Virus removal help
I don't know what the name of my virus is, but it pops up where my taskbar is, in the place where it shows the time. It's a yellow triangle with a ! in the middle D:. It pops up and says I have a virus and tells me to click on the balloon. I don't click on it; I click on the triangle thing and it disappears, but it comes back after a few seconds. It also pops up some other virus alert stuff. I don't know how to remove it; can anyone help? (Tell me if I described it enough, or tell me if I need to show you my HijackThis log.)
Oh yeah, I forgot: every time I open my internet to my homepage it redirects me to a virus removal website =\
Comments
- Download HJTInstall.exe to your Desktop.
- Double-click HJTInstall.exe to install it.
- By default it will install to C:\Program Files\Trend Micro\HijackThis.
- Click on Install.
- It will create a HijackThis icon on the desktop.
- Once installed, it will launch HijackThis.
- Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
- Copy/Paste the log to your next reply please.
Don't use the Analyse This button; its findings are dangerous if misinterpreted. Don't have HijackThis fix anything yet. Most of what it finds will be harmless or even required.
I did what you said and here's my log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:23:05 PM, on 14/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\WinAble\winable.exe
C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Tmljaw\command.exe
C:\WINDOWS\system32\elkjfirl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\nsbhujkm.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [50da98e0] rundll32.exe "C:\WINDOWS\system32\qaritael.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [WinAble] C:\Program Files\WinAble\winable.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O20 - AppInit_DLLs: hadjajr.ini
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Tmljaw\command.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\elkjfirl.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
--
End of file - 5761 bytes
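One way to do a first pass over an HJT log like the one above programmatically, as an added example that is not part of this thread and not HijackThis's own analysis: it parses the O3/O4/O20/O23 lines and flags entries using heuristics that mirror what a helper looks for here (a populated AppInit_DLLs, services with no publisher, Run entries that go through rundll32.exe or carry a long hex argument, binaries sitting directly in the Windows directory or in a non-standard subdirectory of it, toolbar DLLs dropped into system32). The sample input is a subset of the log lines posted above; the heuristics, the "standard subdirectory" list and the 32-character hex threshold are the editor's own assumptions, and a hit marks a candidate for review, not a verdict.

```python
"""Triage a HijackThis (HJT) log: parse the R/O lines and flag entries that
deserve a second look.  Added example, not code from the thread or from
HijackThis; the heuristics are the editor's own assumptions and yield
candidates for review, not verdicts (the same caveat the helper gives about
the Analyse This button)."""
import re
from dataclasses import dataclass
from typing import List, Optional

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# O23 - Service: Name (short) - Company - Path   (Company may be empty)
SERVICE = re.compile(r"^Service: (?P<name>.+?) -\s*(?P<company>.*?)\s*- (?P<path>[A-Za-z]:\\.*)$")
# O4 - HKLM\..\Run: [ValueName] command line
RUN_KEY = re.compile(r"^(?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O3 - Toolbar: Name - {CLSID} - Path
TOOLBAR = re.compile(r"^Toolbar: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.*)$")
WINDIR_PATH = re.compile(r'[A-Za-z]:\\WINDOWS\\(?P<rest>[^\s"]+)', re.IGNORECASE)
STANDARD_WINDIR_SUBDIRS = {"system32", "system", "ime"}  # assumption: where OS autostart binaries live
LONG_HEX = re.compile(r"\b[0-9A-Fa-f]{32,}\b")  # assumption: 32+ hex chars is "long"


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str]


def _odd_windir_location(text: str) -> Optional[str]:
    """Reason string if a path points at the %WINDIR% root or a non-standard
    %WINDIR% subdirectory; None otherwise (or if no %WINDIR% path is present)."""
    m = WINDIR_PATH.search(text)
    if not m:
        return None
    parts = m.group("rest").split("\\")
    if len(parts) == 1:
        return "binary sits directly in the Windows directory"
    if parts[0].lower() not in STANDARD_WINDIR_SUBDIRS:
        return f"binary sits in non-standard Windows subdirectory '{parts[0]}'"
    return None


def triage_hjt(log_text: str) -> List[Finding]:
    """Return the HJT entries that match at least one review heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue  # header lines, the process list, blank lines
        section, body = m.group("section"), m.group("body")
        reasons = []
        if section == "O20" and body.startswith("AppInit_DLLs:"):
            value = body.split(":", 1)[1].strip()
            if value:  # empty on almost every healthy workstation
                reasons.append("AppInit_DLLs is set (loaded into every process that uses user32.dll)")
                if not value.lower().endswith(".dll"):
                    reasons.append("AppInit_DLLs value lacks a .dll extension")
        elif section == "O23":
            svc = SERVICE.match(body)
            if svc:
                if svc.group("company") in ("", "Unknown owner"):
                    reasons.append("service binary has no publisher")
                loc = _odd_windir_location(svc.group("path"))
                if loc:
                    reasons.append(loc)
        elif section == "O4":
            run = RUN_KEY.match(body)
            if run:
                cmd = run.group("cmd")
                if "rundll32.exe" in cmd.lower():
                    reasons.append("Run entry uses rundll32.exe to load a DLL")
                if LONG_HEX.search(cmd):
                    reasons.append("Run entry passes a long hex string as its argument")
                loc = _odd_windir_location(cmd)
                if loc:
                    reasons.append(loc)
        elif section == "O3":
            tb = TOOLBAR.match(body)
            if tb and re.search(r"\\system32\\", tb.group("path"), re.IGNORECASE):
                reasons.append("toolbar DLL lives in system32 instead of under Program Files")
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


# Sample input: a subset of lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\nsbhujkm.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu572.exe 61A847B5BBF728173599284503996897C881250221C8670836AC4FA7C8833201749139
O4 - HKLM\..\Run: [50da98e0] rundll32.exe "C:\WINDOWS\system32\qaritael.dll",b
O20 - AppInit_DLLs: hadjajr.ini
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\Tmljaw\command.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\elkjfirl.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
"""

if __name__ == "__main__":
    for f in triage_hjt(SAMPLE_LOG):
        print(f"[{f.section}] {f.line}")
        for r in f.reasons:
            print(f"    - {r}")
```

On the sample, the entries the helper's later tools removed (mrofinu572.exe, command.exe, netmon.exe, elkjfirl.exe, nsbhujkm.dll) all surface, while the Norton and Symantec entries do not; the rules are deliberately crude, and a legitimate driver-support service with a blank publisher would be flagged just the same, which is why the output is a review list and not a fix list.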
Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Please post the content of that report in your next reply.
Please download SDFix by AndyManchesta and save it to your desktop.
Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix).
Please then reboot your computer into Safe Mode by doing the following:
- Restart your computer.
- After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
- Instead of Windows loading as normal, a menu with options should appear.
- Select the first option, to run Windows in "Safe Mode", then press "Enter".
- Choose your usual account.
Once in Safe Mode, please do the following: (Report.txt will also be copied to the Clipboard, ready for posting back on the forum.)
Please download ComboFix by sUBs:
NOTE: In the event you already have ComboFix, this is a new version that you have to download.
- Save it to your desktop.
- Double-click combofix.exe and follow the prompts.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.
Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall.
After you have completed the above, please provide:
Report.txt
SmitfraudFix.report
Combofix.txt
new HijackThis log
SmitFraudFix v2.253
Scan done at 15:40:33.21, 15/11/2007
Run from C:\Documents and Settings\Nick\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\Tmljaw\command.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\mrofinu572.exe
C:\Program Files\WinAble\winable.exe
C:\WINDOWS\system32\elkjfirl.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Network Monitor\netmon.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
C:\WINDOWS\Tasks\At?.job FOUND !
C:\WINDOWS\Tasks\At??.job FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
C:\WINDOWS\system32\vtr???.dll FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nick
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Nick\Application Data
C:\Documents and Settings\Nick\Application Data\Install.dat FOUND !
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Nick\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="hadjajr.ini"
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Rustock
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.A2) #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
Description: D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.A2) #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
Description: D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.A2) #2 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{911AD1F8-2BE7-4817-86D2-B667F0C87355}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{610B1665-BD37-4571-9E01-D685CF55FD23}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{911AD1F8-2BE7-4817-86D2-B667F0C87355}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{911AD1F8-2BE7-4817-86D2-B667F0C87355}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Now I'm gonna do the next step, please wait D:
SDFix: Version 1.114
Run by Nick on 15/11/2007 at 03:49 PM
Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\Nick\Desktop\Maple\SDFix
Safe Mode:
Checking Services:
Name:
cmdService
Network Monitor
Path:
C:\WINDOWS\Tmljaw\command.exe
C:\Program Files\Network Monitor\netmon.exe service
cmdService - Deleted
Network Monitor - Deleted
Restoring Windows Registry Values
Restoring Windows Default Hosts File
Rebooting...
Normal Mode:
Checking Files:
Trojan Files Found:
C:\WINDOWS\Tmljaw\asappsrv.dll - Deleted
C:\WINDOWS\Tmljaw\command.exe - Deleted
C:\WINDOWS\Tmljaw\nA53uT.vbs - Deleted
C:\WINDOWS\system32\m2\rarndrll2.exe - Deleted
C:\WINDOWS\system32\o1\wr31drs.exe - Deleted
C:\WINDOWS\system32\v4\caws83122.exe - Deleted
C:\Program Files\WinAble\winable.exe - Deleted
C:\Program Files\Network Monitor\netmon.exe - Deleted
C:\Documents and Settings\Nick\Application Data\Install.dat - Deleted
C:\DOCUME~1\Nick\LOCALS~1\Temp\cmdinst.exe - Deleted
C:\DOCUME~1\Nick\LOCALS~1\Temp\removalfile.bat - Deleted
C:\WINDOWS\b104.exe - Deleted
C:\WINDOWS\b122.exe - Deleted
C:\WINDOWS\b128.exe - Deleted
C:\WINDOWS\b138.exe - Deleted
C:\WINDOWS\b147.exe - Deleted
C:\WINDOWS\mrofinu1000106.exe - Deleted
C:\WINDOWS\mrofinu572.exe - Deleted
C:\WINDOWS\system32\atmtd.dll - Deleted
C:\WINDOWS\system32\atmtd.dll._ - Deleted
C:\WINDOWS\system32\vtr.dll - Deleted
C:\WINDOWS\uninstall_nmon.vbs - Deleted
Folder C:\Program Files\Network Monitor - Removed
Folder C:\Program Files\Temporary - Removed
Folder C:\Program Files\WinAble - Removed
Folder C:\Temp\1cb - Removed
Folder C:\WINDOWS\system32\m2 - Removed
Folder C:\WINDOWS\system32\o1 - Removed
Folder C:\WINDOWS\system32\v4 - Removed
Removing Temp Files...
ADS Check:
C:\WINDOWS
No streams found.
C:\WINDOWS\system32
No streams found.
C:\WINDOWS\system32\svchost.exe
No streams found.
C:\WINDOWS\system32\ntoskrnl.exe
No streams found.
Final Check:
catchme 0.3.1262.1 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 16:08:01
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services & system hive ...
scanning hidden registry entries ...
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{71D1B179-60CC-24A1-F3C4-59F353586380}]
scanning hidden files ...
C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Messenger\m4pl3fr33k@hotmail.com\SharingMetadata\lazydude3@hotmail.com\DFSR\Staging\CS{A1725DA5-7CEE-146E-4793-13F553E2AB58}\01\10-{A1725DA5-7CEE-146E-4793-13F553E2AB58}-v1-{32929220-CE4F-4EFB-80DF-7101E1653E58}-v10-Downloaded.frx:{59828bbb-3f72-4c1b-a420-b51ad66eb5d3}.XPRESS 8 bytes hidden from API
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 1
Remaining Services:
Authorized Application Key Export:
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
"C:\\Program Files\\LegacyGamers\\GunZ Online\\GunZLauncher.exe"="C:\\Program Files\\LegacyGamers\\GunZ Online\\GunZLauncher.exe:*:Disabled:Gunz"
"C:\\Program Files\\Symantec\\LiveUpdate\\LuComServer.EXE"="C:\\Program Files\\Symantec\\LiveUpdate\\LuComServer.EXE:*:Enabled:LiveUpdate Engine COM Module"
"C:\\Program Files\\LegacyGamers International Gaming Community\\LegacyGamers GunZ Online\\Gunz.exe"="C:\\Program Files\\LegacyGamers International Gaming Community\\LegacyGamers GunZ Online\\Gunz.exe:*:Enabled:Gunz"
"C:\\Nexon\\MapleStory\\MapleStory.exe"="C:\\Nexon\\MapleStory\\MapleStory.exe:*:Enabled:MapleStory"
"C:\\Nexon\\MapleStory\\Patcher.exe"="C:\\Nexon\\MapleStory\\Patcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Nexon\\MapleStory\\NewPatcher.exe"="C:\\Nexon\\MapleStory\\NewPatcher.exe:*:Enabled:Patcher MFC ?? ????"
"C:\\Program Files\\LegacyGamers\\LegacyGamers GunZ Online\\Gunz.exe"="C:\\Program Files\\LegacyGamers\\LegacyGamers GunZ Online\\Gunz.exe:*:Enabled:Gunz"
"C:\\Program Files\\LegacyGamers\\LegacyGamers GunZ Online\\LegacyGamers.exe"="C:\\Program Files\\LegacyGamers\\LegacyGamers GunZ Online\\LegacyGamers.exe:*:Disabled:Gunz"
"C:\\Program Files\\GameFlier\\GhostOnline\\game.exe"="C:\\Program Files\\GameFlier\\GhostOnline\\game.exe:*:Enabled:game"
"C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe"="C:\\Documents and Settings\\All Users\\Application Data\\NexonUS\\NGM\\NGM.exe:*:Enabled:Nexon Game Manager"
"C:\\Nexon\\KartRider\\NMService.exe"="C:\\Nexon\\KartRider\\NMService.exe:*:Enabled:Nexon Messenger Core"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\WINDOWS\\system32\\elkjfirl.exe"="C:\\WINDOWS\\system32\\elk"
[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
"C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
Remaining Files:
File Backups: - C:\DOCUME~1\Nick\Desktop\Maple\SDFix\backups\backups.zip
Files with Hidden Attributes:
Mon 5 Nov 2007 286,899 ..SH. --- "C:\WINDOWS\system32\jlkkj.tmp"
Mon 29 Oct 2007 6,470 ..SH. --- "C:\WINDOWS\system32\jlkkj.bak1"
Thu 15 Nov 2007 291,398 ..SH. --- "C:\WINDOWS\system32\jlkkj.bak2"
Thu 15 Nov 2007 20,768 ..SH. --- "C:\WINDOWS\system32\nsbhujkm.dllbox"
Sun 10 Jun 2007 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico1.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico2.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico3.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico4.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico5.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico8.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\ico9.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\icoA.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\icoB.tmp"
Thu 15 Nov 2007 4,286 A..H. --- "C:\Documents and Settings\Nick\Local Settings\Temp\icoC.tmp"
Finished!
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:40, on 2007-11-15
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\nsbhujkm.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [50da98e0] rundll32.exe "C:\WINDOWS\system32\ppsquikg.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O20 - AppInit_DLLs: hadjajr.ini
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
--
End of file - 4717 bytes
Oh, btw, the weird yellow triangle thing is still not gone D:
Please reboot to Safe Mode (tap the F8 key just before Windows starts to load and select the Safe Mode option from the menu).
Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.exe:
- Select Option #2 - Clean by typing 2 and press "Enter" to delete infected files.
- You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
- The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
- The tool may need to restart your computer to finish the cleaning process. If it doesn't, please restart it into Normal Windows.
- A text file will appear onscreen, with results from the cleaning process. Please copy/paste the content of that report into your next reply.
WARNING: Running Option #2 on a non-infected computer will remove your Desktop background.
Please download VundoFix.exe to your desktop.
- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.
- Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Delete combofix.exe from your desktop. Download & save a new copy to your desktop.
Download ComboFix from
Link
Double-click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
After you have completed the above, please provide:
SmitfraudFix.report
C:\vundofix.txt
C:\Combofix.txt
new HijackThis log
SmitFraudFix v2.253
Scan done at 5:13:08.48, 2007-11-16
Run from C:\Documents and Settings\Nick\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode
»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» Killing process
»»»»»»»»»»»»»»»»»»»»»»»» hosts
127.0.0.1 localhost
»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix
S!Ri's WS2Fix: LSP not Found.
»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix
GenericRenosFix by S!Ri
»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files
C:\WINDOWS\Tasks\At?.job Deleted
C:\WINDOWS\Tasks\At??.job Deleted
»»»»»»»»»»»»»»»»»»»»»»»» DNS
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{911AD1F8-2BE7-4817-86D2-B667F0C87355}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{610B1665-BD37-4571-9E01-D685CF55FD23}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{911AD1F8-2BE7-4817-86D2-B667F0C87355}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{911AD1F8-2BE7-4817-86D2-B667F0C87355}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning
Registry Cleaning done.
Now please wait a bit more, I need to do the other steps.
VundoFix V6.6.1
Checking Java version...
Sun Java not detected
Scan started at 05:24:03 2007-11-16
Listing files found while scanning....
C:\windows\system32\gebbcde.dll
C:\WINDOWS\system32\nsbhujkm.dll
Beginning removal...
Attempting to delete C:\windows\system32\gebbcde.dll
C:\windows\system32\gebbcde.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\nsbhujkm.dll
C:\WINDOWS\system32\nsbhujkm.dll Has been deleted!
Performing Repairs to the registry.
Done!
Beginning removal...
Attempting to delete C:\windows\system32\gebbcde.dll
C:\windows\system32\gebbcde.dll Has been deleted!
Performing Repairs to the registry.
Done!
Now just the ComboFix and HJT logs to go.
ComboFix 07-11-08.1 - Nick 2007-11-16 6:08:03.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.241 [GMT -5:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Nick\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ccbeg.bak1
C:\WINDOWS\system32\ccbeg.bak2
C:\WINDOWS\system32\ccbeg.ini
C:\WINDOWS\system32\ccbeg.ini2
C:\WINDOWS\system32\ccbeg.tmp
C:\WINDOWS\system32\gebcc.dll
C:\WINDOWS\system32\hnfqjntk.dllbox
C:\WINDOWS\system32\nsbhujkm.dllbox
.
---- Previous Run
.
C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\Nick\Application Data.\AVSystemCare
C:\Documents and Settings\Nick\Application Data.\AVSystemCare\avtasks.dat
C:\Documents and Settings\Nick\Application Data.\AVSystemCare\Logs\av.log
C:\Documents and Settings\Nick\Application Data.\AVSystemCare\Logs\ga6Support.log
C:\Documents and Settings\Nick\Application Data.\AVSystemCare\PGE.dat
C:\Documents and Settings\Nick\Application Data\APPATC~1
C:\Documents and Settings\Nick\Application Data\SCURIT~1
C:\Documents and Settings\Nick\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Nick\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Nick\Favorites\Online Security Guide.lnk
C:\UGA6P
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\elkjfirl.exe
C:\WINDOWS\system32\jkklj.dll
C:\WINDOWS\system32\jlkkj.bak1
C:\WINDOWS\system32\jlkkj.bak2
C:\WINDOWS\system32\jlkkj.ini
C:\WINDOWS\system32\jlkkj.ini2
C:\WINDOWS\system32\jlkkj.tmp
C:\WINDOWS\system32\joydxlxr.exe
C:\WINDOWS\system32\lmlxjqwl.dll
C:\WINDOWS\system32\nggobphm.exe
C:\WINDOWS\system32\nsbhujkm.dllbox
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\rqkngtob.exe
C:\WINDOWS\system32\siljsuey.exe
C:\WINDOWS\system32\sxaavsmu.exe
C:\WINDOWS\system32\sysdl132.exe
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\LEGACY_DOMAINSERVICE
\DomainService
\LEGACY_DOMAINSERVICE
\DomainService
((((((((((((((((((((((((( Files Created from 2007-10-16 to 2007-11-16 )))))))))))))))))))))))))))))))
.
2007-11-16 05:50 85,056 --a------ C:\WINDOWS\system32\devtyxry.dll
2007-11-16 05:46 81,984 --a------ C:\WINDOWS\system32\fmgnhrmd.dll
2007-11-16 05:42 144,480 --a------ C:\WINDOWS\system32\hnfqjntk.dll
2007-11-16 05:41 144,480 --a------ C:\WINDOWS\system32\vbjyobmb.dll
2007-11-16 05:41 71,232 --a------ C:\WINDOWS\system32\fpqrcbvx.exe
2007-11-16 05:24 <DIR> d-------- C:\VundoFix Backups
2007-11-16 05:22 81,984 --a------ C:\WINDOWS\system32\dujfyjnx.dll
2007-11-16 05:20 71,232 --a------ C:\WINDOWS\system32\tlyltfye.exe
2007-11-16 03:23 81,984 --a------ C:\WINDOWS\system32\wufvkjxs.dll
2007-11-16 03:20 85,056 --a------ C:\WINDOWS\system32\kfgtkndd.dll
2007-11-16 03:14 71,232 --a------ C:\WINDOWS\system32\wilwvlhf.exe
2007-11-15 16:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 16:04 71,232 --a------ C:\WINDOWS\system32\acpbrdmw.exe
2007-11-15 15:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-15 15:40 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-15 15:40 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-15 15:30 16,324 --a------ C:\WINDOWS\system32\instdump.zip
2007-11-15 15:17 71,232 --a------ C:\WINDOWS\system32\gjbxnrti.exe
2007-11-15 04:50 79,936 --a------ C:\WINDOWS\system32\cwbeecpn.dll
2007-11-15 04:44 71,232 --a------ C:\WINDOWS\system32\vfabkhgm.exe
2007-11-14 20:31 184,320 --a------ C:\WINDOWS\system32\aH8QuNgy.dll
2007-11-14 20:13 71,232 --a------ C:\WINDOWS\system32\xtyxqcfj.exe
2007-11-14 17:16 71,232 --a------ C:\WINDOWS\system32\rwakukog.exe
2007-11-14 15:40 85,056 --a------ C:\WINDOWS\system32\eqmlgobv.dll
2007-11-14 15:38 71,232 --a------ C:\WINDOWS\system32\ccqjklym.exe
2007-11-14 15:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-14 15:18 71,232 --a------ C:\WINDOWS\system32\ecnjivgm.exe
2007-11-13 19:56 85,056 --a------ C:\WINDOWS\system32\nlmqmtky.dll
2007-11-13 19:50 71,232 --a------ C:\WINDOWS\system32\wxkxutpj.exe
2007-11-13 18:17 85,056 --a------ C:\WINDOWS\system32\ixtfpjqq.dll
2007-11-13 18:13 71,232 --a------ C:\WINDOWS\system32\mmuoxhph.exe
2007-11-13 15:17 71,232 --a------ C:\WINDOWS\system32\gotlvgdt.exe
2007-11-12 20:15 184,320 --a------ C:\WINDOWS\system32\M16Lc7vs.dll
2007-11-12 20:07 89,664 --a------ C:\WINDOWS\system32\kyxfhbpl.dll
2007-11-12 20:04 71,232 --a------ C:\WINDOWS\system32\bxlvsyjo.exe
2007-11-12 17:06 71,232 --a------ C:\WINDOWS\system32\wboqsqat.exe
2007-11-12 12:41 71,232 --a------ C:\WINDOWS\system32\xhvratle.exe
2007-11-12 12:11 <DIR> d-------- C:\WINDOWS\system32\rMa01yy
2007-11-12 12:10 <DIR> d-------- C:\Temp\abW9
2007-11-12 12:10 35,328 --a------ C:\WINDOWS\system32\mljklji.dll
2007-11-12 12:06 144,480 --a------ C:\WINDOWS\system32\ikdmoaco.dll
2007-11-12 12:00 71,232 --a------ C:\WINDOWS\system32\nrhjvoip.exe
2007-11-12 10:23 71,232 --a------ C:\WINDOWS\system32\etfprvfo.exe
2007-11-12 10:01 71,232 --a------ C:\WINDOWS\system32\pfvsnkaf.exe
2007-11-12 09:35 71,232 --a------ C:\WINDOWS\system32\bndbbhds.exe
2007-11-11 19:10 71,232 --a------ C:\WINDOWS\system32\bchdajyc.exe
2007-11-11 18:03 71,232 --a------ C:\WINDOWS\system32\ihuehoxi.exe
2007-11-11 17:30 88,128 --a------ C:\WINDOWS\system32\rvyrkbxk.dll
2007-11-11 17:25 71,232 --a------ C:\WINDOWS\system32\wiyvrawi.exe
2007-11-11 17:15 71,232 --a------ C:\WINDOWS\system32\kahfonla.exe
2007-11-11 15:16 88,128 --a------ C:\WINDOWS\system32\lbebrimt.dll
2007-11-11 15:14 71,232 --a------ C:\WINDOWS\system32\ntacqham.exe
2007-11-11 14:06 71,232 --a------ C:\WINDOWS\system32\seulsrso.exe
2007-11-11 10:46 71,232 --a------ C:\WINDOWS\system32\mhlfpyix.exe
2007-11-10 17:30 184,320 --a------ C:\WINDOWS\system32\smtPbiTI.dll
2007-11-10 17:20 71,232 --a------ C:\WINDOWS\system32\vhtrwtxd.exe
2007-11-10 14:34 71,232 --a------ C:\WINDOWS\system32\pndwxtmt.exe
2007-11-10 12:40 71,232 --a------ C:\WINDOWS\system32\bqcxefyd.exe
2007-11-10 12:22 71,232 --a------ C:\WINDOWS\system32\yhqdxfgp.exe
2007-11-10 12:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 12:12 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-10 09:31 71,232 --a------ C:\WINDOWS\system32\vqcxvvmg.exe
2007-11-09 15:18 71,232 --a------ C:\WINDOWS\system32\mcbrmyfh.exe
2007-11-08 15:15 71,232 --a------ C:\WINDOWS\system32\ysjtolre.exe
2007-11-07 20:40 35,328 --a------ C:\WINDOWS\system32\cbxwtrr.dll
2007-11-07 20:36 35,328 --a------ C:\WINDOWS\system32\iifdecc.dll
2007-11-07 20:27 71,232 --a------ C:\WINDOWS\system32\ylpgyare.exe
2007-11-07 19:49 71,232 --a------ C:\WINDOWS\system32\swojaywi.exe
2007-11-05 18:27 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-05 18:27 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-05 18:27 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-05 18:27 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-05 17:11 36,352 --a------ C:\WINDOWS\system32\iiiiiii.dll
2007-11-05 17:07 <DIR> d-------- C:\WINDOWS\Tmljaw
2007-11-05 17:07 <DIR> d-------- C:\WINDOWS\system32\Mz02r
2007-11-05 17:07 <DIR> d-------- C:\Temp\mZOr
2007-11-05 17:07 <DIR> d-------- C:\Temp
2007-11-05 17:07 36,352 --a------ C:\WINDOWS\system32\yayvvvt.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 00:38 --------- d-----w C:\Documents and Settings\Nick\Application Data\mIRC
2007-11-15 00:35 --------- d-----w C:\Program Files\mIRC
2007-11-09 20:28 27,200 ----a-w C:\WINDOWS\system32\65f475kH.exe
2007-10-19 12:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-12 20:03 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-12 20:03 --------- d-----w C:\Program Files\Bonjour
2007-10-12 19:43 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-04 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
.
((((((((((((((((((((((((((((( snapshot@2007-11-15_16.36.49.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 21:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-11-15 21:07:10 40,108 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-16 10:46:00 40,108 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-15 21:07:10 311,912 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-16 10:46:01 311,912 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55F7CA4F-0E86-4BF5-8543-980DEE13AE31}]
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85589B5D-D53D-4237-A677-46B82EA275F3}]
2007-11-14 20:31 184320 --a------ C:\WINDOWS\system32\aH8QuNgy.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{869a335d-ecc9-4ad8-8dd5-62d6e76d3037}]
2007-11-16 05:46 81984 --a------ C:\WINDOWS\system32\fmgnhrmd.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-16 05:42 144480 --a------ C:\WINDOWS\system32\hnfqjntk.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\hnfqjntk.dll [2007-11-16 05:42 144480]
[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:32]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 00:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"C-Media Mixer"="Mixer.exe" [2002-06-12 02:23 C:\WINDOWS\mixer.exe]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2004-11-19 08:15]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-10-22 12:42]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [2001-08-16 16:52]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hnfqjntk]
hnfqjntk.dll 2007-11-16 05:42 144480 C:\WINDOWS\system32\hnfqjntk.dll
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\gebcc.dll
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S3 CEDRIVER53;CEDRIVER53;\??\C:\Program Files\Cheat Engine\dbk32.sys
S3 DADriv1;DADriv1;\??\C:\Nexon\MapleStory\Engine\DAK32.sys
S3 DragonZ1;DragonZ1;\??\C:\Documents and Settings\Nick\Desktop\dragonz\DragonZ.sys
S3 dump_wmimmc;dump_wmimmc;\??\C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\C:\Documents and Settings\Nick\Desktop\iLove HackPack\iLove HackPack\MoonLight_Engine_1083.3\IlvMoney1083.sys
S3 krdpdre;krdpdre;\??\C:\DOCUME~1\Nick\LOCALS~1\Temp\krdpdre.sys
S3 XDva031;XDva031;\??\C:\WINDOWS\system32\XDva031.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 13:24:57 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-10-12 21:39:50 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
"2007-11-16 08:30:02 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
"2007-11-16 11:20:42 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 06:20:21
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-16 6:24:21 - machine was rebooted
.
--- E O F ---
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:27:39 AM, on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {55F7CA4F-0E86-4BF5-8543-980DEE13AE31} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\aH8QuNgy.dll
O2 - BHO: {7303d67e-6d26-5dd8-8da4-9cced533a968} - {869a335d-ecc9-4ad8-8dd5-62d6e76d3037} - C:\WINDOWS\system32\fmgnhrmd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\hnfqjntk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hnfqjntk.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O20 - Winlogon Notify: hnfqjntk - C:\WINDOWS\SYSTEM32\hnfqjntk.dll
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
--
End of file - 5489 bytes
and still again the yellow sign didn't get removed D: zomg getting mad
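Reading the "Files Created" section of the ComboFix log above as a timeline rather than a list shows why the balloon keeps coming back: executables of identical size (71,232 bytes for the .exe files; 81,984, 85,056 and 144,480 bytes for the DLLs) keep appearing under system32 with fresh random names, and several were created between 05:41 and 05:50 on 2007-11-16, after the VundoFix run that started at 05:24. Deleting the files a log lists is chasing output, not the component that re-creates them. The script below is an added example, not part of the thread or of ComboFix: it parses a subset of the page's "Files Created" lines (embedded as constructed input in ComboFix's one-line form), groups system32 binaries by exact size, and reports every size that has three or more distinct names, the shortest gap between two drops, and whether a drop happened after the cleanup tool's backup folder was created. The three-file threshold and the use of the "VundoFix Backups" folder as the cleanup-started marker are this example's own assumptions.

```python
"""Spot re-dropping malware in a ComboFix "Files Created" listing.

Added example for this thread; not ComboFix code. Files of identical size
that keep appearing under system32 with new random names are treated as one
dropper family; the 3-file threshold and the use of the VundoFix backup
folder as a "cleanup started" marker are this example's own assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional

# A subset of the "Files Created" lines from the first ComboFix log above,
# in ComboFix's one-line form: date time, size or <DIR>, attributes, path.
COMBOFIX_FILES_CREATED = r"""
2007-11-16 05:50 85,056 --a------ C:\WINDOWS\system32\devtyxry.dll
2007-11-16 05:46 81,984 --a------ C:\WINDOWS\system32\fmgnhrmd.dll
2007-11-16 05:42 144,480 --a------ C:\WINDOWS\system32\hnfqjntk.dll
2007-11-16 05:41 144,480 --a------ C:\WINDOWS\system32\vbjyobmb.dll
2007-11-16 05:41 71,232 --a------ C:\WINDOWS\system32\fpqrcbvx.exe
2007-11-16 05:24 <DIR> d-------- C:\VundoFix Backups
2007-11-16 05:22 81,984 --a------ C:\WINDOWS\system32\dujfyjnx.dll
2007-11-16 05:20 71,232 --a------ C:\WINDOWS\system32\tlyltfye.exe
2007-11-16 03:23 81,984 --a------ C:\WINDOWS\system32\wufvkjxs.dll
2007-11-16 03:20 85,056 --a------ C:\WINDOWS\system32\kfgtkndd.dll
2007-11-16 03:14 71,232 --a------ C:\WINDOWS\system32\wilwvlhf.exe
2007-11-15 16:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 16:04 71,232 --a------ C:\WINDOWS\system32\acpbrdmw.exe
2007-11-15 15:40 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-15 15:17 71,232 --a------ C:\WINDOWS\system32\gjbxnrti.exe
2007-11-15 04:50 79,936 --a------ C:\WINDOWS\system32\cwbeecpn.dll
2007-11-15 04:44 71,232 --a------ C:\WINDOWS\system32\vfabkhgm.exe
2007-11-14 20:31 184,320 --a------ C:\WINDOWS\system32\aH8QuNgy.dll
2007-11-14 20:13 71,232 --a------ C:\WINDOWS\system32\xtyxqcfj.exe
2007-11-10 12:12 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
"""

ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+\S+\s+(.+)$")
SYSTEM32_BINARY_RE = re.compile(r"\\system32\\[^\\]+\.(?:exe|dll)$", re.I)


class Entry(NamedTuple):
    when: datetime
    size: Optional[int]      # None for <DIR> lines
    path: str


class Cluster(NamedTuple):
    size: int
    paths: List[str]         # chronological order
    shortest_gap_min: int    # minutes between the two closest drops
    redropped_after_cleanup: bool


def parse_files_created(text: str) -> List[Entry]:
    entries = []
    for line in text.strip().splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue        # section banners, "." spacer lines, etc.
        size = None if m.group(2) == "<DIR>" else int(m.group(2).replace(",", ""))
        entries.append(Entry(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M"), size, m.group(3).strip()))
    return entries


def dropper_clusters(text: str, min_files: int = 3,
                     cleanup_marker: str = "VundoFix Backups") -> List[Cluster]:
    entries = parse_files_created(text)
    # The cleanup tool's backup folder is created when cleaning starts; any
    # drop after that time means a resident component survived the cleanup.
    cleanup_at = next((e.when for e in entries if e.path.endswith(cleanup_marker)), None)

    by_size: Dict[int, List[Entry]] = defaultdict(list)
    for e in entries:
        if e.size is not None and SYSTEM32_BINARY_RE.search(e.path):
            by_size[e.size].append(e)

    clusters = []
    for size, group in by_size.items():
        if len({e.path.lower() for e in group}) < min_files:
            continue
        group.sort(key=lambda e: e.when)
        gaps = [(b.when - a.when).total_seconds() / 60 for a, b in zip(group, group[1:])]
        clusters.append(Cluster(
            size=size,
            paths=[e.path for e in group],
            shortest_gap_min=int(min(gaps)),
            redropped_after_cleanup=cleanup_at is not None and group[-1].when > cleanup_at,
        ))
    clusters.sort(key=lambda c: len(c.paths), reverse=True)
    return clusters


if __name__ == "__main__":
    for c in dropper_clusters(COMBOFIX_FILES_CREATED):
        print(f"{len(c.paths)} files of {c.size:,} bytes, closest drops {c.shortest_gap_min} min apart,"
              f" re-dropped after cleanup: {c.redropped_after_cleanup}")
        for p in c.paths:
            print("   ", p)
```

On the embedded lines it reports two families: seven 71,232-byte executables (the two closest 21 minutes apart, the last one created 17 minutes after the VundoFix backup folder) and three 81,984-byte DLLs. That recurrence, not any single file name, is what has to be addressed. The Winlogon Notify DLL (hnfqjntk.dll) and the extra LSA "Authentication Packages" entry (gebcc.dll) under Reg Loading Points in the same log are the persistence points it shows; both are loaded at boot by winlogon.exe and lsass.exe respectively, before any user logs in, which is why removing the loose .exe files on their own changes nothing.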
Did you run ComboFix from a user account which has administrator rights?
IMPORTANT You must be logged onto an account with administrator privileges
Run HijackThis
Click on the Scan button
Put a check beside all of the items listed below (if present):
O2 - BHO: (no name) - {55F7CA4F-0E86-4BF5-8543-980DEE13AE31} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\aH8QuNgy.dll
O2 - BHO: {7303d67e-6d26-5dd8-8da4-9cced533a968} - {869a335d-ecc9-4ad8-8dd5-62d6e76d3037} - C:\WINDOWS\system32\fmgnhrmd.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\hnfqjntk.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hnfqjntk.dll
O20 - Winlogon Notify: hnfqjntk - C:\WINDOWS\SYSTEM32\hnfqjntk.dll
Close all open windows and browsers/email, etc...
Click on the "Fix Checked" button
When completed, close the application.
Open notepad and copy/paste the text in the quotebox below into it:
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After reboot, (in case it asks to reboot),
Download F-Secure Blacklight (fsbl.exe) to the desktop from here
Open it and click Accept Agreement.
Click Scan.
After the scan is complete, click Next, then Exit.
It will create a log on the desktop named fsbl-xxxxxxx.log (the xxxxxxx will be the date and time of the scan)
Save the log to your desktop.
So in your next reply, please include the following:
Combofix.txt
fsbl.log
new HijackThis log
Please let me know how your pc is now.
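The list of items to tick above was chosen by hand from the HijackThis log, but the pattern behind the choice is mechanical enough to script. Below is an added example (not part of the thread or of HijackThis) that reads the O2/O3/O20 lines from the log posted earlier, embedded here as its input, and flags an entry when it is an orphan ("(no file)" or an empty path), uses a CLSID as its display name, or loads a DLL with a random-looking name from system32. The randomness heuristic (few vowels, a long consonant run, or digits mixed into mixed-case letters) and the decision to treat every such system32 BHO, toolbar or Winlogon Notify DLL as suspect are this example's assumptions; the output is a triage list to review, not a verdict, and the vendor entries under Program Files (Norton, Windows Live) pass through untouched.

```python
"""Triage O2/O3/O20 entries from a HijackThis log.

Added example for this thread; not HijackThis code. The scoring rules are
this example's own assumptions and produce a list to review, not a verdict.
"""
import re
from typing import List, NamedTuple, Optional, Tuple

# O2/O3/O20 lines copied from the HijackThis log posted earlier in the thread.
HJT_LOG = r"""
O2 - BHO: (no name) - {55F7CA4F-0E86-4BF5-8543-980DEE13AE31} - \
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: WebAssist - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\system32\aH8QuNgy.dll
O2 - BHO: {7303d67e-6d26-5dd8-8da4-9cced533a968} - {869a335d-ecc9-4ad8-8dd5-62d6e76d3037} - C:\WINDOWS\system32\fmgnhrmd.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\hnfqjntk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\hnfqjntk.dll
O20 - Winlogon Notify: hnfqjntk - C:\WINDOWS\SYSTEM32\hnfqjntk.dll
"""

GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.I)
SYSTEM32_RE = re.compile(r"\\system32\\", re.I)
ORPHAN_PATHS = {"", "\\", "(no file)"}   # HijackThis' ways of saying "no file on disk"
VOWELS = set("aeiou")


class Finding(NamedTuple):
    line: str
    reasons: Tuple[str, ...]


def parse_entry(line: str) -> Optional[Tuple[str, str, str]]:
    """Split 'O2 - BHO: name - {CLSID} - path' into (kind, name, path).

    O2/O3 carry a CLSID field between name and path; O20 does not. Any
    other HijackThis section returns None.
    """
    parts = line.split(" - ")
    kind = parts[0]
    if kind not in ("O2", "O3", "O20") or len(parts) < 3:
        return None
    name = parts[1].split(": ", 1)[-1]
    path_parts = parts[3:] if kind in ("O2", "O3") else parts[2:]
    return kind, name, " - ".join(path_parts).strip()


def looks_random(stem: str) -> bool:
    """Cheap test for a generated file name (an assumption, not a signature):
    almost no vowels, a long consonant run, or digits mixed into mixed-case."""
    if not 6 <= len(stem) <= 12:
        return False
    if any(c.isdigit() for c in stem) and stem != stem.lower() and stem != stem.upper():
        return True
    letters = "".join(c for c in stem.lower() if c.isalpha())
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    longest_consonant_run = max(len(run) for run in re.split(r"[aeiou]", letters))
    return vowel_ratio < 0.2 or longest_consonant_run >= 4


def triage(log_text: str) -> List[Finding]:
    findings = []
    for line in log_text.strip().splitlines():
        entry = parse_entry(line)
        if entry is None:
            continue
        kind, name, path = entry
        reasons = []
        if path in ORPHAN_PATHS:
            reasons.append("orphan entry: no file on disk, nothing legitimate to keep")
        if GUID_RE.match(name):
            reasons.append("CLSID used as the display name")
        if SYSTEM32_RE.search(path):
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            if looks_random(stem):
                reasons.append("random-looking file name loaded from system32")
            if name == "(no name)":
                reasons.append("unnamed object loaded from system32")
        if reasons and kind == "O20":
            reasons.append("Winlogon Notify DLL: loaded by winlogon.exe before any user session")
        if reasons:
            findings.append(Finding(line, tuple(reasons)))
    return findings


def fix_checked(log_text: str) -> List[str]:
    """The lines to tick in HijackThis before pressing 'Fix Checked'."""
    return [f.line for f in triage(log_text)]


if __name__ == "__main__":
    for finding in triage(HJT_LOG):
        print(finding.line)
        for reason in finding.reasons:
            print("    ->", reason)
```

Run against the embedded log it prints exactly the seven lines listed above for "Fix Checked", each with the reason it was picked. Anything it flags that you recognise as legitimate should be left alone; the heuristic is there to make the review faster, not to replace it.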
ComboFix 07-11-08.1 - Nick 2007-11-16 21:55:02.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.231 [GMT -5:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\DOCUME~1\Nick\LOCALS~1\Temp \krdpdre.sys
C:\WINDOWS\system32\65f475kH.exe
C:\WINDOWS\system32\acpbrdmw.exe
C:\WINDOWS\system32\aH8QuNgy.dll
C:\WINDOWS\system32\bchdajyc.exe
C:\WINDOWS\system32\bndbbhds.exe
C:\WINDOWS\system32\bqcxefyd.exe
C:\WINDOWS\system32\bxlvsyjo.exe
C:\WINDOWS\system32\cbxwtrr.dll
C:\WINDOWS\system32\ccqjklym.exe
C:\WINDOWS\system32\cwbeecpn.dll
C:\WINDOWS\system32\devtyxry.dll
C:\WINDOWS\system32\dujfyjnx.dll
C:\WINDOWS\system32\ecnjivgm.exe
C:\WINDOWS\system32\eqmlgobv.dll
C:\WINDOWS\system32\etfprvfo.exe
C:\WINDOWS\system32\fmgnhrmd.dll
C:\WINDOWS\system32\fpqrcbvx.exe
C:\WINDOWS\system32\gjbxnrti.exe
C:\WINDOWS\system32\gotlvgdt.exe
C:\WINDOWS\system32\hnfqjntk.dll
C:\WINDOWS\system32\ihuehoxi.exe
C:\WINDOWS\system32\iifdecc.dll
C:\WINDOWS\system32\iiiiiii.dll
C:\WINDOWS\system32\ikdmoaco.dll
C:\WINDOWS\system32\ixtfpjqq.dll
C:\WINDOWS\system32\kahfonla.exe
C:\WINDOWS\system32\kfgtkndd.dll
C:\WINDOWS\system32\kyxfhbpl.dll
C:\WINDOWS\system32\lbebrimt.dll
C:\WINDOWS\system32\M16Lc7vs.dll
C:\WINDOWS\system32\mcbrmyfh.exe
C:\WINDOWS\system32\mhlfpyix.exe
C:\WINDOWS\system32\mljklji.dll
C:\WINDOWS\system32\mmuoxhph.exe
C:\WINDOWS\system32\nlmqmtky.dll
C:\WINDOWS\system32\nrhjvoip.exe
C:\WINDOWS\system32\ntacqham.exe
C:\WINDOWS\system32\pfvsnkaf.exe
C:\WINDOWS\system32\pndwxtmt.exe
C:\WINDOWS\system32\rvyrkbxk.dll
C:\WINDOWS\system32\rwakukog.exe
C:\WINDOWS\system32\seulsrso.exe
C:\WINDOWS\system32\smtPbiTI.dll
C:\WINDOWS\system32\swojaywi.exe
C:\WINDOWS\system32\tlyltfye.exe
C:\WINDOWS\system32\vbjyobmb.dll
C:\WINDOWS\system32\VCCLSID.exe
C:\WINDOWS\system32\vfabkhgm.exe
C:\WINDOWS\system32\vhtrwtxd.exe
C:\WINDOWS\system32\vqcxvvmg.exe
C:\WINDOWS\system32\wboqsqat.exe
C:\WINDOWS\system32\wilwvlhf.exe
C:\WINDOWS\system32\wiyvrawi.exe
C:\WINDOWS\system32\wufvkjxs.dll
C:\WINDOWS\system32\wxkxutpj.exe
C:\WINDOWS\system32\xhvratle.exe
C:\WINDOWS\system32\xtyxqcfj.exe
C:\WINDOWS\system32\yayvvvt.dll
C:\WINDOWS\system32\yhqdxfgp.exe
C:\WINDOWS\system32\ylpgyare.exe
C:\WINDOWS\system32\ysjtolre.exe
.
Unable to gain System Privileges
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\NetworkService\Application Data\NetMon
C:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
C:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
C:\Documents and Settings\Nick\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Nick\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Nick\Favorites\Online Security Guide.lnk
C:\Program Files\ttx.exe
C:\Temp
C:\Temp\abW9\tOasF.log
C:\Temp\abW9\tPho.log
C:\Temp\mZOr\tOasF.log
C:\WINDOWS\system32\65f475kH.exe
C:\WINDOWS\system32\acpbrdmw.exe
C:\WINDOWS\system32\aH8QuNgy.dll
C:\WINDOWS\system32\bchdajyc.exe
C:\WINDOWS\system32\bndbbhds.exe
C:\WINDOWS\system32\bqcxefyd.exe
C:\WINDOWS\system32\bxlvsyjo.exe
C:\WINDOWS\system32\cbxwtrr.dll
C:\WINDOWS\system32\ccqjklym.exe
C:\WINDOWS\system32\cwbeecpn.dll
C:\WINDOWS\system32\ddcawxy.dll
C:\WINDOWS\system32\devtyxry.dll
C:\WINDOWS\system32\dujfyjnx.dll
C:\WINDOWS\system32\ecnjivgm.exe
C:\WINDOWS\system32\eqmlgobv.dll
C:\WINDOWS\system32\etfprvfo.exe
C:\WINDOWS\system32\fmgnhrmd.dll
C:\WINDOWS\system32\fpqrcbvx.exe
C:\WINDOWS\system32\gjbxnrti.exe
C:\WINDOWS\system32\gjkmp.bak1
C:\WINDOWS\system32\gjkmp.bak2
C:\WINDOWS\system32\gjkmp.ini
C:\WINDOWS\system32\gotlvgdt.exe
C:\WINDOWS\system32\hnfqjntk.dll
C:\WINDOWS\system32\hnfqjntk.dllbox
C:\WINDOWS\system32\ihuehoxi.exe
C:\WINDOWS\system32\iifdecc.dll
C:\WINDOWS\system32\iiiiiii.dll
C:\WINDOWS\system32\ikdmoaco.dll
C:\WINDOWS\system32\ixtfpjqq.dll
C:\WINDOWS\system32\kahfonla.exe
C:\WINDOWS\system32\kfgtkndd.dll
C:\WINDOWS\system32\kyxfhbpl.dll
C:\WINDOWS\system32\lbebrimt.dll
C:\WINDOWS\system32\M16Lc7vs.dll
C:\WINDOWS\system32\mcbrmyfh.exe
C:\WINDOWS\system32\mhlfpyix.exe
C:\WINDOWS\system32\mljklji.dll
C:\WINDOWS\system32\mmuoxhph.exe
C:\WINDOWS\system32\Mz02r
C:\WINDOWS\system32\Mz02r\Mz02r1065.exe
C:\WINDOWS\system32\nlmqmtky.dll
C:\WINDOWS\system32\nrhjvoip.exe
C:\WINDOWS\system32\ntacqham.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pfvsnkaf.exe
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\pndwxtmt.exe
C:\WINDOWS\system32\rMa01yy
C:\WINDOWS\system32\rMa01yy\rMa01yy1065.exe
C:\WINDOWS\system32\rvyrkbxk.dll
C:\WINDOWS\system32\rwakukog.exe
C:\WINDOWS\system32\seulsrso.exe
C:\WINDOWS\system32\smtPbiTI.dll
C:\WINDOWS\system32\swojaywi.exe
C:\WINDOWS\system32\tlyltfye.exe
C:\WINDOWS\system32\vbjyobmb.dll
C:\WINDOWS\system32\vfabkhgm.exe
C:\WINDOWS\system32\vhtrwtxd.exe
C:\WINDOWS\system32\vqcxvvmg.exe
C:\WINDOWS\system32\wboqsqat.exe
C:\WINDOWS\system32\wilwvlhf.exe
C:\WINDOWS\system32\winnb58.dll
C:\WINDOWS\system32\wiyvrawi.exe
C:\WINDOWS\system32\wufvkjxs.dll
C:\WINDOWS\system32\wxkxutpj.exe
C:\WINDOWS\system32\xhvratle.exe
C:\WINDOWS\system32\xtyxqcfj.exe
C:\WINDOWS\system32\yayvvvt.dll
C:\WINDOWS\system32\yhqdxfgp.exe
C:\WINDOWS\system32\ylpgyare.exe
C:\WINDOWS\system32\ysjtolre.exe
C:\WINDOWS\Tmljaw
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\LEGACY_DOMAINSERVICE
\LEGACY_KRDPDRE
\DomainService
\krdpdre
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.
2007-11-16 21:51 184,320 --a------ C:\WINDOWS\system32\wQv3B07G.dll
2007-11-16 21:47 82,496 --a------ C:\WINDOWS\system32\jlicfnth.dll
2007-11-16 21:41 85,056 --a------ C:\WINDOWS\system32\ucvvpnqc.dll
2007-11-16 21:39 71,232 --a------ C:\WINDOWS\system32\bmjdseop.exe
2007-11-16 07:27 <DIR> d--h----- C:\Program Files\InstallJammer Registry
2007-11-16 07:26 <DIR> d-------- C:\Program Files\Brittle Bullet - Private Gunz Server
2007-11-16 06:49 <DIR> d-------- C:\WINDOWS\system32\uu2
2007-11-16 06:49 <DIR> d-------- C:\WINDOWS\system32\rr2
2007-11-16 06:49 <DIR> d-------- C:\WINDOWS\system32\cc1
2007-11-16 05:24 <DIR> d-------- C:\VundoFix Backups
2007-11-15 16:16 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-15 15:48 <DIR> d-------- C:\WINDOWS\ERUNT
2007-11-15 15:30 16,324 --a------ C:\WINDOWS\system32\instdump.zip
2007-11-14 15:22 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-10 12:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 12:12 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-05 18:27 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-05 18:27 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-11-05 18:27 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-05 18:27 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 00:38 --------- d-----w C:\Documents and Settings\Nick\Application Data\mIRC
2007-11-15 00:35 --------- d-----w C:\Program Files\mIRC
2007-10-19 12:57 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 20:11 --------- d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-12 20:03 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-12 20:03 --------- d-----w C:\Program Files\Bonjour
2007-10-12 19:43 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-04 19:42 --------- d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-08-02 13:43 282,624 ----a-w C:\Program Files\TTC.dll
.
((((((((((((((((((((((((((((( snapshot@2007-11-15_16.36.49.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-11-08 21:59:01 136,704 ----a-w C:\WINDOWS\catchme.exe
+ 2007-10-29 23:56:19 136,192 ----a-w C:\WINDOWS\catchme.exe
- 2007-11-15 20:48:29 3,207,168 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
+ 2007-11-16 12:04:45 3,235,840 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000001\NTUSER.DAT
- 2007-11-15 20:48:29 81,920 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-11-16 12:04:45 81,920 ----a-w C:\WINDOWS\ERUNT\SDFIX\Users\00000002\UsrClass.dat
+ 2007-08-14 22:22:50 25,105 ----a-w C:\WINDOWS\system32\cc1\dnslook11.exe
- 2007-11-15 21:07:10 40,108 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-11-17 02:42:42 40,108 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-15 21:07:10 311,912 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-17 02:42:42 311,912 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-11-15 11:32:34 9,814 ----a-w C:\WINDOWS\system32\rr2\bemwdll3.exe
- 2006-01-09 14:36:06 40,960 ----a-w C:\WINDOWS\system32\swsc.exe
+ 2006-11-29 22:21:29 370,688 ----a-w C:\WINDOWS\system32\swsc.exe
- 2006-12-01 10:20:34 79,360 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2006-12-01 10:20:32 212,480 ----a-w C:\WINDOWS\system32\swxcacls.exe
+ 2007-08-03 01:44:02 169,147 ----a-w C:\WINDOWS\system32\uu2\mper83122.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9432f445-c71d-4573-95e8-deb6b26fe756}]
2007-11-16 21:47 82496 --a------ C:\WINDOWS\system32\jlicfnth.dll
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}"= C:\WINDOWS\system32\WinNB58.dll [ ]
[HKEY_CLASSES_ROOT\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}]
[HKEY_CLASSES_ROOT\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:32]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 00:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"C-Media Mixer"="Mixer.exe" [2002-06-12 02:23 C:\WINDOWS\mixer.exe]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2004-11-19 08:15]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-10-22 12:42]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [2001-08-16 16:52]
"50da98e0"="C:\WINDOWS\system32\ucvvpnqc.dll" [2007-11-16 21:41]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\pmkjg.dll
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S3 CEDRIVER53;CEDRIVER53;\??\C:\Program Files\Cheat Engine\dbk32.sys
S3 DADriv1;DADriv1;\??\C:\Nexon\MapleStory\Engine\DAK32.sys
S3 DragonZ1;DragonZ1;\??\C:\Documents and Settings\Nick\Desktop\dragonz\DragonZ.sys
S3 dump_wmimmc;dump_wmimmc;\??\C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\C:\Documents and Settings\Nick\Desktop\iLove HackPack\iLove HackPack\MoonLight_Engine_1083.3\IlvMoney1083.sys
S3 XDva031;XDva031;\??\C:\WINDOWS\system32\XDva031.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 13:24:57 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-10-12 21:39:50 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
"2007-11-16 08:30:02 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
"2007-11-17 03:12:13 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-16 22:12:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-16 22:13:58
C:\ComboFix2.txt ... 2007-11-16 06:24
.
--- E O F ---
11/16/07 22:17:36 [Info]: BlackLight Engine 1.0.67 initialized
11/16/07 22:17:36 [Info]: OS: 5.1 build 2600 (Service Pack 2)
11/16/07 22:17:37 [Note]: 7019 4
11/16/07 22:17:37 [Note]: 7005 0
11/16/07 22:17:41 [Note]: 7006 0
11/16/07 22:17:41 [Note]: 7011 3548
11/16/07 22:17:42 [Note]: 7026 0
11/16/07 22:17:42 [Note]: 7026 0
11/16/07 22:17:49 [Note]: FSRAW library version 1.7.1024
11/16/07 22:19:55 [Note]: 7007 0
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:21:53 PM, on 16/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {657ef62b-6bed-8e59-3754-d17c544f2349} - {9432f445-c71d-4573-95e8-deb6b26fe756} - C:\WINDOWS\system32\jlicfnth.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [50da98e0] rundll32.exe "C:\WINDOWS\system32\ucvvpnqc.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
--
End of file - 4899 bytes
And yeah, thank you so much peku006! The weird pop-ups and the triangle thing are all gone and my computer is faster again. Once again, thank you peku006, you're the greatest.
O2 - BHO: {657ef62b-6bed-8e59-3754-d17c544f2349} - {9432f445-c71d-4573-95e8-deb6b26fe756} - C:\WINDOWS\system32\jlicfnth.dll
O4 - HKLM\..\Run: [50da98e0] rundll32.exe "C:\WINDOWS\system32\ucvvpnqc.dll",b
Open notepad and copy/paste the text in the quotebox below into it:
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot (in case it asks to reboot):
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
Double-click ATF Cleaner.exe to open it.
Under Main choose:
Windows Temp
Current User Temp
All Users Temp
Cookies
Temporary Internet Files
Prefetch
Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Firefox:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Opera:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click NO at the prompt.
Click Exit on the Main menu to close the program.
Download AVG Anti-Spyware from HERE and save that file to your desktop. Note for AVG Free anti-virus users only: this is not the same program that you already have, this is an anti-spyware program.
When the trial period expires it becomes feature-limited freeware but is still worth keeping as a good on-demand scanner.
- Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double click it to launch the set up program.
- Once the setup is complete you will need run AVG Anti-Spyware and update the definition files.
- On the main screen select the icon "Update" then select the "Update now" link.
- Next select the "Start Update" button. The update will start and a progress bar will show the updates being installed.
- Once the update has completed, select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
- Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
- Under "Reports":
- Select "Automatically generate report after every scan"
- Un-Select "Only if threats were found"
- Close AVG Anti-Spyware. Do not run a scan just yet; we will run it in Safe Mode.
Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning as it may interfere with the scanning process:
- Launch AVG Anti-Spyware by double clicking the icon on your desktop.
- Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
AVG will now begin the scanning process. Please be patient as this may take a little time.
- Once the scan is complete, do the following:
- If you have any infections you will be prompted. Then select "Apply all actions."
- Next select the "Reports" icon at the top.
- Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file. This is important).
- Close AVG Anti-Spyware and reboot your system back into Normal Mode.
So in your next reply, please include the following:
Combofix.txt
AVG Anti-Spyware report
new HijackThis log
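The two lines quoted at the top of this reply are the ones a reviewer picks out of a HijackThis log by eye: a BHO whose display name is itself a CLSID, pointing at an eight-letter DLL in system32, and a Run value with a hex-blob name that loads another such DLL through rundll32 with a one-letter export. The ComboFix output earlier in the thread shows a third tell, kernel drivers (S3 entries) loading from a user's Desktop. As an added example, not part of the original thread and not the helper's or Trend Micro's tooling, the Python below encodes those tells as scoring rules and runs them over lines copied from the logs in this thread. The rule weights, the `looks_random` vowel heuristic and the threshold of 2 are assumptions chosen for illustration.

```python
import re
from typing import List, Tuple

# Constructed sample: lines copied from the HijackThis and ComboFix logs in
# this thread. The jlicfnth.dll / ucvvpnqc.dll entries are the two the helper
# quoted; the R3/S3 lines come from ComboFix's "Drivers/Services" section.
SAMPLE_LOG = r"""
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {657ef62b-6bed-8e59-3754-d17c544f2349} - {9432f445-c71d-4573-95e8-deb6b26fe756} - C:\WINDOWS\system32\jlicfnth.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [50da98e0] rundll32.exe "C:\WINDOWS\system32\ucvvpnqc.dll",b
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S3 DragonZ1;DragonZ1;\??\C:\Documents and Settings\Nick\Desktop\dragonz\DragonZ.sys
"""

GUID_RE = re.compile(r"^\{[0-9a-f-]{36}\}$", re.I)
HEX_NAME_RE = re.compile(r"^[0-9a-f]{6,12}$", re.I)
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[^}]+\}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?,(?P<export>\S*)', re.I)
DRIVER_RE = re.compile(r"^[RS]\d \S+?;[^;]*;\\\?\?\\(?P<path>.+)$")
# Assumption: no legitimate kernel driver lives under a user profile directory.
USER_DIRS = ("\\documents and settings\\", "\\users\\")


def basename(path: str) -> str:
    return path.strip('"').replace("/", "\\").rsplit("\\", 1)[-1]


def looks_random(filename: str) -> bool:
    """Crude 'generated name' test: 7-10 lowercase letters with at most one
    vowel (jlicfnth, ucvvpnqc). It has false positives (wscntfy.exe would
    trip it), so it only ever adds one point and never decides on its own."""
    stem = filename.lower().rsplit(".", 1)[0]
    if not re.fullmatch(r"[a-z]{7,10}", stem):
        return False
    return sum(c in "aeiou" for c in stem) <= 1


def score_line(line: str) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one HijackThis line or ComboFix driver line."""
    score, why = 0, []

    def hit(points: int, reason: str) -> None:
        nonlocal score
        score += points
        why.append(reason)

    if m := O2_RE.match(line):
        if GUID_RE.match(m.group("name")):        # real BHOs carry a product name
            hit(2, "BHO display name is a bare CLSID")
        if looks_random(basename(m.group("path"))):
            hit(1, "random-looking module name")
    elif m := O4_RE.match(line):
        if HEX_NAME_RE.match(m.group("name")):    # e.g. [50da98e0]
            hit(2, "Run value name is a hex blob")
        if rd := RUNDLL_RE.search(m.group("cmd")):
            export = rd.group("export")
            if re.fullmatch(r"[A-Za-z]|#?\d+", export):   # ",b" or an ordinal
                hit(1, f"rundll32 export is a single letter/ordinal ({export})")
            if looks_random(basename(rd.group("dll"))):
                hit(1, "random-looking DLL name")
    elif m := DRIVER_RE.match(line):
        if any(d in m.group("path").lower() for d in USER_DIRS):
            hit(2, "kernel driver loads from a user profile directory")
    return score, why


def triage(log_text: str, threshold: int = 2) -> List[Tuple[str, int, List[str]]]:
    """Score every line and keep those at or above the threshold."""
    hits = []
    for raw in log_text.splitlines():
        line = raw.strip()
        score, why = score_line(line)
        if score >= threshold:
            hits.append((line, score, why))
    return hits


if __name__ == "__main__":
    for line, score, why in triage(SAMPLE_LOG):
        print(f"[{score}] {line}\n      " + "; ".join(why))
```

Running it lists exactly the three entries a helper would ask ComboFix to remove: the CLSID-named BHO, the rundll32 Run value, and the DragonZ.sys driver on the Desktop. The point of the score rather than a single rule is the false-positive caveat the helper gives about the Analyse This button: a random-looking name alone proves nothing, but a random name together with a hex Run key, a one-letter export, or a user-writable driver path is the pattern of a dropper, not of a vendor product.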
Here's my CF log:
ComboFix 07-11-08.1 - Nick 2007-11-17 7:43:59.7 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.316 [GMT -5:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Nexon\MapleStory\GameGuard\dump_wmimmc.sys
C:\Program Files\Cheat Engine\dbk32.sys
C:\WINDOWS\system32\bmjdseop.exe
C:\WINDOWS\system32\jlicfnth.dll
C:\WINDOWS\system32\pmkjg.dll
C:\WINDOWS\system32\ucvvpnqc.dll
C:\WINDOWS\system32\wQv3B07G.dll
C:\WINDOWS\system32\XDva031.sys
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\bmjdseop.exe
C:\WINDOWS\system32\cc1
C:\WINDOWS\system32\cc1\dnslook11.exe
C:\WINDOWS\system32\rr2
C:\WINDOWS\system32\rr2\bemwdll3.exe
C:\WINDOWS\system32\ucvvpnqc.dll
C:\WINDOWS\system32\uu2
C:\WINDOWS\system32\uu2\mper83122.exe
C:\WINDOWS\system32\wQv3B07G.dll
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
\LEGACY_CEDRIVER53
\LEGACY_DUMP_WMIMMC
\LEGACY_XDVA031
\CEDRIVER53
\XDva031
((((((((((((((((((((((((( Files Created from 2007-10-17 to 2007-11-17 )))))))))))))))))))))))))))))))
.
2007-11-16 07:27 <DIR> d--h C:\Program Files\InstallJammer Registry
2007-11-15 16:16 51,200 --a C:\WINDOWS\NirCmd.exe
2007-11-15 15:48 <DIR> d C:\WINDOWS\ERUNT
2007-11-15 15:30 16,324 --a C:\WINDOWS\system32\instdump.zip
2007-11-14 15:22 <DIR> d C:\Program Files\Trend Micro
2007-11-10 12:14 <DIR> d-a C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 12:12 626,688 --a C:\WINDOWS\system32\msvcr80.dll
2007-11-05 18:27 1,060,864 --a C:\WINDOWS\system32\mfc71.dll
2007-11-05 18:27 348,160 --a C:\WINDOWS\system32\msvcr71.dll
2007-11-05 18:27 89,088 --a C:\WINDOWS\system32\atl71.dll
2007-11-05 18:27 24,064 --a C:\WINDOWS\system32\msxml3a.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 00:38 d-----w C:\Documents and Settings\Nick\Application Data\mIRC
2007-11-15 00:35 d-----w C:\Program Files\mIRC
2007-10-19 12:57 d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 20:11 d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-12 20:03 d-----w C:\Program Files\Common Files\Adobe
2007-10-12 20:03 d-----w C:\Program Files\Bonjour
2007-10-12 19:43 d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-04 19:42 d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
2007-08-02 13:43 282,624 ----a-w C:\Program Files\TTC.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:32]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 00:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"C-Media Mixer"="Mixer.exe" [2002-06-12 02:23 C:\WINDOWS\mixer.exe]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2004-11-19 08:15]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-10-22 12:42]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [2001-08-16 16:52]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S3 DADriv1;DADriv1;\??\C:\Nexon\MapleStory\Engine\DAK32.sys
S3 DragonZ1;DragonZ1;\??\C:\Documents and Settings\Nick\Desktop\dragonz\DragonZ.sys
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\C:\Documents and Settings\Nick\Desktop\iLove HackPack\iLove HackPack\MoonLight_Engine_1083.3\IlvMoney1083.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 13:24:57 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-10-12 21:39:50 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
"2007-11-17 08:30:00 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
"2007-11-17 12:48:28 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-17 07:48:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-17 7:49:49 - machine was rebooted
.
--- E O F ---
I need a new HijackThis log and AVG Anti-Spyware report too
AVG Anti-Spyware - Scan Report
+ Created at: 2:25:55 AM 18/11/2007
+ Scan result:
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374389.dll -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374390.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376565.dll -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376573.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376574.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0382398.dll -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0382399.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383572.dll -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383575.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383576.exe -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP30\A0195850.exe -> Backdoor.Agent.ark : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0327395.exe -> Downloader.Adload.ni : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0356719.exe -> Downloader.Adload.ni : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374395.exe -> Downloader.Adload.ni : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376583.exe -> Downloader.Adload.ni : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP26\A0175747.exe -> Downloader.Agent.bkw : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374400.exe -> Downloader.Agent.cbx : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376570.exe -> Downloader.Agent.cbx : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0328068.EXE -> Downloader.Agent.ebm : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0318328.exe -> Downloader.Agent.emo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0325105.exe -> Downloader.Agent.emo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0327208.exe -> Downloader.Agent.emo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0347462.exe -> Downloader.Agent.emo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374402.exe -> Downloader.Agent.emo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376575.EXE -> Downloader.Agent.emo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0342109.exe -> Downloader.Agent.erf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0356718.exe -> Downloader.Agent.erf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374398.exe -> Downloader.Agent.erf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376568.exe -> Downloader.Agent.erf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0347470.exe -> Downloader.Agent.fak : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0367460.exe -> Downloader.Agent.fak : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP40\A0375430.exe -> Downloader.BHO.bo : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0328067.EXE -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374392.exe -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374397.exe -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376567.exe -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376579.EXE -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP45\A0387418.exe -> Downloader.Small.buy : Cleaned.
C:\qoobox\Quarantine\C\WINDOWS\system32\cc1\dnslook11.exe.vir -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0325104.exe -> Downloader.VB.bkw : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384428.exe -> Downloader.VB.bkw : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP23\A0165588.exe -> Not-A-Virus.HackTool.Win32.Delf.bw : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374396.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376578.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0382401.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383580.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\Documents and Settings\Nick\Cookies\nick@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Nick\Cookies\nick@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Nick\Cookies\nick@ssl-hints.netflame[1].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Nick\Cookies\nick@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0320113.exe -> Trojan.Agent.crf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0347464.EXE -> Trojan.Agent.crf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0356876.EXE -> Trojan.Agent.crf : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0381561.dll -> Trojan.Magania.aqw : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0320109.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0321151.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0329010.exe -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374391.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374406.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376577.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376581.VBS -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0382400.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0382406.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383579.vbs -> Trojan.Small : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383582.VBS -> Trojan.Small : Cleaned.
::Report end
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:30:33 AM, on 18/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
C:\WINDOWS\Mixer.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [ANIWZCS2Service] C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O16 - DPF: {DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} (HGPlugin10USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab
O23 - Service: ANIWZCSd Service (ANIWZCSdService) - Alpha Networks Inc. - C:\Program Files\ANI\ANIWZCS2 Service\ANIWZCSdS.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\Program Files\Norton SystemWorks\Norton Utilities\NPROTECT.EXE
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~1\SPEEDD~1\nopdb.exe
--
End of file - 4819 bytes
Thank you peku006 for helping me
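Every detection in the AVG report above sits in one of three places: a System Restore snapshot under System Volume Information, ComboFix's own quarantine folder (C:\qoobox, where removed files are renamed with a .vir extension), or a tracking-cookie text file. None of those is code that runs on the system as it stands, which is why a report this long still reads as a clean result rather than a reinfection. As an added example, not part of the original thread and not AVG's tooling, the Python below parses AVG Anti-Spyware report lines and buckets each hit by where it was found, so the question "is anything still live?" is answered mechanically instead of by scrolling. The sample is built from lines in the report above plus one constructed live-path line (example_live.dll, which does not appear anywhere on this page) so that the live bucket is exercised; the bucket names and verdict wording are assumptions.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample: lines copied from the AVG Anti-Spyware report in this
# thread, plus one made-up live-system hit (example_live.dll is not on the
# page) so that the "live" bucket is exercised.
SAMPLE_REPORT = r"""
AVG Anti-Spyware - Scan Report
+ Created at: 2:25:55 AM 18/11/2007
+ Scan result:
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374389.dll -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP30\A0195850.exe -> Backdoor.Agent.ark : Cleaned.
C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP23\A0165588.exe -> Not-A-Virus.HackTool.Win32.Delf.bw : Cleaned.
C:\qoobox\Quarantine\C\WINDOWS\system32\cc1\dnslook11.exe.vir -> Downloader.Small.buy : Cleaned.
C:\Documents and Settings\Nick\Cookies\nick@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Nick\Cookies\nick@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\WINDOWS\system32\example_live.dll -> Trojan.Agent.crf : Cleaned.
::Report end
"""

# One detection per line: "<path> -> <detection name> : <action>."
LINE_RE = re.compile(r"^(?P<path>.+?) -> (?P<detection>.+?) : (?P<action>\w+)\.$")


def classify(path: str) -> str:
    """Bucket a detection by where it was found. Only 'live' means a file
    that could actually execute on the system in its current state."""
    p = path.lower()
    if "\\system volume information\\_restore" in p:
        return "restore_point"          # inert unless someone rolls back to it
    if "\\qoobox\\quarantine\\" in p:
        return "combofix_quarantine"    # already neutralised by ComboFix
    if "\\cookies\\" in p:
        return "cookie"                 # privacy noise, not code
    return "live"


def summarise(report: str) -> Tuple[Dict[str, int], List[Tuple[str, str]]]:
    """Return per-bucket counts and the (path, detection) pairs still live."""
    counts: Counter = Counter()
    live: List[Tuple[str, str]] = []
    for raw in report.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                    # header and trailer lines
        bucket = classify(m.group("path"))
        counts[bucket] += 1
        if bucket == "live":
            live.append((m.group("path"), m.group("detection")))
    return dict(counts), live


def verdict(counts: Dict[str, int]) -> str:
    return "live hits: investigate" if counts.get("live") else "no live hits: cleanup held"


if __name__ == "__main__":
    counts, live = summarise(SAMPLE_REPORT)
    print(counts)
    for path, detection in live:
        print("LIVE:", detection, path)
    print(verdict(counts))
```

On the actual report in this thread every line lands in the first three buckets, so the verdict is "no live hits". Two caveats a practitioner would add: the restore-point entries are only inert until someone restores to one of those snapshots, so the usual final step once a machine is confirmed clean is to flush the old restore points and create a fresh one; and the Backdoor and HackTool names in RP23/RP30 show that the cheat-tool downloads predated the visible adware by several restore points, which is a timeline worth keeping when deciding whether credentials used on this machine should be changed.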
Looks much better
Open notepad and copy/paste the text in the quotebox below into it:
Save this as "CFScript"
Then drag the CFScript into ComboFix.exe as you see in the screenshot below.
This will start ComboFix again. After the reboot,
Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
- The program will launch and then start to download the latest definition files.
- Once the scanner is installed and the definitions downloaded, click Next.
- Now click on Scan Settings
- In the scan settings make sure that the following are selected:
o Scan using the following Anti-Virus database:
+ Extended (If available otherwise Standard)
o Scan Options:
+ Scan Archives
+ Scan Mail Bases
- Click OK
- Now under select a target to scan select My Computer
- The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
- Now click on the Save as Text button
- Save the file to your desktop.
- Copy and paste that information in your next post.
Note for Internet Explorer 7 users: If at any time you have trouble with the accept button of the licence, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset it to 100%.
So in your next reply, please include the following:
Combofix.txt
Kaspersky Online report
Here's the CF log:
ComboFix 07-11-08.1 - Nick 2007-11-18 5:04:50.8 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.314 [GMT -5:00]
Running from: C:\Documents and Settings\Nick\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Nick\Desktop\CFScript.txt
* Created a new restore point
FILE
C:\Program Files\TTC.dll
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Program Files\TTC.dll
C:\qoobox
C:\qoobox\BackEnv\appdata.folder.dat
C:\qoobox\BackEnv\cache.folder.dat
C:\qoobox\BackEnv\desktop.folder.dat
C:\qoobox\BackEnv\favorites.folder.dat
C:\qoobox\BackEnv\local appdata.folder.dat
C:\qoobox\BackEnv\local settings.folder.dat
C:\qoobox\BackEnv\my pictures.folder.dat
C:\qoobox\BackEnv\personal.folder.dat
C:\qoobox\BackEnv\profiles.folder.dat
C:\qoobox\BackEnv\programs.folder.dat
C:\qoobox\BackEnv\setpath.bat
C:\qoobox\BackEnv\setpath.dat
C:\qoobox\BackEnv\start menu.folder.dat
C:\qoobox\BackEnv\startup.folder.dat
C:\qoobox\BackEnv\templates.folder.dat
C:\qoobox\CFScript_used_2007-11-17@7.43.txt
C:\qoobox\CFScript_used_2007-11-18@5.04.txt
C:\qoobox\ComboFix-quarantined-files.txt
C:\qoobox\Hiv-backup\default
C:\qoobox\Hiv-backup\ERDNT.CON
C:\qoobox\Hiv-backup\ERDNT.EXE
C:\qoobox\Hiv-backup\ERDNT.INF
C:\qoobox\Hiv-backup\ERDNTDOS.LOC
C:\qoobox\Hiv-backup\ERDNTWIN.LOC
C:\qoobox\Hiv-backup\SAM
C:\qoobox\Hiv-backup\SECURITY
C:\qoobox\Hiv-backup\software
C:\qoobox\Hiv-backup\system
C:\qoobox\Hiv-backup\Users\00000001\NTUSER.DAT
C:\qoobox\Hiv-backup\Users\00000002\UsrClass.dat
C:\qoobox\Hiv-backup\Users\00000003\NTUSER.DAT
C:\qoobox\Hiv-backup\Users\00000004\UsrClass.dat
C:\qoobox\Hiv-backup\Users\00000005\NTUSER.DAT
C:\qoobox\Hiv-backup\Users\00000006\UsrClass.dat
C:\qoobox\snapshot@2007-11-17_ 7.49.03.34.dat
C:\qoobox\snapshot@2007-11-17_ 7.49.03.34_B.dat
.
((((((((((((((((((((((((( Files Created from 2007-10-18 to 2007-11-18 )))))))))))))))))))))))))))))))
.
2007-11-17 07:55 <DIR> d C:\Documents and Settings\Nick\Application Data\Grisoft
2007-11-17 07:55 10,872 --a C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-11-17 07:54 <DIR> d C:\Documents and Settings\All Users\Application Data\Grisoft
2007-11-16 07:27 <DIR> d--h C:\Program Files\InstallJammer Registry
2007-11-15 16:16 51,200 --a C:\WINDOWS\NirCmd.exe
2007-11-15 15:48 <DIR> d C:\WINDOWS\ERUNT
2007-11-15 15:30 16,324 --a C:\WINDOWS\system32\instdump.zip
2007-11-14 15:22 <DIR> d C:\Program Files\Trend Micro
2007-11-10 12:14 <DIR> d-a C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-10 12:12 626,688 --a C:\WINDOWS\system32\msvcr80.dll
2007-11-05 18:27 1,060,864 --a C:\WINDOWS\system32\mfc71.dll
2007-11-05 18:27 348,160 --a C:\WINDOWS\system32\msvcr71.dll
2007-11-05 18:27 89,088 --a C:\WINDOWS\system32\atl71.dll
2007-11-05 18:27 24,064 --a C:\WINDOWS\system32\msxml3a.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-17 16:31 d-----w C:\Program Files\Common Files\Adobe
2007-11-17 14:39 d-----w C:\Documents and Settings\Nick\Application Data\mIRC
2007-11-17 14:38 d-----w C:\Program Files\mIRC
2007-10-19 12:57 d--h--w C:\Program Files\InstallShield Installation Information
2007-10-12 20:11 d-----w C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-12 19:43 d-----w C:\Program Files\Common Files\Macrovision Shared
2007-10-04 19:42 d-----w C:\Documents and Settings\All Users\Application Data\NexonUS
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.exe" [2004-08-04 00:32]
"MSPY2002"="C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe" [2004-08-04 00:31]
"PHIME2002ASync"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"PHIME2002A"="C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.exe" [2004-08-04 00:32]
"C-Media Mixer"="Mixer.exe" [2002-06-12 02:23 C:\WINDOWS\mixer.exe]
"D-Link AirPlus G"="C:\Program Files\D-Link\AirPlus G\AirGCFG.exe" [2004-11-19 08:15]
"ANIWZCS2Service"="C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe" [2004-10-22 12:42]
"NAV Agent"="C:\PROGRA~1\NORTON~1\NORTON~1\navapw32.exe" [2001-08-16 16:52]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 04:25]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 11:54]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)
R3 NPDriver;Norton Unerase Protection Driver;\??\C:\WINDOWS\system32\Drivers\NPDRIVER.SYS
S3 DADriv1;DADriv1;\??\C:\Nexon\MapleStory\Engine\DAK32.sys
S3 DragonZ1;DragonZ1;\??\C:\Documents and Settings\Nick\Desktop\dragonz\DragonZ.sys
S3 IlvMoneyDRIVER53;IlvMoneyDRIVER53;\??\C:\Documents and Settings\Nick\Desktop\iLove HackPack\iLove HackPack\MoonLight_Engine_1083.3\IlvMoney1083.sys
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 13:24:57 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
"2007-10-12 21:39:50 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
"2007-11-18 08:30:01 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Program Files\RegSweep\RegSweep.exe
"2007-11-18 10:11:43 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************
catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-18 05:11:48
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2007-11-18 5:14:38 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-17 07:49
.
--- E O F ---
<html>
<head>
<title>KASPERSKY ONLINE SCANNER REPORT</title>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8'>
</head>
<style>
.pagetitle { font-size:20px; color:#FFFFFF; font-family: Arial, Geneva, sans-serif; }
.text { font-size:11px; font-family: Arial, Geneva, sans-serif; }
TD { font-size:11px; font-family: Arial, Geneva, sans-serif; }
</style>
<body>
<table width='100%' height='110' border='0'>
<tr height='30' align='center' bgcolor='#005447'>
<td colspan='2' height='30' class='pagetitle'>
<b>KASPERSKY ONLINE SCANNER REPORT</b>
</td>
</tr>
<tr height='70'>
<td colspan='2' height='70'>
Sunday, November 18, 2007 7:36:20 AM<br>
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)<br>
Kaspersky Online Scanner version: 5.0.98.0<br>
Kaspersky Anti-Virus database last update: 19/11/2007<br>
Kaspersky Anti-Virus database records: 461377<br>
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
</table>
<table width='100%' height='145' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Settings</b></td>
</tr>
<tr height='15'>
<td height='15' width='250'>Scan using the following antivirus database</td>
<td>extended</td>
</tr>
<tr height='15'>
<td height='15'>Scan Archives</td>
<td>true</td>
</tr>
<tr height='15'>
<td height='15'>Scan Mail Bases</td>
<td>true</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Scan Target</b></td>
<td>My Computer</td>
</tr>
<tr height='20'>
<td colspan='2' height='20'>
A:\<br>
C:\<br>
D:\<br>
E:\
</td>
</tr>
<tr height='10'>
<td colspan='2' height='10'>
</td>
</tr>
<tr height='20' bgcolor='#EFEBDE'>
<td colspan='2' height='20'><b>Scan Statistics</b></td>
</tr>
<tr height='15'>
<td height='15'>Total number of scanned objects</td>
<td>71525</td>
</tr>
<tr height='15'>
<td height='15'>Number of viruses found</td>
<td>29</td>
</tr>
<tr height='15'>
<td height='15'>Number of infected objects</td>
<td>112</td>
</tr>
<tr height='15'>
<td height='15'>Number of suspicious objects</td>
<td>6</td>
</tr>
<tr height='15'>
<td height='15'>Duration of the scan process</td>
<td>01:50:37</td>
</tr>
</table>
<br>
<table width='100%' border='0'>
<tr height='20' bgcolor='#EFEBDE'>
<td height='20'><b>Infected Object Name</b></td>
<td width='200'><b>Virus Name</b></td>
<td width='100'><b>Last Action</b></td>
</tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\LocalService\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\NetworkService\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Nick\Cookies\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Nick\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Nick\Local Settings\History\History.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Nick\Local Settings\History\History.IE5\MSHist012007111820071119\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Nick\Local Settings\Temp\flaE.tmp </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\index.dat </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Nick\Local Settings\Temporary Internet Files\Content.IE5\MNS1K50T\get_video[1] </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Nick\NTUSER.DAT </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Documents and Settings\Nick\ntuser.dat.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe </td>
<td>Infected: Trojan.Win32.Patched.af </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\D-Link\AirPlus G\AirGCFG.exe </td>
<td>Infected: Trojan.Win32.Patched.af </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\mIRC\mirc.exe </td>
<td>Infected: not-a-virus:Client-IRC.Win32.mIRC.63 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapw32.exe </td>
<td>Infected: Trojan.Win32.Patched.af </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\MountPointManagerRemoteDatabase </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP26\A0186853.exe </td>
<td>Infected: not-a-virus:RiskTool.Win32.Reboot.f </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP32\A0224989.exe </td>
<td>Infected: Trojan-Downloader.Win32.Firu.h </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP35\A0257033.exe/stream/data0001/stream/data0014 </td>
<td>Infected: not-a-virus:Client-IRC.Win32.mIRC.63 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP35\A0257033.exe/stream/data0001/stream </td>
<td>Infected: not-a-virus:Client-IRC.Win32.mIRC.63 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP35\A0257033.exe/stream/data0001 </td>
<td>Infected: not-a-virus:Client-IRC.Win32.mIRC.63 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP35\A0257033.exe/stream </td>
<td>Infected: not-a-virus:Client-IRC.Win32.mIRC.63 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP35\A0257033.exe </td>
<td>NSIS: infected - 4 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0306112.exe </td>
<td>Infected: Trojan-Dropper.Win32.Agent.cgq </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0309087.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.agh </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0320087.dll </td>
<td>Infected: Trojan.Win32.BHO.rf </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0320101.old </td>
<td>Infected: not-a-virus:FraudTool.Win32.BestSeller.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0320104.old </td>
<td>Infected: not-a-virus:FraudTool.Win32.BestSeller.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0320111.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.TTC.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0321040.sys </td>
<td>Infected: not-a-virus:FraudTool.Win32.BestSeller.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0321041.sys </td>
<td>Infected: not-a-virus:FraudTool.Win32.BestSeller.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0321054.exe </td>
<td>Infected: not-a-virus:FraudTool.Win32.BestSeller.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0322100.dll </td>
<td>Infected: Trojan-Downloader.Win32.BHO.bo </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0327302.exe </td>
<td>Infected: Trojan-Downloader.Win32.Firu.h </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0329011.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0329099.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.PurityScan.gl </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0329105.exe </td>
<td>Infected: Trojan-Downloader.Win32.Small.gon </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0329106.exe </td>
<td>Infected: Trojan-Downloader.Win32.Small.goz </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0358290.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0367290.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374290.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374298.exe </td>
<td>Infected: Trojan-Downloader.Win32.Agent.ezc </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374384.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374393.exe </td>
<td>Infected: Trojan-Downloader.Win32.Small.gll </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374394.exe/data0002 </td>
<td>Infected: not-a-virus:AdWare.Win32.TTC.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374394.exe </td>
<td>NSIS: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374399.exe </td>
<td>Infected: Trojan-Downloader.Win32.Agent.ezc </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP39\A0374405.dll </td>
<td>Infected: not-virus:Hoax.Win32.Renos.lq </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP40\A0375421.exe </td>
<td>Infected: Trojan.Win32.Agent.bck </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP40\A0375422.exe </td>
<td>Infected: Trojan.Win32.Agent.bck </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP40\A0375423.exe </td>
<td>Infected: Trojan.Win32.Agent.bck </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP40\A0375424.exe </td>
<td>Infected: Trojan.Win32.Agent.bck </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP40\A0375425.exe </td>
<td>Infected: Trojan.Win32.Agent.bck </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP40\A0375426.exe </td>
<td>Infected: Trojan.Win32.Agent.bck </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP40\A0375436.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aqn </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP40\A0375439.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376439.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376569.exe </td>
<td>Infected: Trojan-Downloader.Win32.Agent.ezc </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376572.EXE/data0002 </td>
<td>Infected: not-a-virus:AdWare.Win32.TTC.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376572.EXE </td>
<td>NSIS: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376582.dll </td>
<td>Infected: not-virus:Hoax.Win32.Renos.lq </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0376584.exe </td>
<td>Infected: Trojan-Downloader.Win32.Small.gll </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0380439.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0381391.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP41\A0382100.exe </td>
<td>Infected: Trojan-Downloader.Win32.VB.bsp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP42\A0383731.EXE </td>
<td>Suspicious: Packed.Win32.CryptExe </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384429.exe </td>
<td>Infected: Trojan-Downloader.Win32.VB.bto </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384430.exe </td>
<td>Infected: not-a-virus:AdWare.Win32.TTC.c </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384433.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384434.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.BHO.gw </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384435.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384436.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384437.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384438.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384439.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384440.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384442.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384444.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384445.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384446.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384448.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384449.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384450.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384451.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384452.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.ahr </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384453.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aju </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384455.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384456.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384457.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384460.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.BHO.gw </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384461.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384462.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384463.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aqr </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384464.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384465.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384466.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384467.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384468.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384469.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384471.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384472.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384473.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.BHO.gw </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384474.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384475.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384477.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384478.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384479.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384480.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384481.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384482.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384484.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384485.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384486.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384487.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aju </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384488.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384489.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0384490.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0385488.exe </td>
<td>Infected: not-a-virus:RiskTool.Win32.Reboot.f </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0385942.exe </td>
<td>Suspicious: Packed.Win32.CryptExe </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP44\A0385946.exe </td>
<td>Suspicious: Packed.Win32.CryptExe </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP45\A0387419.exe </td>
<td>Infected: Trojan-Downloader.Win32.Small.gll </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP45\A0387420.exe/data0002 </td>
<td>Infected: not-a-virus:AdWare.Win32.TTC.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP45\A0387420.exe </td>
<td>NSIS: infected - 1 </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP45\A0387421.exe </td>
<td>Infected: Trojan.Win32.Obfuscated.kp </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP45\A0387422.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.Virtumonde.aps </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP45\A0387423.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.BHO.gw </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP45\A0393917.EXE </td>
<td>Suspicious: Packed.Win32.CryptExe </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP45\A0393921.exe </td>
<td>Suspicious: Packed.Win32.CryptExe </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP45\A0393925.EXE </td>
<td>Suspicious: Packed.Win32.CryptExe </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP46\A0393931.dll </td>
<td>Infected: not-a-virus:AdWare.Win32.TTC.a </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\System Volume Information\_restore{912EBDD2-2840-4C0F-8864-F83BC47423CC}\RP46\change.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\Debug\PASSWD.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SchedLgU.Txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\SoftwareDistribution\ReportingEvents.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CatRoot2\edb.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\CatRoot2\tmp.edb </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\AppEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\default </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\default.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SAM </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SAM.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SecEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SECURITY </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SECURITY.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\software </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\software.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\SysEvent.Evt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\system </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\config\system.LOG </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\h323log.txt </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td height='20'>C:\WINDOWS\WindowsUpdate.log </td>
<td>Object is locked </td>
<td>skipped </td>
</tr>
<tr><td colspan='3' height='1' bgcolor='#EFEBDE'></td></tr>
<tr height='20'>
<td colspan='3' height='20'><b>Scan process completed.</b></td>
</tr>
</table>
</body>
</html>
I don't know why it's like this.
Logs look good, but let's run one online scan to be sure:
Run Eset NOD32 Online AntiVirus
Note: You will need to use Internet Explorer for this scan.
# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=2673 (20071120)
# vers_arch_module=1.059 (20071108)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=f6c23f123ee7fa4788a44dee2bb5b51c
# end=finished
# remove_checked=false
# unwanted_checked=true
# utc_time=2007-11-20 09:07:01
# local_time=2007-11-20 04:07:01 (-0500, Eastern Standard Time)
# country="Canada"
# osver=5.1.2600 NT Service Pack 2
# scanned=66910
# found=3
# scan_time=2109
C:\Program Files\ANI\ANIWZCS2 Service\WZCSLDR2.exe Win32/Agent.AB virus 00000000000000000000000000000000
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe Win32/Agent.AB virus 00000000000000000000000000000000
C:\Program Files\Norton SystemWorks\Norton AntiVirus\navapw32.exe Win32/Agent.AB virus 00000000000000000000000000000000
Download WinPFind3U.exe to your Desktop and double-click on it to extract the files.
It will create a folder named WinPFind3u on your desktop.
Close ALL OTHER PROGRAMS.
Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
Change settings Under Files/Folders Created Within
* Click on 60 days
Change settings Under Files/Folders Modified Within
* Click on 60 days
Next on the right side of screen Under Additional Scans
* Put a checkmark in the box next to Reg-ControlSets
* Put a checkmark in the box next to Reg-File Associations
* Put a checkmark in the box next to Reg-Security Settings
Now click the Run Scan button on the toolbar.
The program will be scanning huge amounts of data, so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Word Wrap is not checked. If it is, then click on it to uncheck it.
Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in.
If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
WinPFind3U by OldTimer - Version 1.0.43 Folder = C:\Documents and Settings\Nick\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 6.0.2900.2180)
511.48 Mb Total Physical Memory | 250.30 Mb Available Physical Memory | 48.94% Memory free
3.59 Gb Paging File | 3.36 Gb Available in Paging File | 93.45% Paging File free
Paging file location(s): C:\pagefile.sys 3200 3972;
%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 149.04 Gb Total Space | 125.38 Gb Free Space | 84.13% Space Free
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
Computer Name: PC
Current User Name: Nick
Logged in as Administrator.
Current Boot Mode: Normal
[Processes - Non-Microsoft Only]
airgcfg.exe -> %ProgramFiles%\D-Link\AirPlus G\AirGCFG.exe -> D-Link [Ver = 3, 3, 0, 41119 | Size = 1224704 bytes | Modified Date = 19/11/2004 8:15:10 AM | Attr = ]
avgas.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 11/06/2007 4:25:42 AM | Attr = ]
guard.exe -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 30/05/2007 7:31:10 AM | Attr = ]
mixer.exe -> %SystemRoot%\mixer.exe -> C-Media Electronic Inc. (www.cmedia.com.tw) [Ver = 1.53 | Size = 1495040 bytes | Modified Date = 12/06/2002 2:23:54 AM | Attr = ]
navapsvc.exe -> %ProgramFiles%\Norton SystemWorks\Norton AntiVirus\Navapsvc.exe -> Symantec Corporation [Ver = 8.00.58 | Size = 115792 bytes | Modified Date = 16/08/2001 5:16:12 PM | Attr = ]
navapw32.exe -> %ProgramFiles%\Norton SystemWorks\Norton AntiVirus\navapw32.exe -> Symantec Corporation [Ver = 8.00.58 | Size = 83024 bytes | Modified Date = 16/08/2001 4:52:42 PM | Attr = ]
nopdb.exe -> %ProgramFiles%\Norton SystemWorks\Speed Disk\NOPDB.EXE -> Symantec Corporation [Ver = 6.0.0.20 | Size = 176161 bytes | Modified Date = 09/08/2001 5:00:00 AM | Attr = ]
nprotect.exe -> %ProgramFiles%\Norton SystemWorks\Norton Utilities\NPROTECT.EXE -> Symantec Corporation [Ver = 15.0.0.20 | Size = 135168 bytes | Modified Date = 10/08/2001 5:00:00 AM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.43.0 | Size = 371200 bytes | Modified Date = 18/11/2007 4:22:40 PM | Attr = ]
wzcsldr2.exe -> %ProgramFiles%\ANI\ANIWZCS2 Service\WZCSLDR2.exe -> Alpha Networks Inc. [Ver = 1, 0, 4, 40414 | Size = 53248 bytes | Modified Date = 22/10/2004 12:42:44 PM | Attr = ]
[Win32 Services - Non-Microsoft Only]
(ANIWZCSdService) ANIWZCSd Service [Win32_Shared | Auto | Stopped] -> %ProgramFiles%\ANI\ANIWZCS2 Service\ANIWZCSdS.exe -> Alpha Networks Inc. [Ver = 1, 0, 1, 30507 | Size = 49152 bytes | Modified Date = 22/10/2004 12:42:44 PM | Attr = ]
(AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\guard.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 22 | Size = 312880 bytes | Modified Date = 30/05/2007 7:31:10 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 04/08/2004 2:56:50 AM | Attr = ]
(FLEXnet Licensing Service) FLEXnet Licensing Service [Win32_Own | On_Demand | Stopped] -> %CommonProgramFiles%\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -> Macrovision Europe Ltd. [Ver = 11.03.005 | Size = 654848 bytes | Modified Date = 12/10/2007 2:43:06 PM | Attr = ]
(navapsvc) Norton AntiVirus Auto Protect Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton SystemWorks\Norton AntiVirus\Navapsvc.exe -> Symantec Corporation [Ver = 8.00.58 | Size = 115792 bytes | Modified Date = 16/08/2001 5:16:12 PM | Attr = ]
(NProtectService) Norton Unerase Protection [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton SystemWorks\Norton Utilities\NPROTECT.EXE -> Symantec Corporation [Ver = 15.0.0.20 | Size = 135168 bytes | Modified Date = 10/08/2001 5:00:00 AM | Attr = ]
(SBService) ScriptBlocking Service [Win32_Own | Auto | Stopped] -> %CommonProgramFiles%\Symantec Shared\Script Blocking\SBServ.exe -> Symantec Corporation [Ver = 1, 1, 0, 126 | Size = 54408 bytes | Modified Date = 13/08/2001 10:18:36 PM | Attr = ]
(Speed Disk service) Speed Disk service [Win32_Own | Auto | Running] -> %ProgramFiles%\Norton SystemWorks\Speed Disk\NOPDB.EXE -> Symantec Corporation [Ver = 6.0.0.20 | Size = 176161 bytes | Modified Date = 09/08/2001 5:00:00 AM | Attr = ]
[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
!AVG Anti-Spyware -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\avgas.exe -> GRISOFT s.r.o. [Ver = 7, 5, 1, 43 | Size = 6731312 bytes | Modified Date = 11/06/2007 4:25:42 AM | Attr = ]
ANIWZCS2Service -> %ProgramFiles%\ANI\ANIWZCS2 Service\WZCSLDR2.exe -> Alpha Networks Inc. [Ver = 1, 0, 4, 40414 | Size = 53248 bytes | Modified Date = 22/10/2004 12:42:44 PM | Attr = ]
C-Media Mixer -> %SystemRoot%\mixer.exe -> C-Media Electronic Inc. (www.cmedia.com.tw) [Ver = 1.53 | Size = 1495040 bytes | Modified Date = 12/06/2002 2:23:54 AM | Attr = ]
D-Link AirPlus G -> %ProgramFiles%\D-Link\AirPlus G\AirGCFG.exe -> D-Link [Ver = 3, 3, 0, 41119 | Size = 1224704 bytes | Modified Date = 19/11/2004 8:15:10 AM | Attr = ]
MSPY2002 -> %System32%\IME\PINTLGNT\IMSCINST.EXE -> [Ver = | Size = 59392 bytes | Modified Date = 04/08/2004 12:31:50 AM | Attr = ]
NAV Agent -> %ProgramFiles%\Norton SystemWorks\Norton AntiVirus\navapw32.exe -> Symantec Corporation [Ver = 8.00.58 | Size = 83024 bytes | Modified Date = 16/08/2001 4:52:42 PM | Attr = ]
< ShellExecuteHooks [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks ->
{57B86673-276A-48B2-BAE7-C6DBB3020EB8} [HKLM] -> %ProgramFiles%\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll [AVG Anti-Spyware 7.5] -> GRISOFT s.r.o. [Ver = 7, 5, 1, 36 | Size = 79408 bytes | Modified Date = 30/05/2007 7:29:58 AM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System\\DisableRegistryTools -> 0 ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome ->
HKLM: Main\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Local Page -> C:\windows\system32\blank.htm ->
HKLM: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: Start Page -> http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home ->
HKLM: CustomizeSearch -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm ->
HKLM: Search\\Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKLM: SearchAssistant -> http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm ->
HKCU: Default_Search_URL -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Local Page -> C:\windows\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch ->
HKCU: Start Page -> http://yahoo.com/ ->
HKCU: ProxyEnable -> 0 ->
HKCU: ProxyOverride -> *.local ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
click_getmirar.com [https] -> ->
click_mirarsearch.com [https] -> ->
redirect_mirarsearch.com [https] -> ->
msn.com [ - ] -> ->
awbeta_net-nucleus.com [https] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{BDF3E430-B101-42AD-A544-FADC6B084872} [HKLM] -> %ProgramFiles%\Norton SystemWorks\Norton AntiVirus\NAVShExt.dll [CNavExtBho Class] -> Symantec Corporation [Ver = 8.00.58 | Size = 102400 bytes | Modified Date = 16/08/2001 3:35:10 PM | Attr = ]
< Internet Explorer ToolBars [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar ->
{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton SystemWorks\Norton AntiVirus\NAVShExt.dll [Norton AntiVirus] -> Symantec Corporation [Ver = 8.00.58 | Size = 102400 bytes | Modified Date = 16/08/2001 3:35:10 PM | Attr = ]
< Internet Explorer ToolBars [HKCU] > -> HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\ ->
WebBrowser\\{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} [HKLM] -> %ProgramFiles%\Norton SystemWorks\Norton AntiVirus\NAVShExt.dll [Norton AntiVirus] -> Symantec Corporation [Ver = 8.00.58 | Size = 102400 bytes | Modified Date = 16/08/2001 3:35:10 PM | Attr = ]
WebBrowser\\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} [HKLM] -> Reg Data - Key not found [Reg Data - Key not found] -> File not found
< User Agent Post Platform [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform ->
SV1 -> ->
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{43DA43CE-33BC-4101-B66A-9A61DEB3FF9C} -> (D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.A2)) ->
{6013B2D2-B0E7-4DDF-89F2-E7EADFE88DDF} -> (D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.A2)) ->
{610B1665-BD37-4571-9E01-D685CF55FD23} -> (D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.A2)) ->
{911AD1F8-2BE7-4817-86D2-B667F0C87355} -> (D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.A2)) ->
{ADCFC62C-1C93-4990-9884-BC59CF2B2752} -> (D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.A2)) ->
{D4E81A21-1D87-4F40-B300-0F11B6E82E5A} -> (VIA Compatable Fast Ethernet Adapter) ->
{E9788ECE-4A5A-4C2A-825D-9A6D8F63D892} -> (D-Link AirPlus G DWL-G122 Wireless USB Adapter(rev.A2)) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} -> CKAVWebScan Object - CodeBase = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab ->
{166B1BCA-3F9C-11CF-8075-444553540000} -> Shockwave ActiveX Control - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://go.microsoft.com/fwlink/?linkid=39204 ->
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -> - CodeBase = http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.3.2.100.cab ->
{56762DEC-6B0D-4AB4-A8AD-989993B5D08B} -> OnlineScanner Control - CodeBase = http://www.eset.eu/buxus/docs/OnlineScanner.cab ->
{5F5F9FB8-878E-4455-95E0-F64B2314288A} -> ijjiPlugin2 Class - CodeBase = http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab ->
{67DABFBF-D0AB-41FA-9C46-CC0F21721616} -> - CodeBase = http://go.divx.com/plugin/DivXBrowserPlugin.cab ->
{CD995117-98E5-4169-9920-6C12D4C0B548} -> HGPlugin9USA Class - CodeBase = http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab ->
{D27CDB6E-AE6D-11CF-96B8-444553540000} -> - CodeBase = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab ->
{DD583921-A9E9-4FBF-9266-8DC2AB5EA0AF} -> HGPlugin10USA Class - CodeBase = http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin10USA.cab ->
[Registry - Additional Scans - Non-Microsoft Only]
< ControlSets > -> ->
HKEY_LOCAL_MACHINE\SYSTEM\Select\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\Select\\Current -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\Select\\Default -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\Select\\Failed -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\Select\\LastKnownGood -> 3 ->
< File Associations - Select to Repair > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\ ->
.bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.chm [@ = chm.file] -> PersistentHandler = Reg Data - Key not found ->
.cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb} ->
.hlp [@ = hlpfile] -> PersistentHandler = Reg Data - Key not found ->
.hta [@ = htafile] -> PersistentHandler = Reg Data - Key not found ->
.html [@ = FirefoxHTML] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20} ->
.inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found ->
.pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found ->
.reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found ->
.txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found ->
.vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb} ->
.wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found ->
.wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found ->
< Security Settings > -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\UpdatesDisableNotify -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\AntiVirusOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\\FirewallOverride -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Start -> 3 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ImagePath -> %SystemRoot%\system32\svchost.exe -k netsvcs ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DisplayName -> Background Intelligent Transfer Service ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DependOnService -> RpcSs; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\Description -> Transfers data between clients and servers in the background. If BITS is disabled, features such as Windows Update will not work correctly. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\\FailureActions ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters\\ServiceDll -> C:\WINDOWS\system32\qmgr.dll ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Security\\Security ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\0 -> Root\LEGACY_BITS\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnGroup -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DependOnService -> Netman;WinMgmt; ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Description -> Provides network address translation, addressing, name resolution and/or intrusion prevention services for a home or small office network. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\DisplayName -> Windows Firewall/Internet Connection Sharing (ICS) ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ImagePath -> %SystemRoot%\System32\svchost.exe -k netsvcs ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch\\Epoch -> 6402 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\\ServiceDll -> %SystemRoot%\System32\ipnathlp.dll ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\EnableFirewall -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DoNotAllowExceptions -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\\DisableNotifications -> 0 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\mIRC\mirc.exe -> C:\Program Files\mIRC\mirc.exe:*:Enabled:mIRC ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Nexon\MapleStory\MapleStory.exe -> C:\Nexon\MapleStory\MapleStory.exe:*:Disabled:MapleStory ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\\C:\Program Files\MSN Messenger\msnmsgr.exe -> C:\Program Files\MSN Messenger\msnmsgr.exe:*:Enabled:Messenger ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\139:TCP -> 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\445:TCP -> 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\137:UDP -> 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\138:UDP -> 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\1900:UDP -> 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\\2869:TCP -> 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\\ServiceUpgrade -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Setup\InterfacesUnfirewalledAtUpdate\\All -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\0 -> Root\LEGACY_SHAREDACCESS\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Enum\\NextInstance -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Type -> 32 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Start -> 2 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ErrorControl -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ImagePath -> %systemroot%\system32\svchost.exe -k netsvcs ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\DisplayName -> Automatic Updates ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\ObjectName -> LocalSystem ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\\Description -> Enables the download and installation of Windows updates. If this service is disabled, this computer will not be able to use the Automatic Updates feature or the Windows Update Web site. ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters\\ServiceDll -> C:\WINDOWS\system32\wuauserv.dll ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Security\\Security ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\ -> ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\0 -> Root\LEGACY_WUAUSERV\0000 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\Count -> 1 ->
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Enum\\NextInstance -> 1 ->
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Created Date = 17/11/2007 10:57:51 AM | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536399872 bytes | Created Date = 01/01/1601 5:00:00 AM | Attr = HS]
Nexon -> %SystemDrive%\Nexon -> [Folder | Created Date = 04/10/2007 2:40:12 PM | Attr = ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Created Date = 18/11/2007 5:09:24 AM | Attr = ]
sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm -> [Ver = | Size = 268 bytes | Created Date = 23/09/2007 9:17:00 AM | Attr = H ]
sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm -> [Ver = | Size = 268 bytes | Created Date = 23/09/2007 12:02:47 PM | Attr = H ]
sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm -> [Ver = | Size = 244 bytes | Created Date = 23/09/2007 9:17:00 AM | Attr = H ]
sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm -> [Ver = | Size = 244 bytes | Created Date = 23/09/2007 12:02:47 PM | Attr = H ]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136192 bytes | Created Date = 15/11/2007 4:16:45 PM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 15/11/2007 4:29:22 PM | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Created Date = 15/11/2007 3:48:07 PM | Attr = ]
msettings.ini -> %SystemRoot%\msettings.ini -> [Ver = | Size = 21227 bytes | Created Date = 10/11/2007 5:36:50 PM | Attr = ]
NirCmd.exe -> %SystemRoot%\NirCmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 15/11/2007 4:16:45 PM | Attr = ]
TEMP -> %SystemRoot%\TEMP -> [Folder | Created Date = 18/11/2007 5:14:47 AM | Attr = ]
bbesokwu.ini -> %System32%\bbesokwu.ini -> [Ver = | Size = 982511 bytes | Created Date = 15/11/2007 4:53:20 AM | Attr = HS]
cqnpvvcu.ini -> %System32%\cqnpvvcu.ini -> [Ver = | Size = 678100 bytes | Created Date = 16/11/2007 9:41:26 PM | Attr = HS]
dbkyxrru.ini -> %System32%\dbkyxrru.ini -> [Ver = | Size = 537469 bytes | Created Date = 04/11/2007 9:49:26 AM | Attr = HS]
ddnktgfk.ini -> %System32%\ddnktgfk.ini -> [Ver = | Size = 967822 bytes | Created Date = 16/11/2007 3:20:40 AM | Attr = HS]
dqvrovni.ini -> %System32%\dqvrovni.ini -> [Ver = | Size = 585214 bytes | Created Date = 10/11/2007 5:24:08 PM | Attr = HS]
dsfkxbxm.ini -> %System32%\dsfkxbxm.ini -> [Ver = | Size = 579438 bytes | Created Date = 31/10/2007 3:21:39 PM | Attr = HS]
dwfokvjc.ini -> %System32%\dwfokvjc.ini -> [Ver = | Size = 677980 bytes | Created Date = 16/11/2007 5:50:54 AM | Attr = HS]
ecxebjmi.ini -> %System32%\ecxebjmi.ini -> [Ver = | Size = 585436 bytes | Created Date = 11/11/2007 2:12:04 PM | Attr = HS]
gkiuqspp.ini -> %System32%\gkiuqspp.ini -> [Ver = | Size = 1225292 bytes | Created Date = 15/11/2007 4:04:21 PM | Attr = HS]
hcfdpjnr.ini -> %System32%\hcfdpjnr.ini -> [Ver = | Size = 583166 bytes | Created Date = 12/11/2007 9:37:08 AM | Attr = HS]
hhovrsxq.ini -> %System32%\hhovrsxq.ini -> [Ver = | Size = 585316 bytes | Created Date = 11/11/2007 10:51:23 AM | Attr = HS]
instdump.dmp -> %System32%\instdump.dmp -> [Ver = | Size = 86857 bytes | Created Date = 15/11/2007 3:30:33 PM | Attr = ]
instdump.zip -> %System32%\instdump.zip -> [Ver = | Size = 16324 bytes | Created Date = 15/11/2007 3:30:35 PM | Attr = ]
itlhywbg.ini -> %System32%\itlhywbg.ini -> [Ver = | Size = 584836 bytes | Created Date = 10/11/2007 12:26:33 PM | Attr = HS]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Created Date = 18/11/2007 5:17:51 AM | Attr = ]
kxbkryvr.ini -> %System32%\kxbkryvr.ini -> [Ver = | Size = 585616 bytes | Created Date = 11/11/2007 5:30:15 PM | Attr = HS]
leatiraq.ini -> %System32%\leatiraq.ini -> [Ver = | Size = 671187 bytes | Created Date = 14/11/2007 3:20:23 PM | Attr = HS]
lotlaluc.ini -> %System32%\lotlaluc.ini -> [Ver = | Size = 590836 bytes | Created Date = 12/11/2007 10:28:50 AM | Attr = HS]
lpbhfxyk.ini -> %System32%\lpbhfxyk.ini -> [Ver = | Size = 591196 bytes | Created Date = 12/11/2007 8:07:43 PM | Attr = HS]
lxbrhfps.ini -> %System32%\lxbrhfps.ini -> [Ver = | Size = 584596 bytes | Created Date = 09/11/2007 3:24:58 PM | Attr = HS]
lycwdiyd.ini -> %System32%\lycwdiyd.ini -> [Ver = | Size = 584965 bytes | Created Date = 10/11/2007 12:42:37 PM | Attr = HS]
mbpnebfm.ini -> %System32%\mbpnebfm.ini -> [Ver = | Size = 585076 bytes | Created Date = 10/11/2007 2:34:33 PM | Attr = HS]
mqufbcvp.ini -> %System32%\mqufbcvp.ini -> [Ver = | Size = 669740 bytes | Created Date = 15/11/2007 3:21:18 PM | Attr = HS]
nwkhsxrc.ini -> %System32%\nwkhsxrc.ini -> [Ver = | Size = 669053 bytes | Created Date = 13/11/2007 3:21:24 PM | Attr = HS]
oucyvwav.ini -> %System32%\oucyvwav.ini -> [Ver = | Size = 591136 bytes | Created Date = 12/11/2007 12:43:52 PM | Attr = HS]
pjeqpwsh.ini -> %System32%\pjeqpwsh.ini -> [Ver = | Size = 590956 bytes | Created Date = 12/11/2007 12:09:42 PM | Attr = HS]
qqjpftxi.ini -> %System32%\qqjpftxi.ini -> [Ver = | Size = 669113 bytes | Created Date = 13/11/2007 6:17:28 PM | Attr = HS]
rlpfkqto.ini -> %System32%\rlpfkqto.ini -> [Ver = | Size = 478974 bytes | Created Date = 07/11/2007 8:30:04 PM | Attr = HS]
rlpfkqto.tmp -> %System32%\rlpfkqto.tmp -> [Ver = | Size = 478974 bytes | Created Date = 07/11/2007 9:09:21 PM | Attr = ]
rnwrakxr.ini -> %System32%\rnwrakxr.ini -> [Ver = | Size = 487610 bytes | Created Date = 05/11/2007 5:01:00 PM | Attr = HS]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Created Date = 16/11/2007 9:48:33 PM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 16/11/2007 9:48:33 PM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 16/11/2007 9:48:33 PM | Attr = ]
syvnivnd.ini -> %System32%\syvnivnd.ini -> [Ver = | Size = 549891 bytes | Created Date = 01/11/2007 2:22:50 PM | Attr = HS]
tgbbnlro.ini -> %System32%\tgbbnlro.ini -> [Ver = | Size = 577678 bytes | Created Date = 30/10/2007 3:23:47 PM | Attr = HS]
tgscbiwy.ini -> %System32%\tgscbiwy.ini -> [Ver = | Size = 671187 bytes | Created Date = 14/11/2007 5:21:47 PM | Attr = HS]
tmirbebl.ini -> %System32%\tmirbebl.ini -> [Ver = | Size = 585616 bytes | Created Date = 11/11/2007 3:16:30 PM | Attr = HS]
twosksuk.ini -> %System32%\twosksuk.ini -> [Ver = | Size = 590716 bytes | Created Date = 12/11/2007 10:04:01 AM | Attr = HS]
upmyttrs.ini -> %System32%\upmyttrs.ini -> [Ver = | Size = 584476 bytes | Created Date = 08/11/2007 3:17:14 PM | Attr = HS]
urcopqvc.ini -> %System32%\urcopqvc.ini -> [Ver = | Size = 584545 bytes | Created Date = 11/11/2007 6:06:16 PM | Attr = HS]
vboglmqe.ini -> %System32%\vboglmqe.ini -> [Ver = | Size = 671247 bytes | Created Date = 14/11/2007 3:40:54 PM | Attr = HS]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 15/11/2007 4:16:43 PM | Attr = ]
vuctgigm.ini -> %System32%\vuctgigm.ini -> [Ver = | Size = 540084 bytes | Created Date = 02/11/2007 3:21:06 PM | Attr = HS]
wkdjtltq.ini -> %System32%\wkdjtltq.ini -> [Ver = | Size = 478854 bytes | Created Date = 07/11/2007 7:52:19 PM | Attr = HS]
xvxrwwdk.ini -> %System32%\xvxrwwdk.ini -> [Ver = | Size = 671316 bytes | Created Date = 14/11/2007 8:15:24 PM | Attr = HS]
yktmqmln.ini -> %System32%\yktmqmln.ini -> [Ver = | Size = 668993 bytes | Created Date = 13/11/2007 7:58:06 PM | Attr = HS]
yrxytved.ini -> %System32%\yrxytved.ini -> [Ver = | Size = 678040 bytes | Created Date = 16/11/2007 5:50:56 AM | Attr = HS]
yvsmwyap.ini -> %System32%\yvsmwyap.ini -> [Ver = | Size = 584743 bytes | Created Date = 10/11/2007 9:33:14 AM | Attr = HS]
AvgAsCln.sys -> %System32%\drivers\AvgAsCln.sys -> GRISOFT, s.r.o. [Ver = 1.0.0.14 | Size = 10872 bytes | Created Date = 17/11/2007 7:55:00 AM | Attr = ]
[Files/Folders - Modified Within 60 days]
Config.Msi -> %SystemDrive%\Config.Msi -> [Folder | Modified Date = 18/11/2007 1:13:08 AM | Attr = HS]
hiberfil.sys -> %SystemDrive%\hiberfil.sys -> [Ver = | Size = 536399872 bytes | Modified Date = 21/11/2007 3:54:00 AM | Attr = HS]
Nexon -> %SystemDrive%\Nexon -> [Folder | Modified Date = 27/10/2007 6:09:58 PM | Attr = ]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 19/11/2007 3:24:18 AM | Attr = R ]
qoobox -> %SystemDrive%\qoobox -> [Folder | Modified Date = 18/11/2007 5:14:42 AM | Attr = ]
sqmdata00.sqm -> %SystemDrive%\sqmdata00.sqm -> [Ver = | Size = 268 bytes | Modified Date = 14/11/2007 5:16:40 PM | Attr = H ]
sqmdata01.sqm -> %SystemDrive%\sqmdata01.sqm -> [Ver = | Size = 268 bytes | Modified Date = 14/11/2007 8:13:20 PM | Attr = H ]
sqmdata02.sqm -> %SystemDrive%\sqmdata02.sqm -> [Ver = | Size = 268 bytes | Modified Date = 15/11/2007 3:17:38 PM | Attr = H ]
sqmdata03.sqm -> %SystemDrive%\sqmdata03.sqm -> [Ver = | Size = 268 bytes | Modified Date = 15/11/2007 4:03:26 PM | Attr = H ]
sqmdata04.sqm -> %SystemDrive%\sqmdata04.sqm -> [Ver = | Size = 268 bytes | Modified Date = 15/11/2007 4:34:08 PM | Attr = H ]
sqmdata05.sqm -> %SystemDrive%\sqmdata05.sqm -> [Ver = | Size = 268 bytes | Modified Date = 15/11/2007 7:13:04 PM | Attr = H ]
sqmdata06.sqm -> %SystemDrive%\sqmdata06.sqm -> [Ver = | Size = 268 bytes | Modified Date = 16/11/2007 3:14:32 AM | Attr = H ]
sqmdata07.sqm -> %SystemDrive%\sqmdata07.sqm -> [Ver = | Size = 268 bytes | Modified Date = 16/11/2007 5:20:36 AM | Attr = H ]
sqmdata08.sqm -> %SystemDrive%\sqmdata08.sqm -> [Ver = | Size = 268 bytes | Modified Date = 16/11/2007 5:41:40 AM | Attr = H ]
sqmdata09.sqm -> %SystemDrive%\sqmdata09.sqm -> [Ver = | Size = 268 bytes | Modified Date = 16/11/2007 6:21:18 AM | Attr = H ]
sqmdata10.sqm -> %SystemDrive%\sqmdata10.sqm -> [Ver = | Size = 268 bytes | Modified Date = 16/11/2007 7:26:16 AM | Attr = H ]
sqmdata11.sqm -> %SystemDrive%\sqmdata11.sqm -> [Ver = | Size = 268 bytes | Modified Date = 16/11/2007 9:38:54 PM | Attr = H ]
sqmdata12.sqm -> %SystemDrive%\sqmdata12.sqm -> [Ver = | Size = 268 bytes | Modified Date = 17/11/2007 12:57:50 AM | Attr = H ]
sqmdata13.sqm -> %SystemDrive%\sqmdata13.sqm -> [Ver = | Size = 268 bytes | Modified Date = 12/11/2007 5:07:20 PM | Attr = H ]
sqmdata14.sqm -> %SystemDrive%\sqmdata14.sqm -> [Ver = | Size = 268 bytes | Modified Date = 12/11/2007 8:02:14 PM | Attr = H ]
sqmdata15.sqm -> %SystemDrive%\sqmdata15.sqm -> [Ver = | Size = 268 bytes | Modified Date = 13/11/2007 3:15:30 PM | Attr = H ]
sqmdata16.sqm -> %SystemDrive%\sqmdata16.sqm -> [Ver = | Size = 268 bytes | Modified Date = 13/11/2007 6:12:26 PM | Attr = H ]
sqmdata17.sqm -> %SystemDrive%\sqmdata17.sqm -> [Ver = | Size = 268 bytes | Modified Date = 13/11/2007 7:50:40 PM | Attr = H ]
sqmdata18.sqm -> %SystemDrive%\sqmdata18.sqm -> [Ver = | Size = 268 bytes | Modified Date = 14/11/2007 3:18:02 PM | Attr = H ]
sqmdata19.sqm -> %SystemDrive%\sqmdata19.sqm -> [Ver = | Size = 268 bytes | Modified Date = 14/11/2007 3:38:52 PM | Attr = H ]
sqmnoopt00.sqm -> %SystemDrive%\sqmnoopt00.sqm -> [Ver = | Size = 244 bytes | Modified Date = 14/11/2007 5:16:40 PM | Attr = H ]
sqmnoopt01.sqm -> %SystemDrive%\sqmnoopt01.sqm -> [Ver = | Size = 244 bytes | Modified Date = 14/11/2007 8:13:20 PM | Attr = H ]
sqmnoopt02.sqm -> %SystemDrive%\sqmnoopt02.sqm -> [Ver = | Size = 244 bytes | Modified Date = 15/11/2007 3:17:38 PM | Attr = H ]
sqmnoopt03.sqm -> %SystemDrive%\sqmnoopt03.sqm -> [Ver = | Size = 244 bytes | Modified Date = 15/11/2007 4:03:26 PM | Attr = H ]
sqmnoopt04.sqm -> %SystemDrive%\sqmnoopt04.sqm -> [Ver = | Size = 244 bytes | Modified Date = 15/11/2007 4:34:08 PM | Attr = H ]
sqmnoopt05.sqm -> %SystemDrive%\sqmnoopt05.sqm -> [Ver = | Size = 244 bytes | Modified Date = 15/11/2007 7:13:04 PM | Attr = H ]
sqmnoopt06.sqm -> %SystemDrive%\sqmnoopt06.sqm -> [Ver = | Size = 244 bytes | Modified Date = 16/11/2007 3:14:32 AM | Attr = H ]
sqmnoopt07.sqm -> %SystemDrive%\sqmnoopt07.sqm -> [Ver = | Size = 244 bytes | Modified Date = 16/11/2007 5:20:36 AM | Attr = H ]
sqmnoopt08.sqm -> %SystemDrive%\sqmnoopt08.sqm -> [Ver = | Size = 244 bytes | Modified Date = 16/11/2007 5:41:40 AM | Attr = H ]
sqmnoopt09.sqm -> %SystemDrive%\sqmnoopt09.sqm -> [Ver = | Size = 244 bytes | Modified Date = 16/11/2007 6:21:16 AM | Attr = H ]
sqmnoopt10.sqm -> %SystemDrive%\sqmnoopt10.sqm -> [Ver = | Size = 244 bytes | Modified Date = 16/11/2007 7:26:16 AM | Attr = H ]
sqmnoopt11.sqm -> %SystemDrive%\sqmnoopt11.sqm -> [Ver = | Size = 244 bytes | Modified Date = 16/11/2007 9:38:54 PM | Attr = H ]
sqmnoopt12.sqm -> %SystemDrive%\sqmnoopt12.sqm -> [Ver = | Size = 244 bytes | Modified Date = 17/11/2007 12:57:48 AM | Attr = H ]
sqmnoopt13.sqm -> %SystemDrive%\sqmnoopt13.sqm -> [Ver = | Size = 244 bytes | Modified Date = 12/11/2007 5:07:20 PM | Attr = H ]
sqmnoopt14.sqm -> %SystemDrive%\sqmnoopt14.sqm -> [Ver = | Size = 244 bytes | Modified Date = 12/11/2007 8:02:14 PM | Attr = H ]
sqmnoopt15.sqm -> %SystemDrive%\sqmnoopt15.sqm -> [Ver = | Size = 244 bytes | Modified Date = 13/11/2007 3:15:30 PM | Attr = H ]
sqmnoopt16.sqm -> %SystemDrive%\sqmnoopt16.sqm -> [Ver = | Size = 244 bytes | Modified Date = 13/11/2007 6:12:26 PM | Attr = H ]
sqmnoopt17.sqm -> %SystemDrive%\sqmnoopt17.sqm -> [Ver = | Size = 244 bytes | Modified Date = 13/11/2007 7:50:40 PM | Attr = H ]
sqmnoopt18.sqm -> %SystemDrive%\sqmnoopt18.sqm -> [Ver = | Size = 244 bytes | Modified Date = 14/11/2007 3:18:02 PM | Attr = H ]
sqmnoopt19.sqm -> %SystemDrive%\sqmnoopt19.sqm -> [Ver = | Size = 244 bytes | Modified Date = 14/11/2007 3:38:52 PM | Attr = H ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 20/11/2007 5:10:16 AM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 21/11/2007 3:54:02 AM | Attr = S]
catchme.exe -> %SystemRoot%\catchme.exe -> [Ver = | Size = 136192 bytes | Modified Date = 29/10/2007 6:56:20 PM | Attr = ]
Downloaded Program Files -> %SystemRoot%\Downloaded Program Files -> [Folder | Modified Date = 20/11/2007 3:31:34 AM | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 17/11/2007 7:46:40 AM | Attr = ]
ERUNT -> %SystemRoot%\ERUNT -> [Folder | Modified Date = 15/11/2007 3:48:20 PM | Attr = ]
Fonts -> %SystemRoot%\Fonts -> [Folder | Modified Date = 12/10/2007 2:58:40 PM | Attr = R S]
GunzLauncher.INI -> %SystemRoot%\GunzLauncher.INI -> [Ver = | Size = 50 bytes | Modified Date = 24/09/2007 3:22:52 PM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 18/11/2007 5:17:52 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 17/11/2007 11:33:02 AM | Attr = HS]
msettings.ini -> %SystemRoot%\msettings.ini -> [Ver = | Size = 21227 bytes | Modified Date = 16/11/2007 9:51:38 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 21/11/2007 4:12:10 AM | Attr = ]
Registration -> %SystemRoot%\Registration -> [Folder | Modified Date = 20/11/2007 5:11:12 AM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 21/11/2007 3:58:16 AM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 16/11/2007 10:05:02 PM | Attr = S]
TEMP -> %SystemRoot%\TEMP -> [Folder | Modified Date = 21/11/2007 3:54:38 AM | Attr = ]
Norton AntiVirus - Scan my computer.job -> %SystemRoot%\tasks\Norton AntiVirus - Scan my computer.job -> [Ver = | Size = 480 bytes | Modified Date = 06/10/2007 8:24:58 AM | Attr = ]
Norton SystemWorks One Button Checkup.job -> %SystemRoot%\tasks\Norton SystemWorks One Button Checkup.job -> [Ver = | Size = 414 bytes | Modified Date = 12/10/2007 4:39:52 PM | Attr = ]
RegSweep Scheduled Scan.job -> %SystemRoot%\tasks\RegSweep Scheduled Scan.job -> [Ver = | Size = 384 bytes | Modified Date = 20/11/2007 3:30:02 AM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 21/11/2007 3:54:06 AM | Attr = H ]
Symantec NetDetect.job -> %SystemRoot%\tasks\Symantec NetDetect.job -> [Ver = | Size = 410 bytes | Modified Date = 21/11/2007 3:55:14 AM | Attr = ]
bbesokwu.ini -> %System32%\bbesokwu.ini -> [Ver = | Size = 982511 bytes | Modified Date = 16/11/2007 3:22:00 AM | Attr = HS]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 20/11/2007 3:30:58 AM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 17/11/2007 7:46:48 AM | Attr = ]
cqnpvvcu.ini -> %System32%\cqnpvvcu.ini -> [Ver = | Size = 678100 bytes | Modified Date = 17/11/2007 7:42:40 AM | Attr = HS]
dbkyxrru.ini -> %System32%\dbkyxrru.ini -> [Ver = | Size = 537469 bytes | Modified Date = 05/11/2007 4:58:10 PM | Attr = HS]
ddnktgfk.ini -> %System32%\ddnktgfk.ini -> [Ver = | Size = 967822 bytes | Modified Date = 16/11/2007 3:22:02 AM | Attr = HS]
dllcache -> %System32%\dllcache -> [Folder | Modified Date = 19/10/2007 7:54:38 AM | Attr = RHS]
dqvrovni.ini -> %System32%\dqvrovni.ini -> [Ver = | Size = 585214 bytes | Modified Date = 11/11/2007 10:45:46 AM | Attr = HS]
drivers -> %System32%\drivers -> [Folder | Modified Date = 21/11/2007 4:09:52 AM | Attr = ]
dsfkxbxm.ini -> %System32%\dsfkxbxm.ini -> [Ver = | Size = 579438 bytes | Modified Date = 01/11/2007 2:19:30 PM | Attr = HS]
dwfokvjc.ini -> %System32%\dwfokvjc.ini -> [Ver = | Size = 677980 bytes | Modified Date = 16/11/2007 5:53:50 AM | Attr = HS]
ecxebjmi.ini -> %System32%\ecxebjmi.ini -> [Ver = | Size = 585436 bytes | Modified Date = 11/11/2007 3:14:14 PM | Attr = HS]
FNTCACHE.DAT -> %System32%\FNTCACHE.DAT -> [Ver = | Size = 1432816 bytes | Modified Date = 12/10/2007 3:55:46 PM | Attr = ]
gkiuqspp.ini -> %System32%\gkiuqspp.ini -> [Ver = | Size = 1225292 bytes | Modified Date = 15/11/2007 4:43:46 AM | Attr = HS]
hcfdpjnr.ini -> %System32%\hcfdpjnr.ini -> [Ver = | Size = 583166 bytes | Modified Date = 12/11/2007 10:00:28 AM | Attr = HS]
hhovrsxq.ini -> %System32%\hhovrsxq.ini -> [Ver = | Size = 585316 bytes | Modified Date = 11/11/2007 2:06:20 PM | Attr = HS]
instdump.dmp -> %System32%\instdump.dmp -> [Ver = | Size = 86857 bytes | Modified Date = 15/11/2007 3:30:36 PM | Attr = ]
instdump.zip -> %System32%\instdump.zip -> [Ver = | Size = 16324 bytes | Modified Date = 15/11/2007 3:30:48 PM | Attr = ]
itlhywbg.ini -> %System32%\itlhywbg.ini -> [Ver = | Size = 584836 bytes | Modified Date = 10/11/2007 12:39:54 PM | Attr = HS]
Kaspersky Lab -> %System32%\Kaspersky Lab -> [Folder | Modified Date = 18/11/2007 5:17:52 AM | Attr = ]
kxbkryvr.ini -> %System32%\kxbkryvr.ini -> [Ver = | Size = 585616 bytes | Modified Date = 11/11/2007 5:30:16 PM | Attr = HS]
leatiraq.ini -> %System32%\leatiraq.ini -> [Ver = | Size = 671187 bytes | Modified Date = 14/11/2007 3:41:04 PM | Attr = HS]
lotlaluc.ini -> %System32%\lotlaluc.ini -> [Ver = | Size = 590836 bytes | Modified Date = 12/11/2007 12:00:18 PM | Attr = HS]
lpbhfxyk.ini -> %System32%\lpbhfxyk.ini -> [Ver = | Size = 591196 bytes | Modified Date = 12/11/2007 8:07:58 PM | Attr = HS]
lxbrhfps.ini -> %System32%\lxbrhfps.ini -> [Ver = | Size = 584596 bytes | Modified Date = 10/11/2007 9:30:42 AM | Attr = HS]
lycwdiyd.ini -> %System32%\lycwdiyd.ini -> [Ver = | Size = 584965 bytes | Modified Date = 10/11/2007 2:33:30 PM | Attr = HS]
mbpnebfm.ini -> %System32%\mbpnebfm.ini -> [Ver = | Size = 585076 bytes | Modified Date = 10/11/2007 5:18:18 PM | Attr = HS]
mqufbcvp.ini -> %System32%\mqufbcvp.ini -> [Ver = | Size = 669740 bytes | Modified Date = 15/11/2007 4:02:56 PM | Attr = HS]
nwkhsxrc.ini -> %System32%\nwkhsxrc.ini -> [Ver = | Size = 669053 bytes | Modified Date = 13/11/2007 6:11:10 PM | Attr = HS]
oucyvwav.ini -> %System32%\oucyvwav.ini -> [Ver = | Size = 591136 bytes | Modified Date = 12/11/2007 8:07:58 PM | Attr = HS]
perfc009.dat -> %System32%\perfc009.dat -> [Ver = | Size = 40108 bytes | Modified Date = 21/11/2007 3:58:16 AM | Attr = ]
perfh009.dat -> %System32%\perfh009.dat -> [Ver = | Size = 311912 bytes | Modified Date = 21/11/2007 3:58:16 AM | Attr = ]
PerfStringBackup.INI -> %System32%\PerfStringBackup.INI -> [Ver = | Size = 356120 bytes | Modified Date = 21/11/2007 3:58:16 AM | Attr = ]
pjeqpwsh.ini -> %System32%\pjeqpwsh.ini -> [Ver = | Size = 590956 bytes | Modified Date = 12/11/2007 12:41:12 PM | Attr = HS]
qqjpftxi.ini -> %System32%\qqjpftxi.ini -> [Ver = | Size = 669113 bytes | Modified Date = 13/11/2007 6:18:00 PM | Attr = HS]
rlpfkqto.ini -> %System32%\rlpfkqto.ini -> [Ver = | Size = 478974 bytes | Modified Date = 07/11/2007 9:09:48 PM | Attr = HS]
rlpfkqto.tmp -> %System32%\rlpfkqto.tmp -> [Ver = | Size = 478974 bytes | Modified Date = 07/11/2007 9:09:54 PM | Attr = ]
rnwrakxr.ini -> %System32%\rnwrakxr.ini -> [Ver = | Size = 487610 bytes | Modified Date = 07/11/2007 7:49:18 PM | Attr = HS]
syvnivnd.ini -> %System32%\syvnivnd.ini -> [Ver = | Size = 549891 bytes | Modified Date = 02/11/2007 2:16:06 PM | Attr = HS]
tgbbnlro.ini -> %System32%\tgbbnlro.ini -> [Ver = | Size = 577678 bytes | Modified Date = 31/10/2007 3:19:14 PM | Attr = HS]
tgscbiwy.ini -> %System32%\tgscbiwy.ini -> [Ver = | Size = 671187 bytes | Modified Date = 14/11/2007 8:12:56 PM | Attr = HS]
tmirbebl.ini -> %System32%\tmirbebl.ini -> [Ver = | Size = 585616 bytes | Modified Date = 11/11/2007 5:24:32 PM | Attr = HS]
tmp.reg -> %System32%\tmp.reg -> [Ver = | Size = 1338 bytes | Modified Date = 16/11/2007 5:13:40 AM | Attr = ]
twosksuk.ini -> %System32%\twosksuk.ini -> [Ver = | Size = 590716 bytes | Modified Date = 12/11/2007 10:23:02 AM | Attr = HS]
upmyttrs.ini -> %System32%\upmyttrs.ini -> [Ver = | Size = 584476 bytes | Modified Date = 09/11/2007 3:17:52 PM | Attr = HS]
urcopqvc.ini -> %System32%\urcopqvc.ini -> [Ver = | Size = 584545 bytes | Modified Date = 12/11/2007 9:34:24 AM | Attr = HS]
vboglmqe.ini -> %System32%\vboglmqe.ini -> [Ver = | Size = 671247 bytes | Modified Date = 14/11/2007 3:41:10 PM | Attr = HS]
vuctgigm.ini -> %System32%\vuctgigm.ini -> [Ver = | Size = 540084 bytes | Modified Date = 04/11/2007 9:47:12 AM | Attr = HS]
wkdjtltq.ini -> %System32%\wkdjtltq.ini -> [Ver = | Size = 478854 bytes | Modified Date = 07/11/2007 8:27:26 PM | Attr = HS]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 2206 bytes | Modified Date = 15/11/2007 7:11:12 AM | Attr = ]
xvxrwwdk.ini -> %System32%\xvxrwwdk.ini -> [Ver = | Size = 671316 bytes | Modified Date = 15/11/2007 3:19:34 PM | Attr = HS]
yktmqmln.ini -> %System32%\yktmqmln.ini -> [Ver = | Size = 668993 bytes | Modified Date = 13/11/2007 8:01:24 PM | Attr = HS]
yrxytved.ini -> %System32%\yrxytved.ini -> [Ver = | Size = 678040 bytes | Modified Date = 16/11/2007 5:53:18 AM | Attr = HS]
yvsmwyap.ini -> %System32%\yvsmwyap.ini -> [Ver = | Size = 584743 bytes | Modified Date = 10/11/2007 12:21:00 PM | Attr = HS]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 18/11/2007 5:11:24 AM | Attr = ]
[File String Scan - Non-Microsoft Only]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 23/08/2001 7:00:00 AM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 2.0.1.8 | Size = 279552 bytes | Modified Date = 22/07/2007 6:39:28 PM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 23/08/2001 7:00:00 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 23/08/2001 7:00:00 AM | Attr = ]
< End of report >
Please visit Virustotal
Infections can change and fresh instructions will now need to be given. This topic is now closed. If you still require assistance, please start a new topic in the Spyware & Virus Removal Forum.
If you wish this topic reopened, please send a Private Message (PM) to one of the Spyware Mods with a link to your thread.
Do not bother contacting us if you are not the topic starter. A valid, working link to the closed topic is required.
If you are not the user who started this thread, you must start a new thread instead.