972-B02981AF153C.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSD86D5973-9C01-43BE-B24A-F881AAF3AA5A.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDA26CDA2-9601-4BD1-B618-BED4E0209911.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDD9B0386-535D-4ABC-8B86-25847AA78D94.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDDD6A55E-137A-4B19-8D17-7E26DD332A33.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSDEC79806-425C-44BF-8C48-9C583BFDA1EE.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE1529F86-A4DF-44D3-B776-DCB74719808D.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy 
Sweeper\Temp\SSCSE16A50E7-0F0A-4D24-AA44-629A7FD4286D.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE1B5EB47-D218-4B42-B231-FB388A533010.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE766C5CE-ADAA-4F4D-9734-B8FC4AABAE40.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSE9EA41B5-7FC8-4130-BF83-9B9CA1EE52E8.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEB3579E4-FE1D-43BD-83A8-B4A415B9C432.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEBF1CE92-1744-4079-9AA5-35FBC8FDC684.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEC0085A2-2450-43B6-90EE-0A37D0AA5E6D.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSEC075F09-E992-41A0-8C5D-4DC08E03AF70.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSECC53754-B0C2-4F38-86B4-E0427B3F7817.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSF5D3C93E-BD82-4EF5-AD8B-F5A36F6DC2D3.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFB062561-8BC0-4DA7-9233-4544E47BAC6D.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFB098B6F-73A9-4DDE-8F27-02E86ABBA4B5.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFD3D5BDC-4D4D-457F-84AA-BA8AF3FA9C9D.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy 
Sweeper\Temp\SSCSFD7A5FFB-B93B-41C7-B4F1-5A421F32003F.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFDBE2F75-8937-4EBB-971B-AE03DDEE24B0.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFF396CD1-B522-4784-82FC-8573591B9AC8.tmp Object is locked skipped C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Temp\SSCSFFB78F58-14A3-474E-B575-863A5127E884.tmp Object is locked skipped C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped C:\Documents and Settings\Owner\Application Data\Roxio\MediaManager9\Album.ldb Object is locked skipped C:\Documents and Settings\Owner\Application Data\Roxio\MediaManager9\Album.psod Object is locked skipped C:\Documents and Settings\Owner\Application 
Data\SUPERAntiSpyware.com\SUPERAntiSpyware\SUPERANTISPYWARE.LOG Object is locked skipped C:\Documents and Settings\Owner\Application Data\Webroot\Spy Sweeper\Logs\071103115002.ses Object is locked skipped C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{DCD2C82B-F6E4-4673-AA21-B342DF23FA41}\Microsoft\Outlook Express\Folders.dbx Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Identities\{DCD2C82B-F6E4-4673-AA21-B342DF23FA41}\Microsoft\Outlook Express\Offline.dbx Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007110720071108\index.dat Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\5VH75MNX\UserStatusChange[4].html Object is locked skipped C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped C:\Documents and Settings\Owner\ntuser.dat Object is locked skipped C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.mst Object is locked skipped C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped C:\System Volume 
Information\MountPointManagerRemoteDatabase Object is locked skipped C:\System Volume Information\_restore{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP562\A0157666.exe:exe.exe:$DATA Infected: Trojan.Win32.Obfuscated.ka skipped C:\System Volume Information\_restore{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP562\A0157666.exe:ext.exe:$DATA Infected: Trojan.Win32.Obfuscated.jv skipped C:\System Volume Information\_restore{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP570\change.log Object is locked skipped C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped C:\WINDOWS\SchedLgU.Txt Object is locked skipped C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped C:\WINDOWS\Sti_Trace.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\edbtmp.log Object is locked skipped C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\default Object is locked skipped C:\WINDOWS\system32\config\default.LOG Object is locked skipped C:\WINDOWS\system32\config\SAM Object is locked skipped C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\SECURITY Object is locked skipped C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped C:\WINDOWS\system32\config\software Object is locked skipped C:\WINDOWS\system32\config\software.LOG Object is locked skipped C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped C:\WINDOWS\system32\config\system Object is locked skipped C:\WINDOWS\system32\config\system.LOG Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped 
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped C:\WINDOWS\TEMP\JET1435.tmp Object is locked skipped C:\WINDOWS\TEMP\~ROMFN_000009A0 Object is locked skipped C:\WINDOWS\wiadebug.log Object is locked skipped C:\WINDOWS\wiaservc.log Object is locked skipped C:\WINDOWS\WindowsUpdate.log Object is locked skipped D:\System Volume Information\_restore{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP570\change.log Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\08c089760e1fbacd8aaaebf2baa75fd7_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\0d14758456fe8c0d1b4cc44439c08089_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1997de36275cbfdfbeaffedc24612f52_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\2432f4f47bd6578d1c5658cfa7630ba5_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\37ebbec6933386b92ed34c1c8ee08646_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3c87cfb02c23fe72fd8483060984f9d7_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped 
G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\406841e09c62b0580da0d390698d2082_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4329cec59818cee133eb03cbb1b7c0cc_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\43ef07eb6ff40575afb0c483f1160b17_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\46eb954415ea71600c49f4470eea07ce_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4748038f73d1c450e83631857f5c3f4f_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\65edd36b73a7034a539462fe89c957ad_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\6cc44dbbc236519fdf8e8e4b0d03fe30_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\80ece702f1340009efd190393b13702b_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\843b9b7faef49b30339fdf903e5e8560_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\97545a4377315db7eec3957d16c7af69_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\abd701fab6ddcf9669f14554a312b27e_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped 
G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\b69f9f0a6fb8e652d516a7f9882a1047_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bcb13bad3b9744baf3eac33884eace49_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bf1530eccd77cc8dd123939319421040_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c345e98306afbb008e2882f57013eed9_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ce3d30d8e41b3c2d46e0236574f097fa_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\d0cd5c061baca6618a96ee400ae403c9_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\dac8410a88ab39f215372ee5bad1940f_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\f06f6a63a9384fb34d24799dcc12d5b6_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\fadde581360e04aeb0402d6268fad3b7_8a5f5487-30d1-4f0d-9448-f1d7a6d9b7e9 Object is locked skipped G:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped G:\System Volume Information\_restore{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP570\change.log Object is locked skipped G:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is 
locked skipped G:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped G:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped G:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\catsrv.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\catsrvut.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\clbcatex.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\clbcatq.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\colbact.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\comadmin.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\comrepl.exe Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\comsvcs.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\comuid.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\es.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\migregdb.exe Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\msdtcprx.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\msdtctm.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\msdtcuiu.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\mtxclu.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\mtxoci.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\ole32.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\rpcrt4.dll.000 Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\rpcss.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB828741$\txflog.dll Object is locked skipped 
G:\WINDOWS\$NtUninstallKB835732$\callcont.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\gdi32.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\h323.tsp Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\h323msp.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\ipnathlp.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\lsasrv.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\mf3216.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\msasn1.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\msgina.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\mst120.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\netapi32.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\nmcom.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\rtcdll.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\schannel.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB835732$\xpsp2res.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\dao360.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\expsrv.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\msexch40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\msexcl40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\msjet40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\msjetol1.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\msjetoledb40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\msjint40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\msjter40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\msjtes40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\msltus40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\mspbde40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\msrd2x40.dll Object is locked skipped 
G:\WINDOWS\$NtUninstallKB837001$\msrd3x40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\msrepl40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\mstext40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\mswdat10.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\mswstr10.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\msxbde40.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB837001$\vbajet32.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB839645$\fldrclnr.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB839645$\shell32.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB839645$\shlwapi.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB839645$\sxs.dll Object is locked skipped G:\WINDOWS\$NtUninstallKB839645$\xpsp2res.dll Object is locked skipped G:\WINDOWS\$NtUninstallQ329115$\reg00003 Object is locked skipped G:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped G:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped H:\System Volume Information\_restore{D0733638-6E62-40D9-9DED-B8F1CBCC5BA6}\RP570\change.log Object is locked skipped Scan process completed.
  • edited November 2007
    ComboFix 07-11-02.3 - Owner 2007-11-07 19:33:34.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.409 [GMT -8:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
    * Created a new restore point
    .
    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    C:\Program Files\ifejqrir
    C:\Program Files\Tasihguj
    C:\Program Files\Tmpdrtxm
    .
    ((((((((((((((((((((((((( Files Created from 2007-10-08 to 2007-11-08 )))))))))))))))))))))))))))))))
    .
    2007-11-06 22:29 <DIR> d-------- C:\Program Files\iTunes
    2007-11-06 22:29 <DIR> d-------- C:\Program Files\iPod
    2007-11-06 22:26 <DIR> d-------- C:\Program Files\QuickTime
    2007-11-06 17:09 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-11-06 17:09 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
    2007-11-06 17:09 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-11-05 13:03 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-03 08:12 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2007-11-03 08:12 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2007-11-03 08:11 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2007-11-03 08:11 7,657,248 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2007-11-03 08:11 47,648 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2007-11-02 19:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-11-02 18:34 <DIR> d-------- C:\WINDOWS\ERUNT
    2007-11-02 18:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\AntiVir PersonalEdition Classic
    2007-11-02 18:07 <DIR> d-------- C:\Program Files\Avira
    2007-11-02 18:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
    2007-11-02 12:30 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-02 12:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-29 12:24 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-10-29 12:24 <DIR> d-------- C:\KAV
    2007-10-28 17:59 <DIR> d-------- C:\Documents and Settings\NetworkService\Application Data\Webroot
    2007-10-28 17:03 <DIR> d-------- C:\Program Files\Windows Sidebar
    2007-10-28 17:02 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
    2007-10-28 17:01 117,248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
    2007-10-28 17:01 15,360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
    2007-10-28 17:01 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
    2007-10-28 17:01 13,824 --a------ C:\WINDOWS\system32\drivers\SSFS041A.sys
    2007-10-28 17:00 <DIR> d-------- C:\Program Files\Webroot
    2007-10-28 17:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Webroot
    2007-10-28 16:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Webroot
    2007-10-28 16:26 8,192 --a------ C:\WINDOWS\system32\drivers\changer.sys
    2007-10-28 16:26 8,192 --a--c--- C:\WINDOWS\system32\dllcache\changer.sys
    2007-10-24 20:59 <DIR> d-------- C:\Program Files\iPhoneBrowser
    2007-10-23 02:01 <DIR> d-------- C:\Program Files\MSXML 6.0
    2007-10-23 00:41 <DIR> d-------- C:\Program Files\touchFree
    2007-10-22 18:38 <DIR> d-------- C:\Program Files\MSBuild
    2007-10-22 18:33 <DIR> d-------- C:\WINDOWS\system32\XPSViewer
    2007-10-22 18:32 <DIR> d-------- C:\Program Files\Reference Assemblies
    2007-10-22 18:31 14,048 --------- C:\WINDOWS\system32\spmsg2.dll
    2007-10-12 23:10 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
    2007-10-12 23:09 <DIR> d-------- C:\Program Files\Common Files\MAGIX Shared
    2007-10-12 23:09 <DIR> d-------- C:\MAGIX
    2007-10-12 23:09 1,089,536 --a------ C:\WINDOWS\system32\ROBOEX32.DLL
    2007-10-12 23:09 85,504 --a------ C:\WINDOWS\system32\HtmlWH.dll
    2007-10-12 23:09 49,152 --a------ C:\WINDOWS\system32\INETWH32.dll
    2007-10-12 23:08 <DIR> d-------- C:\WINDOWS\system32\MAGIX
    2007-10-12 23:08 638,976 --a------ C:\WINDOWS\system32\mgxoschk.dll
    2007-10-10 23:15 <DIR> d-------- C:\Program Files\iPhoneRingToneMaker
    2007-10-10 22:37 <DIR> d-------- C:\Program Files\Mightsoft
    2007-10-10 22:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-10 21:45 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\Syntrillium
    2007-10-10 21:43 <DIR> d-------- C:\Program Files\coolpro2
    2007-10-10 07:28 584,192 -----c--- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-07 09:06 3,692 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
    2007-11-07 09:06 103,976 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
    2007-11-06 08:06 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-11-03 16:29 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2007-10-31 22:09 30,464 ----a-w C:\WINDOWS\system32\drivers\usbaapl.sys
    2007-10-29 00:56 806 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.INF
    2007-10-29 00:56 10,652 ----a-w C:\WINDOWS\system32\drivers\SYMEVENT.CAT
    2007-10-29 00:27 14,336 ----a-w C:\WINDOWS\system32\svchost.exe
    2007-10-24 05:22
    d
    w C:\Program Files\AIM6
    2007-10-24 05:22
    d
    w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-10-24 05:19
    d
    w C:\Documents and Settings\All Users\Application Data\AOL Downloads
    2007-10-22 05:45 50,592 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
    2007-10-11 07:15
    d
    w C:\Documents and Settings\Owner\Application Data\iPhoneRingToneMaker
    2007-10-02 02:31
    d
    w C:\Documents and Settings\Owner\Application Data\Apple Computer
    2007-10-01 23:49
    d
    w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2007-10-01 23:48
    d
    w C:\Program Files\Apple Software Update
    2007-10-01 23:47
    d
    w C:\Program Files\Common Files\Apple
    2007-10-01 23:47
    d
    w C:\Documents and Settings\All Users\Application Data\Apple
    2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2001-11-23 03:08 712,704 ----a-r C:\WINDOWS\inf\OTHER\AUDIO3D.DLL
    .
    ((((((((((((((((((((((((((((( snapshot@2007-11-02_20.42.44.90 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-10-30 01:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
    + 2007-10-30 02:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
    + 2007-11-07 05:49:14 10,134 ----a-r C:\WINDOWS\Installer\{AD6F0759-EA94-490B-B40D-C0314D590AE1}\_82D9C6E45CC198D2FA538F.exe
    + 2007-11-07 05:49:14 10,134 ----a-r C:\WINDOWS\Installer\{AD6F0759-EA94-490B-B40D-C0314D590AE1}\_F7FD726E6EFC95AC689DC5.exe
    + 2007-11-07 03:51:44 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
    + 2007-11-07 03:51:44 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2007-11-07 03:51:44 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    + 2007-11-07 06:29:49 102,400 ----a-r C:\WINDOWS\Installer\{E3FEE4E7-4488-4A3F-A6BD-13745936EADB}\iTunesIco.exe
    - 2007-11-03 02:26:13 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2007-11-03 16:20:28 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2007-11-03 02:26:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-11-03 16:20:28 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-11-03 02:26:13 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-11-03 16:21:38 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-04-28 23:51:02 110,360 ----a-w C:\WINDOWS\system32\drivers\kl1.sys
    + 2007-06-28 00:31:58 186,640 ----a-w C:\WINDOWS\system32\drivers\klif.sys
    + 2007-04-04 21:58:26 24,344 ----a-w C:\WINDOWS\system32\drivers\klim5.sys
    + 2007-06-28 19:50:52 22,457 ----a-w C:\WINDOWS\system32\drivers\klop.dat
    + 2007-10-31 22:09:14 30,464 -c--a-w C:\WINDOWS\system32\DRVSTORE\usbaapl_4351B7DAFF62FD33510D77DFAE3CF8CC82517571\usbaapl.sys
    + 2007-06-28 19:51:48 206,088 ----a-w C:\WINDOWS\system32\klogon.dll
    - 2007-10-23 02:39:34 66,608 ----a-w C:\WINDOWS\system32\perfc009.dat
    + 2007-11-07 19:06:26 66,608 ----a-w C:\WINDOWS\system32\perfc009.dat
    - 2007-10-23 02:39:34 428,208 ----a-w C:\WINDOWS\system32\perfh009.dat
    + 2007-11-07 19:06:26 428,208 ----a-w C:\WINDOWS\system32\perfh009.dat
    - 2007-07-23 01:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
    + 2007-07-23 02:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D53EC84-6AAE-4787-AEEE-F4628F01010C}]
    C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 19:00]
    "itype"="C:\Program Files\Microsoft IntelliType Pro\itype.exe" [2005-12-04 15:38]
    "NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
    "POINTER"="point32.exe" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-17 20:48]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 11:51]
    "SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2006-07-07 16:16]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
    "MSConfig"="C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-03 23:56]
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-01-15 16:14]
    "Aim6"="" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    backup=C:\WINDOWS\pss\Adobe Gamma Loader.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
    backup=C:\WINDOWS\pss\Kodak EasyShare software.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^KODAK Software Updater.lnk]
    backup=C:\WINDOWS\pss\KODAK Software Updater.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
    backup=C:\WINDOWS\pss\WinZip Quick Pick.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C-Media Mixer]
    Mixer.exe /startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    nwiz.exe /install
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\osCheck]
    "C:\Program Files\Norton Internet Security\osCheck.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
    "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxWatchTray]
    "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
    C:\Valve\Steam\Steam.exe -silent
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    C:\Program Files\Winamp\winampa.exe
    R0 SSFS041A;Spy Sweeper File System Filer Driver: 041A;C:\WINDOWS\system32\Drivers\SSFS041A.SYS
    R2 nvcap;nVidia WDM Video Capture (universal);C:\WINDOWS\system32\DRIVERS\nvcap.sys
    R2 NVXBAR;nVidia WDM A/V Crossbar;C:\WINDOWS\system32\DRIVERS\NVxbar.sys
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
    S3 iteio;iteio;\??\C:\WINDOWS\system32\drivers\iteio.sys
    S3 itsernum;itsernum Filter 驅動程式;C:\WINDOWS\system32\DRIVERS\itsernum.sys
    S3 USBAAPL;Apple Mobile USB Driver;C:\WINDOWS\system32\Drivers\usbaapl.sys
    S3 wg121;NETGEAR WG121 802.11g Wireless USB2.0 Adapter;C:\WINDOWS\system32\DRIVERS\wg121nd5.sys
    .
    **************************************************************************
    catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-07 19:43:35
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    .
    Completion time: 2007-11-07 19:46:56
    C:\ComboFix2.txt ... 2007-11-06 13:21
    C:\ComboFix3.txt ... 2007-11-02 19:43
    .
    --- E O F ---
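    For anyone reading the "Reg Loading Points" section of a ComboFix log like the one above, the lines worth a second look are the ones whose entry resolves to no file at all (the empty [] after "POINTER" and "Aim6"), whose image is an unqualified name such as RUNDLL32.exe (the real payload is then in the arguments), or whose image runs from a temp directory. The following Python helper is an added example, not code from this thread or from ComboFix. It parses a constructed sample of such lines (most copied from the log above; the "Updater" entry is made up) and flags those cases. It assumes, as an interpretation of the log format, that the bracketed part carries the timestamp of the resolved file, so empty brackets mean no file was found at scan time.

```python
import re

# Constructed sample in the shape of ComboFix's "Reg Loading Points" section.
# Most lines are copied from the log quoted in this thread; the "Updater"
# line is made up to show an autostart entry living in a temp directory.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX5400"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2G1.exe" [2003-05-26 19:00]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"POINTER"="point32.exe" []
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 11:51]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]
"Aim6"="" []
"Updater"="C:\DOCUME~1\Owner\LOCALS~1\Temp\upd.exe" [2007-11-01 20:00]
"""

# A registry key header line: [HKEY_...]
KEY_RE = re.compile(r'^\[(?P<key>HKEY_[^\]]+)\]$')
# A value line: "name"="value" [info]
ENTRY_RE = re.compile(r'^"(?P<name>[^"]*)"="(?P<value>[^"]*)"\s*\[(?P<info>[^\]]*)\]$')


def parse_loading_points(text):
    """Turn "name"="value" [info] lines into dicts, remembering the registry
    key each one sits under. Lines that do not fit the pattern are ignored."""
    entries = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        key_match = KEY_RE.match(line)
        if key_match:
            current_key = key_match.group("key")
            continue
        entry_match = ENTRY_RE.match(line)
        if entry_match and current_key:
            entries.append({
                "key": current_key,
                "name": entry_match.group("name"),
                "value": entry_match.group("value"),
                "info": entry_match.group("info").strip(),
            })
    return entries


def triage(entries):
    """Return (name, reasons) for entries worth a second look. Assumption:
    the bracketed part holds the resolved file's timestamp, so empty
    brackets mean ComboFix found no file for the entry."""
    findings = []
    for e in entries:
        reasons = []
        value = e["value"]
        if e["info"] == "":
            reasons.append("no file resolved at scan time (empty [])")
        if value == "":
            reasons.append("empty command, dangling autostart")
        elif "\\" not in value:
            reasons.append("unqualified image name; real payload may be in the arguments")
        if "\\temp\\" in value.lower():
            reasons.append("image runs from a temp directory")
        if reasons:
            findings.append((e["name"], reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in triage(parse_loading_points(SAMPLE_LOG)):
        print(f"{name}: {'; '.join(reasons)}")
```

    A flag here is a prompt to look, not a verdict: NvCplDaemon is a normal NVIDIA entry, and it is flagged only because a rundll32 launcher tells you nothing until you read which DLL it loads.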
  • edited November 2007
    Hi
    • Run HijackThis
    • Click on the Scan button
    • Put a check beside all of the items listed below (if present):

      O2 - BHO: Symantec Intrusion Prevention - {6D53EC84-6AAE-4787-AEEE-F4628F01010C} - C:\PROGRA~1\COMMON~1\SYMANT~1\IDS\IPSBHO.dll (file missing)
    • Close all open windows and browsers/email, etc...
    • Click on the "Fix Checked" button
    • When completed, close the application.



    Please download Dr.Web CureIt to the desktop:
    • Double-click the drweb-cureit.exe file and allow it to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, Click Options > Change settings
    • Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
    • Back at the main window, mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, look whether you can click the icon next to the files found (the check icon)
    • If so, click it and then click the next icon right below (the move icon) and select Move incurable
    • This will move it to the %userprofile%\DoctorWeb\quarantaine folder if it can't be cured (this is in case we need samples)
    • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot your computer, because files that are in use may be moved/deleted during reboot.
    After you have completed the above, please provide:
    DrWeb.csv
    new HijackThis log
    description of any problems you are having with your PC
  • edited November 2007
    Alright, that program you told me to scan with doesn't work. It goes halfway, then this pop-up from the company comes up saying buy or something, and the scanning just stops once that comes up, even after you close that pop-up.
  • edited November 2007
    Hi
    Logs look good, but let's run one online scan to be sure:

    Place a shortcut to Panda ActiveScan on your desktop.

    Reboot back into Windows and click the Panda ActiveScan shortcut.
    • Once you are on the Panda site click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on Local Disks to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the Panda scan report, along with a new HijackThis Log
  • edited November 2007
    Hey, sorry for the late response. I am in the process of getting this scan done right now, but I will have it up in a few hours as it takes a while. BTW my computer runs VERY slow now, like as if half the memory is gone. It takes forever to load anything.
  • edited November 2007
    Hey, I finished the scan but the browser closed accidentally before I was able to save the log, but it did say 1 infected with 1 disinfection... I don't know if it did disinfect it or not, but I am running the same scan again at the very moment to get a log for you.
  • edited November 2007
    Hey peku, you there?
  • edited November 2007
    Hi SweepeR
    I'm here

    Where are the Panda scan report and the new HijackThis log?
    Please post:
    new HijackThis log
    description of any problems you are having with your PC
  • edited November 2007
    OK, my computer isn't allowing me to post on this board for some ****ing reason, I'm losing my mind here. I am using a laptop at the moment. I even tried it in safe mode and same issue. Once I click COPY or POST it freezes the browser and shuts down.

    I am having major issues with the response/speed of the computer. It takes forever to respond. I mean if I click a simple copy/paste, Winamp, the IE browser, or ANYTHING, it takes at least 30 sec to open up if it doesn't freeze. It's just very, very slow.
  • edited November 2007
    OK, so I don't know if it's the website or the info (the logs) causing this, but I just tried to post it on this different computer as well and it freezes in the same manner. I'm assuming it's the website or the logs. What should I do?
  • edited November 2007
    Hi SweepeR
    Please post the logs as attachments in this thread

    Please download Deckard's System Scanner (DSS) and save it to your Desktop. Note: You must be logged onto an account with administrator privileges.
    • Close all other windows before proceeding.
    • Double-click on dss.exe and follow the prompts.
    • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.
    What DSS will do:
    • create a new System Restore point in Windows XP and Vista.
    • clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    • check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.
    In your next post please include the following reports:
    • dss scan reports main.txt , extra.txt and Panda scan report
  • edited November 2007
    How do I post the 2 previous logs as attachments?