Computer Hope
Software => Computer viruses and spyware => Topic started by: bobbysgirlonly on August 27, 2008, 08:07:34 PM
-
i am having several issues, but the main one is that i cannot download .exe files. when trying to i get a box that states "your current security settings do not allow this file to download."
i don't know what security setting they are talking about. i went to the internet options and changed all of the security settings to default, and stupidly i also deleted my AVG antivirus, thinking that was the problem and i would be able to redownload it, but NO, i still can't. i have reinstalled AVG.
the other day, i'm sure it is related, but when i have a web page open, from somewhere a "message" starts playing, there are no other windows open and i know it is not coming from the page that i have open. it is someone speaking, about a gift card, and another was something else, and after a few minutes the whole window would shut down. this has stopped so far, i didn't do anything except the normal virus scans that run every night
i cannot restore my system from any of the restore points. also some of the trojan popups are listed as restore something or other, when i click on heal or move to vault i get no file exsists or something like that.
i also created another user on my computer and i am able to download from that user name, just not my current name. and i don't know if it is related, but when i try to switch users, i cannot, i have to log off of the one to access the other.
another problem, again, i don't know if it is related, but want to give you all the info, under device manager there is an exclamation point by the
SCSI/RAID CONTROLLERS-then listed is A5Z04NRK IDE controller.
i don't know what that is and no other info is given about it. i have tried to update the driver, but i get a message saying not available or something, but whenever i reboot or restart, the box pops up that new hardware is found and it wants me to install, but i can't and seeing how i don't even know what this is, i don't know if i have a disc to update anything.
the last probelm, so far, that i HAVE resolved was that i could not get onto the internet. i checked some back posts online and did a reset of the ip something and the winsock, and that got me back online....it was just this computer that could not access the internet, i have another computer also networked and through the same modem and router and it worked just fine.
i don't get it this ALL started happening at the same time, ANY help would be greatly apprciated!! thank you
-
There are certainly a lot of issues, some of which may not be virus-related. Let's start here...
http://www.computerhope.com/forum/index.php/topic,46313.0.html
-
thanks for replying!
step 1-ok
step 2- i couldn't download the .exe file so i ran an old version that i already have
step 3-ok
step 4- can't downlaod the .exe file
step 5-ok
step 6- i could do the installing and changing name, but i did just run the program and the log is below (have to make seperate posts posts....too long)
-
here is the spyware log PART1
SUPERAntiSpyware Scan Log
http://www.superantispyware.com
Generated 08/28/2008 at 07:18 AM
Application Version : 4.15.1000
Core Rules Database Version : 3550
Trace Rules Database Version: 1538
Scan type : Complete Scan
Total Scan Time : 04:48:58
Memory items scanned : 493
Memory threats detected : 9
Registry items scanned : 6952
Registry threats detected : 228
File items scanned : 203621
File threats detected : 94
Trojan.Unclassified/AFinding
C:\WINNT\SYSTEM32\AFINDING.EXE
C:\WINNT\SYSTEM32\AFINDING.EXE
C:\WINNT\Prefetch\AFINDING.EXE-140E2AAA.pf
Trojan.Unclassified/Routing-C
C:\WINNT\SYSTEM32\ROUTING.EXE
C:\WINNT\SYSTEM32\ROUTING.EXE
C:\WINNT\Prefetch\ROUTING.EXE-0171ABE9.pf
Trojan.Unclassified/WServing
C:\WINNT\SYSTEM32\WSERVING.EXE
C:\WINNT\SYSTEM32\WSERVING.EXE
C:\WINNT\Prefetch\WSERVING.EXE-059E66CB.pf
Trojan.Downloader-Gen
C:\WINNT\SYSTEM32\NOXTCYR.EXE
C:\WINNT\SYSTEM32\NOXTCYR.EXE
C:\WINNT\SYSTEM32\WSLDOEKD.EXE
C:\WINNT\SYSTEM32\WSLDOEKD.EXE
C:\WINNT\SYSTEM32\AFISICX.EXE
C:\WINNT\SYSTEM32\AFISICX.EXE
C:\WINNT\SYSTEM32\ODUXFTW.SYS
C:\WINNT\Prefetch\AFISICX.EXE-00E77411.pf
C:\WINNT\Prefetch\NOXTCYR.EXE-22BE6428.pf
C:\WINNT\Prefetch\ODUXFTW.SYS-305E05DA.pf
C:\WINNT\Prefetch\WSLDOEKD.EXE-1943F162.pf
Trojan.Unclassified/TDXDOWKC
C:\WINNT\SYSTEM32\TDXDOWKC.EXE
C:\WINNT\SYSTEM32\TDXDOWKC.EXE
C:\WINNT\Prefetch\TDXDOWKC.EXE-03085329.pf
Trojan.Unclassified/MACIDWE
C:\WINNT\SYSTEM32\MACIDWE.EXE
C:\WINNT\SYSTEM32\MACIDWE.EXE
C:\WINNT\Prefetch\MACIDWE.EXE-146F4834.pf
Trojan.Unclassified/SOBICYT
C:\WINNT\SYSTEM32\SOBICYT.EXE
C:\WINNT\SYSTEM32\SOBICYT.EXE
C:\WINNT\Prefetch\SOBICYT.EXE-02B25CC8.pf
Adware.180solutions/ZangoSearch
C:\Program Files\Zango\bin\10.3.37.0
C:\Program Files\Zango\bin
C:\Program Files\Zango
Adware.Zango Toolbar/Hb
HKU\S-1-5-21-2988323194-1629198992-178024722-1003\Software\zangosa
C:\Documents and Settings\Owner\Application Data\Zango\IESkins
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOI\dynamic
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOI\static
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOI
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOL\dynamic
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOL\static
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\HostOL
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\1013357.sdf
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\1066422.sdf
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\2355839.sdf
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\3894408.sdf
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\48657.sdf
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\980767.sdf
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\116977
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\16173
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\16182
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\205324
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\294723
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\297534
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\34149
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\35020
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\39228
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\422734
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\48241
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\490133
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\49700
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\51194
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\59221
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\63169
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\63882
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\65770
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69625
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\69626
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\711791
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\738460
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\744380
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\744999
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\745269
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\749648
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79246
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79977
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML\79986
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\TooltipXML
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic\ustat
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\dynamic
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\static\1\editblbuttons.res
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\static\1\sdfmodifier.xml
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\static\1
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\static\DownLoad\editblbuttons.xip
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\static\DownLoad\keywords.idx
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\static\DownLoad\sdfmodifier.xip
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\static\DownLoad
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango\static
C:\Documents and Settings\Owner\Application Data\Zango\v3.0\Zango
C:\Documents and Settings\Owner\Application Data\Zango\v3.0
C:\Documents and Settings\Owner\Application Data\Zango
-
PART 2
Adware.Zango/ShoppingReport
HKCR\CntntCntr.CntntDic
HKCR\CntntCntr.CntntDic\CLSID
HKCR\CntntCntr.CntntDic\CurVer
HKCR\CntntCntr.CntntDic.1
HKCR\CntntCntr.CntntDic.1\CLSID
HKCR\CntntCntr.CntntDisp
HKCR\CntntCntr.CntntDisp\CLSID
HKCR\CntntCntr.CntntDisp\CurVer
HKCR\CntntCntr.CntntDisp.1
HKCR\CntntCntr.CntntDisp.1\CLSID
HKCR\WeatherDPA.WeatherController
HKCR\WeatherDPA.WeatherController\CLSID
HKCR\WeatherDPA.WeatherController\CurVer
HKCR\WeatherDPA.WeatherController.1
HKCR\WeatherDPA.WeatherController.1\CLSID
HKCR\CLSID\{8C788AA2-7530-43BE-97B7-4D491F13BEA3}
HKCR\CLSID\{8C788AA2-7530-43BE-97B7-4D491F13BEA3}\Implemented Categories
HKCR\CLSID\{8C788AA2-7530-43BE-97B7-4D491F13BEA3}\Implemented Categories\{4EE211FA-DB2E-4D5F-A9B9-9101C5D11D36}
HKCR\TypeLib\{03D7FF6E-9781-40B5-BB7F-94291A361604}
HKCR\TypeLib\{03D7FF6E-9781-40B5-BB7F-94291A361604}\1.0
HKCR\TypeLib\{03D7FF6E-9781-40B5-BB7F-94291A361604}\1.0\0
HKCR\TypeLib\{03D7FF6E-9781-40B5-BB7F-94291A361604}\1.0\0\win32
HKCR\TypeLib\{03D7FF6E-9781-40B5-BB7F-94291A361604}\1.0\FLAGS
HKCR\TypeLib\{03D7FF6E-9781-40B5-BB7F-94291A361604}\1.0\HELPDIR
HKCR\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}
HKCR\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0
HKCR\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\0
HKCR\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\0\win32
HKCR\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\FLAGS
HKCR\TypeLib\{0729F461-8054-47DC-8D39-A31B61CC0119}\1.0\HELPDIR
HKCR\TypeLib\{148E1447-C728-48FD-BEEC-A7D06C5FFF58}
HKCR\TypeLib\{148E1447-C728-48FD-BEEC-A7D06C5FFF58}\1.0
HKCR\TypeLib\{148E1447-C728-48FD-BEEC-A7D06C5FFF58}\1.0\0
HKCR\TypeLib\{148E1447-C728-48FD-BEEC-A7D06C5FFF58}\1.0\0\win32
HKCR\TypeLib\{148E1447-C728-48FD-BEEC-A7D06C5FFF58}\1.0\FLAGS
HKCR\TypeLib\{148E1447-C728-48FD-BEEC-A7D06C5FFF58}\1.0\HELPDIR
HKCR\TypeLib\{8292078F-F6E9-412B-8EB1-360C05C5ECE5}
HKCR\TypeLib\{8292078F-F6E9-412B-8EB1-360C05C5ECE5}\1.0
HKCR\TypeLib\{8292078F-F6E9-412B-8EB1-360C05C5ECE5}\1.0\0
HKCR\TypeLib\{8292078F-F6E9-412B-8EB1-360C05C5ECE5}\1.0\0\win32
HKCR\TypeLib\{8292078F-F6E9-412B-8EB1-360C05C5ECE5}\1.0\FLAGS
HKCR\TypeLib\{8292078F-F6E9-412B-8EB1-360C05C5ECE5}\1.0\HELPDIR
HKCR\TypeLib\{89085678-632D-4DEB-BDA0-CD912C63203E}
HKCR\TypeLib\{89085678-632D-4DEB-BDA0-CD912C63203E}\1.0
HKCR\TypeLib\{89085678-632D-4DEB-BDA0-CD912C63203E}\1.0\0
HKCR\TypeLib\{89085678-632D-4DEB-BDA0-CD912C63203E}\1.0\0\win32
HKCR\TypeLib\{89085678-632D-4DEB-BDA0-CD912C63203E}\1.0\FLAGS
HKCR\TypeLib\{89085678-632D-4DEB-BDA0-CD912C63203E}\1.0\HELPDIR
HKCR\TypeLib\{A56FE01C-77C4-4F5E-8198-E4B72207890A}
HKCR\TypeLib\{A56FE01C-77C4-4F5E-8198-E4B72207890A}\1.0
HKCR\TypeLib\{A56FE01C-77C4-4F5E-8198-E4B72207890A}\1.0\0
HKCR\TypeLib\{A56FE01C-77C4-4F5E-8198-E4B72207890A}\1.0\0\win32
HKCR\TypeLib\{A56FE01C-77C4-4F5E-8198-E4B72207890A}\1.0\FLAGS
HKCR\TypeLib\{A56FE01C-77C4-4F5E-8198-E4B72207890A}\1.0\HELPDIR
HKCR\TypeLib\{ABEC1835-3181-4ABD-8DDE-875AEC4DF6D2}
HKCR\TypeLib\{ABEC1835-3181-4ABD-8DDE-875AEC4DF6D2}\1.0
HKCR\TypeLib\{ABEC1835-3181-4ABD-8DDE-875AEC4DF6D2}\1.0\0
HKCR\TypeLib\{ABEC1835-3181-4ABD-8DDE-875AEC4DF6D2}\1.0\0\win32
HKCR\TypeLib\{ABEC1835-3181-4ABD-8DDE-875AEC4DF6D2}\1.0\FLAGS
HKCR\TypeLib\{ABEC1835-3181-4ABD-8DDE-875AEC4DF6D2}\1.0\HELPDIR
HKCR\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}
HKCR\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0
HKCR\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0\0
HKCR\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0\0\win32
HKCR\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0\FLAGS
HKCR\TypeLib\{C62A9E79-2B52-439B-AF57-2E60BB06E86C}\1.0\HELPDIR
HKCR\TypeLib\{E2BED8CC-0986-44AF-9C47-F730D79413F9}
HKCR\TypeLib\{E2BED8CC-0986-44AF-9C47-F730D79413F9}\1.0
HKCR\TypeLib\{E2BED8CC-0986-44AF-9C47-F730D79413F9}\1.0\0
HKCR\TypeLib\{E2BED8CC-0986-44AF-9C47-F730D79413F9}\1.0\0\win32
HKCR\TypeLib\{E2BED8CC-0986-44AF-9C47-F730D79413F9}\1.0\FLAGS
HKCR\TypeLib\{E2BED8CC-0986-44AF-9C47-F730D79413F9}\1.0\HELPDIR
HKCR\Interface\{0AF9A087-0CBF-46B2-9DC9-52D0D16B5AB6}
HKCR\Interface\{0AF9A087-0CBF-46B2-9DC9-52D0D16B5AB6}\ProxyStubClsid
HKCR\Interface\{0AF9A087-0CBF-46B2-9DC9-52D0D16B5AB6}\ProxyStubClsid32
HKCR\Interface\{0AF9A087-0CBF-46B2-9DC9-52D0D16B5AB6}\TypeLib
HKCR\Interface\{0AF9A087-0CBF-46B2-9DC9-52D0D16B5AB6}\TypeLib#Version
HKCR\Interface\{15B13E59-924A-4938-AE3C-C4F625F0B1D0}
HKCR\Interface\{15B13E59-924A-4938-AE3C-C4F625F0B1D0}\ProxyStubClsid
HKCR\Interface\{15B13E59-924A-4938-AE3C-C4F625F0B1D0}\ProxyStubClsid32
HKCR\Interface\{15B13E59-924A-4938-AE3C-C4F625F0B1D0}\TypeLib
HKCR\Interface\{15B13E59-924A-4938-AE3C-C4F625F0B1D0}\TypeLib#Version
HKCR\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}
HKCR\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\ProxyStubClsid
HKCR\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\ProxyStubClsid32
HKCR\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\TypeLib
HKCR\Interface\{15FD8424-D12A-4C51-8C6C-D5D57B80F781}\TypeLib#Version
HKCR\Interface\{2447E305-5E90-42A8-BD1E-0BC333B807E1}
HKCR\Interface\{2447E305-5E90-42A8-BD1E-0BC333B807E1}\ProxyStubClsid
HKCR\Interface\{2447E305-5E90-42A8-BD1E-0BC333B807E1}\ProxyStubClsid32
HKCR\Interface\{2447E305-5E90-42A8-BD1E-0BC333B807E1}\TypeLib
HKCR\Interface\{2447E305-5E90-42A8-BD1E-0BC333B807E1}\TypeLib#Version
HKCR\Interface\{2557DD3F-23A0-477C-BCD8-90FD0AECC4B8}
HKCR\Interface\{2557DD3F-23A0-477C-BCD8-90FD0AECC4B8}\ProxyStubClsid
HKCR\Interface\{2557DD3F-23A0-477C-BCD8-90FD0AECC4B8}\ProxyStubClsid32
HKCR\Interface\{2557DD3F-23A0-477C-BCD8-90FD0AECC4B8}\TypeLib
HKCR\Interface\{2557DD3F-23A0-477C-BCD8-90FD0AECC4B8}\TypeLib#Version
HKCR\Interface\{2893116C-A176-42B1-8794-DA8C9FC45564}
HKCR\Interface\{2893116C-A176-42B1-8794-DA8C9FC45564}\ProxyStubClsid
HKCR\Interface\{2893116C-A176-42B1-8794-DA8C9FC45564}\ProxyStubClsid32
HKCR\Interface\{2893116C-A176-42B1-8794-DA8C9FC45564}\TypeLib
HKCR\Interface\{2893116C-A176-42B1-8794-DA8C9FC45564}\TypeLib#Version
HKCR\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D}
HKCR\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D}\ProxyStubClsid
HKCR\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D}\ProxyStubClsid32
HKCR\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D}\TypeLib
HKCR\Interface\{30B15818-E110-4527-9C05-46ACE5A3460D}\TypeLib#Version
HKCR\Interface\{3CEB04AB-08AF-45F4-81B4-70D13C1F7B85}
HKCR\Interface\{3CEB04AB-08AF-45F4-81B4-70D13C1F7B85}\ProxyStubClsid
HKCR\Interface\{3CEB04AB-08AF-45F4-81B4-70D13C1F7B85}\ProxyStubClsid32
HKCR\Interface\{3CEB04AB-08AF-45F4-81B4-70D13C1F7B85}\TypeLib
HKCR\Interface\{3CEB04AB-08AF-45F4-81B4-70D13C1F7B85}\TypeLib#Version
HKCR\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}
HKCR\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\ProxyStubClsid
HKCR\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\ProxyStubClsid32
HKCR\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\TypeLib
HKCR\Interface\{40CA90F3-4098-4877-AE87-23EB612B18C7}\TypeLib#Version
HKCR\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}
HKCR\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\ProxyStubClsid
HKCR\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\ProxyStubClsid32
HKCR\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\TypeLib
HKCR\Interface\{4C3B62AF-CA25-4FBA-8405-32E44F83BB6F}\TypeLib#Version
HKCR\Interface\{50D2FDCC-2707-49CB-8223-7FE0424909AA}
HKCR\Interface\{50D2FDCC-2707-49CB-8223-7FE0424909AA}\ProxyStubClsid
HKCR\Interface\{50D2FDCC-2707-49CB-8223-7FE0424909AA}\ProxyStubClsid32
HKCR\Interface\{50D2FDCC-2707-49CB-8223-7FE0424909AA}\TypeLib
HKCR\Interface\{50D2FDCC-2707-49CB-8223-7FE0424909AA}\TypeLib#Version
HKCR\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}
HKCR\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\ProxyStubClsid
HKCR\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\ProxyStubClsid32
HKCR\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\TypeLib
HKCR\Interface\{5A635A91-C303-45C9-8DB9-F759D98A3B9D}\TypeLib#Version
HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}
HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}\ProxyStubClsid
HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}\ProxyStubClsid32
HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}\TypeLib
HKCR\Interface\{618AAD04-921F-44C2-BE38-C0818AF69861}\TypeLib#Version
HKCR\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}
HKCR\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\ProxyStubClsid
HKCR\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\ProxyStubClsid32
HKCR\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\TypeLib
HKCR\Interface\{67B3BECF-7B6F-42B2-99F0-F7656F89CFFA}\TypeLib#Version
HKCR\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}
HKCR\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\ProxyStubClsid
HKCR\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\ProxyStubClsid32
HKCR\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\TypeLib
HKCR\Interface\{715FFD42-4E05-4EAB-9513-C8DAA5395AE2}\TypeLib#Version
HKCR\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}
HKCR\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\ProxyStubClsid
HKCR\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\ProxyStubClsid32
HKCR\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\TypeLib
HKCR\Interface\{759D6F7C-8D30-45B6-ABEA-FA51C190EED5}\TypeLib#Version
HKCR\Interface\{878CE013-7BA9-4650-A78C-B2234C0C1648}
HKCR\Interface\{878CE013-7BA9-4650-A78C-B2234C0C1648}\ProxyStubClsid
HKCR\Interface\{878CE013-7BA9-4650-A78C-B2234C0C1648}\ProxyStubClsid32
HKCR\Interface\{878CE013-7BA9-4650-A78C-B2234C0C1648}\TypeLib
HKCR\Interface\{878CE013-7BA9-4650-A78C-B2234C0C1648}\TypeLib#Version
HKCR\Interface\{8EE46F55-1CE1-4DB9-811A-68938EC7F3DD}
HKCR\Interface\{8EE46F55-1CE1-4DB9-811A-68938EC7F3DD}\ProxyStubClsid
HKCR\Interface\{8EE46F55-1CE1-4DB9-811A-68938EC7F3DD}\ProxyStubClsid32
HKCR\Interface\{8EE46F55-1CE1-4DB9-811A-68938EC7F3DD}\TypeLib
HKCR\Interface\{8EE46F55-1CE1-4DB9-811A-68938EC7F3DD}\TypeLib#Version
HKCR\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}
HKCR\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\ProxyStubClsid
HKCR\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\ProxyStubClsid32
HKCR\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\TypeLib
HKCR\Interface\{99CCFB8C-6380-4A14-8FDD-EF3E7E95335D}\TypeLib#Version
HKCR\Interface\{99FDCA0C-7380-4E9C-8D99-5DC4750334EF}
HKCR\Interface\{99FDCA0C-7380-4E9C-8D99-5DC4750334EF}\ProxyStubClsid
HKCR\Interface\{99FDCA0C-7380-4E9C-8D99-5DC4750334EF}\ProxyStubClsid32
HKCR\Interface\{99FDCA0C-7380-4E9C-8D99-5DC4750334EF}\TypeLib
HKCR\Interface\{99FDCA0C-7380-4E9C-8D99-5DC4750334EF}\TypeLib#Version
HKCR\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}
HKCR\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\ProxyStubClsid
HKCR\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\ProxyStubClsid32
HKCR\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\TypeLib
HKCR\Interface\{9A4A64A4-A2FB-48FA-9BBA-1AC50267695D}\TypeLib#Version
HKCR\Interface\{A7213D71-47E1-4832-92D7-D61DFE9F231F}
HKCR\Interface\{A7213D71-47E1-4832-92D7-D61DFE9F231F}\ProxyStubClsid
HKCR\Interface\{A7213D71-47E1-4832-92D7-D61DFE9F231F}\ProxyStubClsid32
HKCR\Interface\{A7213D71-47E1-4832-92D7-D61DFE9F231F}\TypeLib
HKCR\Interface\{A7213D71-47E1-4832-92D7-D61DFE9F231F}\TypeLib#Version
HKCR\Interface\{A87DFD99-CF81-4241-85CE-881E0026B686}
HKCR\Interface\{A87DFD99-CF81-4241-85CE-881E0026B686}\ProxyStubClsid
HKCR\Interface\{A87DFD99-CF81-4241-85CE-881E0026B686}\ProxyStubClsid32
HKCR\Interface\{A87DFD99-CF81-4241-85CE-881E0026B686}\TypeLib
HKCR\Interface\{A87DFD99-CF81-4241-85CE-881E0026B686}\TypeLib#Version
HKCR\Interface\{AF55160D-CDE1-4A8B-8001-66DA06BEE740}
HKCR\Interface\{AF55160D-CDE1-4A8B-8001-66DA06BEE740}\ProxyStubClsid
HKCR\Interface\{AF55160D-CDE1-4A8B-8001-66DA06BEE740}\ProxyStubClsid32
HKCR\Interface\{AF55160D-CDE1-4A8B-8001-66DA06BEE740}\TypeLib
HKCR\Interface\{AF55160D-CDE1-4A8B-8001-66DA06BEE740}\TypeLib#Version
HKCR\Interface\{B1D9F4B1-B9FF-463F-BF15-AB9CB26160F7}
HKCR\Interface\{B1D9F4B1-B9FF-463F-BF15-AB9CB26160F7}\ProxyStubClsid
HKCR\Interface\{B1D9F4B1-B9FF-463F-BF15-AB9CB26160F7}\ProxyStubClsid32
HKCR\Interface\{B1D9F4B1-B9FF-463F-BF15-AB9CB26160F7}\TypeLib
HKCR\Interface\{B1D9F4B1-B9FF-463F-BF15-AB9CB26160F7}\TypeLib#Version
HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}
HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\ProxyStubClsid
HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\ProxyStubClsid32
HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\TypeLib
HKCR\Interface\{B5D2ED96-62F9-4C2C-956D-E425B1F67337}\TypeLib#Version
HKCR\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}
HKCR\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid
HKCR\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\ProxyStubClsid32
HKCR\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\TypeLib
HKCR\Interface\{BFC20A15-B0AC-44CC-A25A-A7039014BA9F}\TypeLib#Version
HKCR\Interface\{C96B9FAE-A032-4100-BB47-32EF05E28BE4}
HKCR\Interface\{C96B9FAE-A032-4100-BB47-32EF05E28BE4}\ProxyStubClsid
HKCR\Interface\{C96B9FAE-A032-4100-BB47-32EF05E28BE4}\ProxyStubClsid32
HKCR\Interface\{C96B9FAE-A032-4100-BB47-32EF05E28BE4}\TypeLib
HKCR\Interface\{C96B9FAE-A032-4100-BB47-32EF05E28BE4}\TypeLib#Version
HKCR\Interface\{CF82F350-E1C4-4916-AC12-BA73DB60AFB7}
HKCR\Interface\{CF82F350-E1C4-4916-AC12-BA73DB60AFB7}\ProxyStubClsid
HKCR\Interface\{CF82F350-E1C4-4916-AC12-BA73DB60AFB7}\ProxyStubClsid32
HKCR\Interface\{CF82F350-E1C4-4916-AC12-BA73DB60AFB7}\TypeLib
HKCR\Interface\{CF82F350-E1C4-4916-AC12-BA73DB60AFB7}\TypeLib#Version
HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}
HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\ProxyStubClsid
HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\ProxyStubClsid32
HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\TypeLib
HKCR\Interface\{D3A412E8-1E4B-47D2-9B12-F88291F5AFBB}\TypeLib#Version
HKCR\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}
HKCR\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid
HKCR\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\ProxyStubClsid32
HKCR\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\TypeLib
HKCR\Interface\{F019AEC4-4C95-46DE-A107-E302473E3B9A}\TypeLib#Version
C:\Documents and Settings\Owner\Application Data\WeatherDPA\Weather\WeatherDPA\Weather_XML
C:\Documents and Settings\Owner\Application Data\WeatherDPA\Weather\WeatherDPA
C:\Documents and Settings\Owner\Application Data\WeatherDPA\Weather\WeatherStartup.xml
C:\Documents and Settings\Owner\Application Data\WeatherDPA\Weather
C:\Documents and Settings\Owner\Application Data\WeatherDPA
Adware.Tracking Cookie
C:\Documents and Settings\Administrator\Cookies\administrator@2o7[1].txt
C:\Documents and Settings\Administrator\Cookies\[email protected][1].txt
C:\Documents and Settings\test\Cookies\test@2o7[1].txt
C:\Documents and Settings\test\Cookies\[email protected][1].txt
C:\Documents and Settings\test\Cookies\[email protected][1].txt
C:\Documents and Settings\test\Cookies\[email protected][1].txt
C:\Documents and Settings\test\Cookies\test@atwola[1].txt
C:\Documents and Settings\test\Cookies\[email protected][1].txt
C:\Documents and Settings\test\Cookies\test@specificclick[1].txt
BearShare File Sharing Client
C:\PROGRAM FILES\BEARSHARE\BEARSHARE.EXE
-
HIGHJACK THIS LOG:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:08:53 PM, on 8/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\roxtctm.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
C:\WINNT\system32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\ctfmon.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Program Files\IncrediMail\bin\ImNotfy.exe
C:\Documents and Settings\Owner\Desktop\sniper.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7A23A1E8-B2AB-4C50-AD12-9E19B747E17C} - (no file)
O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB001" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600 (Copy 1)] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P33 "EPSON Stylus Photo RX600 (Copy 1)" /O5 "LPT1:" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKUS\S-1-5-18\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.3.4.64/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Sametime Meeting Toolkit ST25 -
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud12.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: AVGRSSTX.DLL,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINNT\system32\AFinding.exe (file missing)
O23 - Service: afisicx Manages messages (afisicx) - Unknown owner - C:\WINNT\system32\afisicx.exe (file missing)
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINNT\system32\macidwe.exe (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINNT\system32\Nobicyt.exe (file missing)
O23 - Service: noxtcyr Corporation inc. (noxtcyr) - Unknown owner - C:\WINNT\system32\noxtcyr.exe (file missing)
O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
O23 - Service: routing Service (routing) - Unknown owner - C:\WINNT\system32\routing.exe (file missing)
O23 - Service: roxtctm Co. Ltd. (roxtctm) - Unknown owner - C:\WINNT\system32\roxtctm.exe
O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINNT\system32\sobicyt.exe (file missing)
O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINNT\system32\tdxdowkc.exe (file missing)
O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINNT\system32\WServing.exe (file missing)
O23 - Service: wsldoekd Manages messages (wsldoekd) - Unknown owner - C:\WINNT\system32\wsldoekd.exe (file missing)
--
End of file - 11316 bytes
-
I see why you were having so many problems. Very bad infection! But it is fixable.
Open HijackThis and select Do a system scan only.
Place a check mark next to the following entries: (if there)
- R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
- R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
- O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll (file missing)
- O2 - BHO: (no name) - {7A23A1E8-B2AB-4C50-AD12-9E19B747E17C} - (no file)
- O2 - BHO: Zango - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
- O3 - Toolbar: (no name) - {90B8B761-DF2B-48AC-BBE0-BCC03A819B3B} - (no file)
- O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
- O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyPoker\PartyPoker.exe (file missing)
- O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
- O16 - DPF: {A7EA8AD2-287F-11D3-B120-006008C39542} (CBSTIEPrint Class) - http://offers.e-centives.com/cif/download/bin/actxcab.cab
- O16 - DPF: {AB29A544-D6B4-4E36-A1F8-D3E34FC7B00A} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
- O23 - Service: afinding Service (afinding) - Unknown owner - C:\WINNT\system32\AFinding.exe (file missing)
- O23 - Service: afisicx Manages messages (afisicx) - Unknown owner - C:\WINNT\system32\afisicx.exe (file missing)
- O23 - Service: macidwe Service (macidwe) - Unknown owner - C:\WINNT\system32\macidwe.exe (file missing)
- O23 - Service: nobicyt Service (nobicyt) - Unknown owner - C:\WINNT\system32\Nobicyt.exe (file missing)
- O23 - Service: noxtcyr Corporation inc. (noxtcyr) - Unknown owner - C:\WINNT\system32\noxtcyr.exe (file missing)
- O23 - Service: perfs Service (perfs) - Unknown owner - C:\WINNT\system32\perfs.exe (file missing)
- O23 - Service: routing Service (routing) - Unknown owner - C:\WINNT\system32\routing.exe (file missing)
- O23 - Service: roxtctm Co. Ltd. (roxtctm) - Unknown owner - C:\WINNT\system32\roxtctm.exe
- O23 - Service: sobicyt Service (sobicyt) - Unknown owner - C:\WINNT\system32\sobicyt.exe (file missing)
- O23 - Service: tdxdowkc Service (tdxdowkc) - Unknown owner - C:\WINNT\system32\tdxdowkc.exe (file missing)
- O23 - Service: wserving Service (wserving) - Unknown owner - C:\WINNT\system32\WServing.exe (file missing)
- O23 - Service: wsldoekd Manages messages (wsldoekd) - Unknown owner - C:\WINNT\system32\wsldoekd.exe (file missing)
.
Important: Close all windows except for HijackThis and then click Fix checked.
Exit HijackThis.
----------
Please download this file ComboFix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop but do not run it yet.
1. Go to Start > Run > type Notepad.exe and click OK to open Notepad.
It must be Notepad, not Wordpad.
2. Copy the text in the below code box by highlighting all the text and pressing Ctrl+C
KillAll::
File::
C:\WINNT\system32\AFinding.exe
C:\WINNT\system32\afisicx.exe
C:\WINNT\system32\macidwe.exe
C:\WINNT\system32\Nobicyt.exe
C:\WINNT\system32\noxtcyr.exe
C:\WINNT\system32\perfs.exe
C:\WINNT\system32\routing.exe
C:\WINNT\system32\roxtctm.exe
C:\WINNT\system32\sobicyt.exe
C:\WINNT\system32\tdxdowkc.exe
C:\WINNT\system32\WServing.exe
C:\WINNT\system32\wsldoekd.exe
3. Go to the Notepad window and click Edit > Paste
4. Then click File > Save
5. Name the file CFScript.txt - Save the file to your Desktop
6. Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!
(http://i154.photobucket.com/albums/s258/evilfantasy69/CFScript-1.gif)
ComboFix will begin to execute, just follow the prompts.
After reboot (in case it asks to reboot), it will produce a log for you.
Post that log (Combofix.txt) in your next reply.
Note: Do not mouseclick ComboFix's window while it is running. That may cause your system to freeze
-
thanks for the quick reply
i did the highjack this part you described, but i can NOT download the combofix thing......i still cannot download any .exe files, is there a .zip file for that??
thanks again, i finally have some hope that this can finally be fixed!!
-
Lets try this.
Go to Start > Run and type Notepad.exe then click OK.
Copy and paste the following text within the code box into the new Notepad file.
@ECHO OFF
sc stop afinding
sc delete afinding
sc stop afisicx
sc delete afisicx
sc stop macidwe
sc delete macidwe
sc stop nobicyt
sc delete nobicyt
sc stop perfs
sc delete perfs
sc stop routing
sc delete routing
sc stop roxtctm
sc delete roxtctm
sc stop sobicyt
sc delete sobicyt
sc stop tdxdowkc
sc delete tdxdowkc
sc stop wserving
sc delete wserving
sc stop wsldoekd
sc delete wsldoekd
sc stop noxtcyr
sc delete noxtcyr
exit
In Notepad select File and Save as
Choose the Save to location to be the Desktop and for the File name: type in fixme.bat making sure that the Save as type field says All files.
Next double click fixservice.bat to run it.
A black box should open and close after a short time, this is normal.
Do not continue until the black box has closed
Delete fixservice.bat from the Desktop and restart the computer.
Now try to download and run ComboFix.
-
i still cannot download it, i keep getting this:
well i got a screen shot of it, but i don't know how to insert images here.....
i did remember that if i switch users, i can download on the other user i made, i will try to access that from there and download........i'll let you know if it works.
-
Post a new HijackThis log so I can see if the fixme.bat worked.
-
well i thought i had it, i dowloaded it to my desktop from the other username, it was on my desktop, but when i would drag the file over to it i would get the errorwindows cannot access the specified device, path, or file. you may not have the appropriate permission to access the item.
here is the current HJT log
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:10 AM, on 8/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\sotpeca.exe
C:\WINNT\System32\svchost.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\SK9910DM.EXE
C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE
C:\WINNT\system32\hkcmd.exe
C:\WINNT\GWMDMMSG.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\PROGRA~1\Magentic\bin\MgApp.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AVG\AVG8\aAvgApi.exe
C:\Documents and Settings\Owner\Desktop\sniper.exe.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [Hot Key Kbd 9910 Daemon] SK9910DM.EXE
O4 - HKLM\..\Run: [GWMDMpi] C:\WINNT\GWMDMpi.exe
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P24 "EPSON Stylus Photo RX600" /O6 "USB001" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [IgfxTray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [GWMDMMSG] GWMDMMSG.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINNT\system32\NeroCheck.exe
O4 - HKLM\..\Run: [EPSON Stylus Photo RX600 (Copy 1)] C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE /P33 "EPSON Stylus Photo RX600 (Copy 1)" /O5 "LPT1:" /M "Stylus Photo RX600"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [Magentic] C:\PROGRA~1\Magentic\bin\Magentic.exe /c
O4 - HKUS\S-1-5-18\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [IncrediMail] C:\Program Files\IncrediMail\bin\IncMail.exe /c (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O10 - Unknown file in Winsock LSP: c:\winnt\system32\nwprovau.dll
O16 - DPF: Dice Derby by pogo - http://game1.pogo.com/applet-6.3.4.64/checkeredflag/checkeredflag-ob-assets.cab
O16 - DPF: Sametime Meeting Toolkit ST25 -
O16 - DPF: Tornado 21 - http://download.games.yahoo.com/games/clients/y/t21t0_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/games/clients/y/dct4_x.cab
O16 - DPF: Yahoo! Dots - http://download.games.yahoo.com/games/clients/y/dtt1_x.cab
O16 - DPF: Yahoo! Euchre - http://download.games.yahoo.com/games/clients/y/et1_x.cab
O16 - DPF: Yahoo! Gin - http://download.games.yahoo.com/games/clients/y/nt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/games/clients/y/zt3_x.cab
O16 - DPF: Yahoo! NFL GameChannel StatTracker - http://aud12.sports.sc5.yahoo.com/java/y/nflgcst1010_x.cab
O16 - DPF: Yahoo! Word Racer - http://download.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} - http://download.weatherbug.com/minibug/tricklers/AWS/MiniBugTransporter.cab?RND=
O16 - DPF: {2D8ED06D-3C30-438B-96AE-4D110FDC1FB8} (ActiveScan 2.0 Installer Class) - http://acs.pandasoftware.com/activescan/cabs/as2stubie.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photos.walmart.com/WalmartActivia.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1006.cab
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} (Kodak Gallery Easy Upload Manager Class) - http://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://www.nick.com/common/groove/gx/GrooveAX27.cab
O16 - DPF: {A662DA7E-CCB7-4743-B71A-D817F6D575DF} - http://www.autodesk.com/global/dwfviewer/installer/DwfViewerSetup.cab
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: AVGRSSTX.DLL,avgrsstx.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V6 (AdobeActiveFileMonitor6.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe
O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINNT\system32\LEXBCES.EXE
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Unknown owner - C:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: sotpeca Portable Media Serial Service (sotpeca) - Unknown owner - C:\WINNT\system32\sotpeca.exe
--
End of file - 8785 bytes
-
Just try to run ComboFix with the below instructions.
Note: If you get an error then right click and rename ComboFix to Combo-Fix then try again.
Close any open Web browsers. (Firefox, Internet Explorer, etc) before starting ComboFix.
Double click combofix.exe & follow the prompts.
When finished ComboFix will produce a log for you.
Post the ComboFix log in your next reply.
Important: Do not mouseclick ComboFix's window while it is running. That may cause it to stall.
-
ok, combo fix hates me!
i still keep getting the same error, even after renaming it
can i try and run it under the other user name, or will it not access all the same files or whatever needs fixed??
-
Try this. If it doesn't work then try to run it from the other account.
Close all other browser windows.
Go to Start > Run and copy/paste in the following:
"%userprofile%\desktop\combo-fix.exe" /killall
Press Enter and Combofix will begin to run.
When finished, it will produce a log file located at C:\ComboFix.txt
Post the contents of that log in your next reply.
Note: Do not mouseclick combofix's window while it is running. That may cause your system to stall.
-
PART 1, HAVE TO DO THIS IS SEPERATE POSTS...........
i had to run this from the other user account, i was still getting the error
ComboFix 08-08-28.04 - test 2008-08-29 2:07:36.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.675 [GMT -4:00]
Running from: C:\Documents and Settings\test\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\test\Desktop\cfscript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
FILE ::
C:\WINNT\system32\AFinding.exe
C:\WINNT\system32\afisicx.exe
C:\WINNT\system32\macidwe.exe
C:\WINNT\system32\Nobicyt.exe
C:\WINNT\system32\noxtcyr.exe
C:\WINNT\system32\perfs.exe
C:\WINNT\system32\routing.exe
C:\WINNT\system32\roxtctm.exe
C:\WINNT\system32\sobicyt.exe
C:\WINNT\system32\tdxdowkc.exe
C:\WINNT\system32\WServing.exe
C:\WINNT\system32\wsldoekd.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\2ACA5CC3-0F83-453D-A079-1076FE1A8B65
C:\Documents and Settings\All Users\Application Data\ZangoSA
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSA.dat
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSA_kyf.dat
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAAbout.mht
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAau.dat
C:\Documents and Settings\All Users\Application Data\ZangoSA\ZangoSAEula.mht
C:\Documents and Settings\All Users\Start Menu\Programs\DriveCleaner Free
C:\Documents and Settings\All Users\Start Menu\Programs\DriveCleaner Free\DriveCleaner HomePage.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\DriveCleaner Free\DriveCleaner Online Manual.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\DriveCleaner Free\DriveCleaner Online Support.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\DriveCleaner Free\DriveCleaner.lnk
C:\Documents and Settings\All Users\Start Menu\Programs\DriveCleaner Free\Uninstall DriveCleaner.lnk
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\#SharedObjects\2CH5FVZ4\bin.clearspring.com
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\#SharedObjects\2CH5FVZ4\bin.clearspring.com\clearspring.sol
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\#SharedObjects\2CH5FVZ4\interclick.com
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\#SharedObjects\2CH5FVZ4\interclick.com\ud.sol
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#bin.clearspring.com\settings.sol
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com
C:\Documents and Settings\LocalService\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#interclick.com\settings.sol
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
C:\Documents and Settings\Owner\Application Data\DriveCleaner Free
C:\Documents and Settings\Owner\Application Data\DriveCleaner Free\Logs\update.log
C:\Documents and Settings\Owner\err.log
C:\Documents and Settings\Owner\ResErrors.log
C:\Program Files\Common Files\DriveCleaner Free
C:\Program Files\outlook
C:\Program Files\outlook\p.zip
C:\Program Files\Screensavers.com
C:\Program Files\screensavers.com\Installer\bin\siuninst.exe
C:\Program Files\winupdate
C:\RECYCLER\desktop.ini
C:\setup.exe
C:\WINNT\Downloaded Program Files\setup.inf
-
PART 2..........
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\music\mainmenumusic.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\areabomb.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\beetlezap.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bonusrow.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bonustimer.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bucketfilled.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\clearpyramid.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1a.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1b.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1c.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2a.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2b.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2c.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\colorchain.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\dialogbox.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\drumbeat.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\fillrow.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\gateopen.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\helptip.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\powerup.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\rotateboardleft.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\timerup.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\warning.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\warning2.ogg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\artifacts-bb.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\bar.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\chamber0.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\chamber1.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\circledoor.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\full_screen_dialog.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\global-hs-bb_large.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\global-hs-bb_small.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\help-bb_large.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\help-bb_small.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\hexfield.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\hidden-artifact_icon.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\large_dialog.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\local-hs-bb.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\mainmenu.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\small_dialog.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\textfield.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\trifield.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover4.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock4.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetletatoo.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\dirt.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\scarabpost.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\scarabpostovr.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\tritop.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\checkdown.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\checkup.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotleft_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotleft_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotleft_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotright_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotright_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotright_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\simplebutton_down.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\simplebutton_over.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\simplebutton_up.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\sliderknob.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\sliderknobover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\sliderrail.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\characters\anwar\look\pl0001.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\characters\bast\look\bl0001.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\characters\kristine\look\kl0001.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\crackedstopper.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\cursor.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\doorlights.txt
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\fonts\jackarmstrong.mvec
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\fonts\lithos.mvec
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\greybomb.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\helptips\arrowkeys.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\helptips\helptip.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\levels\levels.dat
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\disk.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\equilateraltriangle.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\flattri.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\pyramid.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\quad.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\rotatingpyramid.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\scarabpanel.mesh
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\p1icon.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\page1-0.xml
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\page1-1.xml
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\panel1-0-1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\panel1-1-1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\scorecloud.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\setup.xml
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\areashockwave.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_4.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_starter.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_tail.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\flash.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\rubble.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\smoke.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\smoke2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\smoke3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\splash\playfirst_logo.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue0\snake_dirty.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue1\arm01_dirty.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue1\mask01_1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue1\statue01_dirty.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\stopper.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\timer.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\timerglow.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\timericon.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\tm.png
-
PART 3...........
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseblue1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseblue2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseblue3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousegreen1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousegreen2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousegreen3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousered1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousered2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousered3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseyellow1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseyellow2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseyellow3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\areabomb.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\areabombrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\blue.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\bluerollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\boardfill.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\bricktip.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared4.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared5.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared6.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye1.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye2.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye3.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye4.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\green.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\greenrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-blue.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-bluerollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-green.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-greenrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-red.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-redrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-yellow.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-yellowrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\red.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\redrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\wild.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\wildrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\yellow.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\yellowrollover.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image0.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image1.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image2.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image3.jpg
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\bluebucket.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\buckettriangle.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\chainlink.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\chaintip.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\genericbucket.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\greenbucket.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\redbucket.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallblue.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallgreen.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallred.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallyellow.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\urnglow.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\urnplatform.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\yellowbucket.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\assets\warning.png
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\error.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\game.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\gameover.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\hiscore.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\hiscoreinfo.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\hiscoresubmit.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\instructions.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\leveldesign.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\levelover.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\mainarcade.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\mainconfirm.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\maincontinue.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\maingames.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\mainpuzzle.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\maphelptip.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\options.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\pause.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\quitconfirm.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\start.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\storyplayer.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\style.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\screens\upsell.lua
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\strings.xml
C:\WINNT\Downloaded Program Files\TriJinx.1.0.0.55\TriJinx.exe
-
PART 4.........
C:\WINNT\Install.txt
C:\WINNT\SNMPAPI.DLL
C:\WINNT\system32\atsxyzd.sys
C:\WINNT\system32\comsa32.sys
C:\WINNT\system32\KBPK080812.log
C:\WINNT\system32\roxtctm.exe
C:\WINNT\system32\rtl60.bpl
C:\WINNT\system32\sotpeca.exe
C:\WINNT\system32\syspilog.pil
C:\WINNT\system32\tmp0_239842534757.bk
C:\WINNT\system32\tmp0_298631483972.bk
C:\WINNT\system32\tmp0_362277416365.bk
C:\WINNT\system32\tmp0_483464206746.bk
C:\WINNT\system32\tmp0_752986259741.bk
C:\WINNT\system32\tmp1_2683186973.bk
C:\WINNT\system32\tmp1_279757721191.bk
C:\WINNT\system32\tmp1_280093609914.bk
C:\WINNT\system32\tmp1_348577106913.bk
C:\WINNT\system32\tmp1_85396553527.bk
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_AFISICX
-------\Legacy_MACIDWE
-------\Legacy_NOXTCYR
-------\Legacy_ROXTCTM
-------\Legacy_SEUICTOL
-------\Legacy_SOBICYT
-------\Legacy_SOTPECA
-------\Legacy_TDXDOWKC
-------\Legacy_WSLDOEKD
-------\Service_seuictol
-------\Service_sotpeca
((((((((((((((((((((((((( Files Created from 2008-07-28 to 2008-08-29 )))))))))))))))))))))))))))))))
.
2008-08-24 14:33 . 2008-08-24 14:33 <DIR> d---s---- C:\Documents and Settings\Administrator\UserData
2008-08-19 02:00 . 2008-08-28 08:46 <DIR> d--h----- C:\$AVG8.VAULT$
2008-08-19 01:58 . 2008-08-19 02:00 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVGTOOLBAR
2008-08-19 01:52 . 2008-08-29 01:14 <DIR> d-------- C:\WINNT\system32\drivers\Avg
2008-08-19 01:52 . 2008-08-19 01:56 <DIR> d-------- C:\Documents and Settings\test\Application Data\AVGTOOLBAR
2008-08-19 01:52 . 2008-08-29 01:11 97,928 --a------ C:\WINNT\system32\drivers\avgldx86.sys
2008-08-19 01:52 . 2008-08-19 01:52 76,040 --a------ C:\WINNT\system32\drivers\avgtdix.sys
2008-08-19 01:52 . 2008-08-19 01:52 10,520 --a------ C:\WINNT\system32\avgrsstx.dll
2008-08-19 01:51 . 2008-08-19 01:51 <DIR> d-------- C:\Program Files\AVG
2008-08-19 01:41 . 2008-08-19 01:41 <DIR> d---s---- C:\Documents and Settings\test\UserData
2008-08-19 00:32 . 2008-08-19 00:32 0 --a------ C:\WINNT\system32\Je5qtC11.exe.a_a
2008-08-17 22:26 . 2008-06-19 17:24 28,544 --a------ C:\WINNT\system32\drivers\pavboot.sys
2008-08-17 12:29 . 2008-08-17 12:29 <DIR> d---s---- C:\Documents and Settings\LocalService\UserData
2008-08-17 11:49 . 2008-08-17 11:49 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AdobeUM
2008-08-16 21:30 . 2003-08-02 12:52 <DIR> d-------- C:\Documents and Settings\test\Application Data\Symantec
2008-08-16 21:30 . 2003-08-02 12:50 <DIR> d-------- C:\Documents and Settings\test\Application Data\InterTrust
2008-08-16 21:30 . 2008-08-19 01:41 <DIR> d-------- C:\Documents and Settings\test
2008-08-16 19:13 . 2008-08-19 01:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-08-16 16:05 . 2008-05-01 10:30 331,776 --------- C:\WINNT\system32\dllcache\msadce.dll
2008-08-13 13:39 . 2008-08-13 13:39 <DIR> d-------- C:\windows
2008-08-06 17:38 . 2008-08-06 17:38 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\UNOUndercover
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-29 05:08 --------- d-----w C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-08-28 23:53 --------- d-----w C:\Program Files\Java
2008-08-28 06:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-08-19 06:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-08-19 05:47 --------- d-----w C:\Program Files\SpywareBlaster
2008-08-17 01:30 --------- d-----w C:\Program Files\Web Publish
2008-08-16 00:54 --------- d-----w C:\Program Files\Google
2008-08-09 17:47 --------- d-----w C:\Program Files\IncrediMail
2008-08-06 21:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\MumboJumbo
2008-08-04 19:32 --------- d-----w C:\Documents and Settings\Owner\Application Data\Sheeplings
2008-07-26 19:20 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-07 20:32 253,952 ----a-w C:\WINNT\system32\es.dll
2008-07-07 20:32 253,952 ------w C:\WINNT\system32\dllcache\es.dll
2008-06-24 16:23 74,240 ----a-w C:\WINNT\system32\mscms.dll
2008-06-24 16:23 74,240 ------w C:\WINNT\system32\dllcache\mscms.dll
2008-06-23 09:49 18,432 ------w C:\WINNT\system32\dllcache\iedw.exe
2008-06-20 17:41 245,248 ----a-w C:\WINNT\system32\mswsock.dll
2008-06-20 17:41 245,248 ----a-w C:\WINNT\system32\dllcache\mswsock.dll
2008-06-20 17:41 148,992 ----a-w C:\WINNT\system32\dllcache\dnsapi.dll
2008-06-20 10:45 360,320 ----a-w C:\WINNT\system32\dllcache\tcpip.sys
2008-06-20 10:44 138,368 ------w C:\WINNT\system32\dllcache\afd.sys
2008-06-20 09:52 225,920 ----a-w C:\WINNT\system32\dllcache\tcpip6.sys
2008-06-13 13:10 272,128 ------w C:\WINNT\system32\dllcache\bthport.sys
2007-11-10 18:55 115,176 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2006-04-04 20:39 212 ----a-w C:\Program Files\regfix.reg
2006-04-01 20:10 220 ----a-w C:\Documents and Settings\Owner\n.bat
2006-03-30 07:46 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2003-03-04 13:14 45,568 ----a-w C:\Documents and Settings\Owner\onuninst.dll
1998-07-03 20:27 7,488 ----a-w C:\WINNT\inf\unregpn.exe
2007-08-02 07:55 80 --sh--r C:\WINNT\system32\C54E22B8EC.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24 1694208]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-07-24 14:22 243072]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"GWMDMpi"="C:\WINNT\GWMDMpi.exe" [2002-08-06 15:24 53248]
"EPSON Stylus Photo RX600"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE" [2003-09-10 03:00 99840]
"IgfxTray"="C:\WINNT\system32\igfxtray.exe" [2005-06-21 17:48 155648]
"HotKeysCmds"="C:\WINNT\system32\hkcmd.exe" [2005-06-21 17:44 126976]
"NeroFilterCheck"="C:\WINNT\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"EPSON Stylus Photo RX600 (Copy 1)"="C:\WINNT\System32\spool\DRIVERS\W32X86\3\E_S4I2M1.EXE" [2003-09-10 03:00 99840]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-23 09:48 282624]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-08-29 01:11 1235736]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"Hot Key Kbd 9910 Daemon"="SK9910DM.EXE" [2001-01-03 14:50 66048 C:\WINNT\system32\SK9910DM.EXE]
"Logitech Utility"="Logi_MwX.Exe" [2002-11-08 05:50 19968 C:\WINNT\LOGI_MWX.EXE]
"GWMDMMSG"="GWMDMMSG.exe" [2002-08-06 15:24 90112 C:\WINNT\GWMDMMSG.exe]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"IncrediMail"="C:\Program Files\IncrediMail\bin\IncMail.exe" [2008-07-24 14:22 243072]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= "C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2008-05-24 13:06 77824]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
2007-04-27 18:21 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=AVGRSSTX.DLL,avgrsstx.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.VDOM"= vdowave.drv
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk
backup=C:\WINNT\pss\Adobe Gamma Loader.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINNT\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
--a------ 2005-06-07 00:46 57344 C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-05-23 09:48 282624 C:\Program Files\QuickTime\qttask.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RemoteControl]
--a------ 2005-01-12 04:01 32768 C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-03-27 16:22 4670968 C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\WINNT\\system32\\LEXPPS.EXE"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"C:\\StubInstaller.exe"=
"C:\\Program Files\\PopCap Games\\Zuma Deluxe\\Zuma.exe"=
"C:\\Program Files\\BearShare\\BearShare.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IMApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncMail.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImpCnt.exe"=
"C:\\Program Files\\Real\\RealOne Player\\trueplay.exe"=
"C:\\Program Files\\Magentic\\bin\\MgImp.exe"=
"C:\\Program Files\\Magentic\\bin\\Magentic.exe"=
"C:\\Program Files\\Magentic\\bin\\MgApp.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImLc.exe"=
"C:\\Program Files\\Zone.com Deluxe Games\\Wheel of Fortune Deluxe\\Wheel of Fortune Deluxe.exe"=
"C:\\Program Files\\Yahoo! Games\\JEOPARDY!\\JEOPARDY!.exe"=
"C:\\Program Files\\IncrediMail\\bin\\IncrediMail_Install.exe"=
"C:\\Program Files\\IncrediMail\\bin\\ImSc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"9420:TCP"= 9420:TCP:Red Swoosh
"5000:UDP"= 5000:UDP:Red Swoosh
R0 pavboot;pavboot;C:\WINNT\system32\drivers\pavboot.sys [2008-06-19 17:24]
R1 AvgLdx86;AVG Free AVI Loader Driver x86;C:\WINNT\system32\Drivers\avgldx86.sys [2008-08-29 01:11]
R2 AdobeActiveFileMonitor6.0;Adobe Active File Monitor V6;C:\Program Files\Adobe\Photoshop Elements 6.0\PhotoshopElementsFileAgent.exe [2007-10-02 15:46]
R2 avg8emc;AVG Free8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-08-29 01:11]
R2 avg8wd;AVG Free8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-08-29 01:11]
R2 AvgTdiX;AVG Free8 Network Redirector;C:\WINNT\system32\Drivers\avgtdix.sys [2008-08-19 01:52]
S3 PCDRDRV;Pcdr Helper Driver;C:\PROGRA~1\PC-DOC~1\DIAGNO~1\PCDRDRV.sys []
S3 StreamSurge;StreamSurge Driver (miniport);C:\WINNT\system32\DRIVERS\ss.sys []
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\d2d5a19a-7530-43d2-baca-7a9ef323da99]
C:\WINNT\system32\wqxuxz.exe
.
Contents of the 'Scheduled Tasks' folder
.
- - - - ORPHANS REMOVED - - - -
MSConfigStartUp-AOLDialer - C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
MSConfigStartUp-DAEMON Tools Lite - C:\Program Files\DAEMON Tools Lite\daemon.exe
MSConfigStartUp-WeatherDPA - C:\Program Files\Zango\bin\10.3.37.0\Weather.exe
MSConfigStartUp-ZangoSA - C:\Program Files\Zango\bin\10.3.37.0\ZangoSA.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-29 02:18:20
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINNT\system32\LEXBCES.EXE
C:\WINNT\system32\LEXPPS.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINNT\system32\wscntfy.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\IncrediMail\bin\IMApp.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
.
**************************************************************************
.
Completion time: 2008-08-29 2:30:19 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-29 06:30:01
Pre-Run: 17,453,203,456 bytes free
Post-Run: 17,586,393,088 bytes free
506 --- E O F --- 2008-08-17 09:06:45
-
OTMoveIt2 by OldTimer (http://download.bleepingcomputer.com/oldtimer/OTMoveIt2.exe)
Note: If you are running on Vista, right-click on OTMoveIt2.exe and choose Run As Administrator.
- Double-click OTMoveIt2.exe to run it.
- Copy the lines in the codebox below.
[/list][kill explorer]
HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\d2d5a19a-7530-43d2-baca-7a9ef323da99
C:\WINNT\system32\Je5qtC11.exe.a_a
EmptyTemp
[start explorer]- Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) and paste it in your next reply.
- Close OTMoveIt2
-
like before, i h ad to log on under another iser to be able to download an run the application.......
Explorer killed successfully
< HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\d2d5a19a-7530-43d2-baca-7a9ef323da99 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\d2d5a19a-7530-43d2-baca-7a9ef323da99\\ deleted successfully.
C:\WINNT\system32\Je5qtC11.exe.a_a moved successfully.
< EmptyTemp >
File delete failed. C:\WINNT\temp\IM\img66.htm scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\IM\imgF5.htm scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\slu1624.tmp\CATALOG.DAT scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\slu1624.tmp\CCERASER.DLL scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08292008_161556
-
here is the log after reboot
Explorer killed successfully
< HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\d2d5a19a-7530-43d2-baca-7a9ef323da99 >
Registry key HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\d2d5a19a-7530-43d2-baca-7a9ef323da99\\ deleted successfully.
C:\WINNT\system32\Je5qtC11.exe.a_a moved successfully.
< EmptyTemp >
File delete failed. C:\WINNT\temp\IM\img66.htm scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\IM\imgF5.htm scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\slu1624.tmp\CATALOG.DAT scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\slu1624.tmp\CCERASER.DLL scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08292008_161556
Files moved on Reboot...
File move failed. C:\WINNT\temp\IM\img66.htm scheduled to be moved on reboot.
File move failed. C:\WINNT\temp\IM\imgF5.htm scheduled to be moved on reboot.
File move failed. C:\WINNT\temp\slu1624.tmp\CATALOG.DAT scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINNT\temp\slu1624.tmp\CCERASER.DLL
C:\WINNT\temp\slu1624.tmp\CCERASER.DLL NOT unregistered.
File move failed. C:\WINNT\temp\slu1624.tmp\CCERASER.DLL scheduled to be moved on reboot.
-
i tried this again in case i did something wrong, but still got the same results
-
You may end up deleting the account and creating a new one. Sounds like it is corrupted.
Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your Desktop.
Alternate download link (http://majorgeeks.com/ATF_Cleaner_d4949.html)
Note: Vista users must use Run As Administrator (http://vistasupport.mvps.org/run_as_administrator.htm)
- Under Main: Select Files to Delete choose: Select All.
- Click the Empty Selected button.
- If you use Firefox browser click Firefox at the top and choose: Select All
- Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
- If you use Opera browser click Opera at the top and choose: Select All
- Click the Empty Selected button.
If you would like to keep your saved passwords click No at the prompt.
- Click Exit on the Main menu to close the program.
Note that your system will run slower for a reboot or two after having used this tool so don't panic.
Important: Restart the computer before continuing.
----------
Run the Kaspersky Online Scanner (http://www.kaspersky.com/virusscanner)
In Microsoft Windows Vista, you must open the Web browser using the Run as Administrator command. From the Desktop right click the icon to open the browser and choose Run as Administrator.
- Click on SCAN NOW
- Click Accept.
- The program will then begin downloading the latest definition files.
- Once the files have been downloaded locate the Scan Settings and have it scan My Computer.
- The scan will take a while, so be patient and let it finish.
When the scan is done, in the Scan is complete window, any infection is displayed.
There is no option to clean/disinfect, however, we need to analyze the information on the report.
To obtain the report:
Click on: Save Report As- Next, in the Save as prompt, Save in area, select: Desktop.
- In the File name area use KScan, or something similar.
- In Save as type: click the drop arrow and select: Text file [*.txt]
- Then, click: Save
(http://i154.photobucket.com/albums/s258/evilfantasy69/Kas-Savetxt.gif)
Copy and paste the Kaspersky Online Scanner Report in your next reply.
Note for Internet Explorer 7 users: If at any time you have trouble viewing the accept button of the license, click on the Zoom tool located at the bottom right of the IE window and set the zoom to 75%. Once the license is accepted, reset to 100%.
-
i think i know the answer, but my electric went out this morning before i got to save the log from the online scanner, do i have to do that all over again to get the log?
-
Without the log we will never know if anything is still infected.
-
it saved as a html doc, so i just copied and pasted, let me know if this is ok.......... thanks again for everything so far!!
KASPERSKY ONLINE SCANNER 7 REPORT
Sunday, August 31, 2008
Operating System: Microsoft Windows XP Home Edition Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Sunday, August 31, 2008 05:30:26
Records in database: 1171636
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
C:\
D:\
E:\
F:\
H:\
Scan statistics
Files scanned 210324
Threat name 29
Infected objects 34
Suspicious objects 0
Duration of the scan 04:34:30
File name Threat name Threats count
C:\Documents and Settings\Owner\Desktop\Utilities\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Program Files\AWS\WeatherBug\WeatherBugInstall.exe Infected: not-a-virus:AdWare.Win32.MyWay.j 1
C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe Infected: not-a-virus:AdWare.Win32.180Solutions.ao 1
C:\QooBox\Quarantine\C\WINNT\system32\roxtctm.exe.vir Infected: Trojan.Win32.Agent.abaw 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP530\A0053771.exe Infected: Trojan.Win32.Agent.zja 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP530\A0053772.exe Infected: Trojan.Win32.Agent.zpq 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP530\A0053774.exe Infected: Trojan.Win32.Agent.aasl 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP531\A0053864.exe Infected: Trojan.Win32.Agent.zja 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP531\A0053866.exe Infected: Trojan.Win32.Agent.zgg 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP532\A0053919.exe Infected: Trojan.Win32.Agent.zja 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP532\A0053921.exe Infected: Trojan.Win32.Agent.ziy 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP532\A0053934.exe Infected: Trojan.Win32.Agent.znh 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP535\A0053966.exe Infected: Trojan.Win32.Agent.zrw 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP542\A0054094.exe Infected: Trojan.Win32.Agent.aame 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP542\A0054095.exe Infected: Trojan.Win32.Agent.aawv 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP542\A0054097.exe Infected: Trojan.Win32.Agent.abay 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP542\A0054099.sys Infected: Trojan-Clicker.Win32.VB.buv 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP542\A0054100.exe Infected: Trojan.Win32.Agent.abax 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP542\A0054102.exe Infected: Trojan.Win32.Agent.abbh 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP542\A0054105.sys Infected: Trojan-Clicker.Win32.VB.bvz 1
C:\System Volume Information\_restore{CF79470C-79F7-4821-8E34-8E6EA7D3E7B5}\RP548\A0054413.exe Infected: Trojan.Win32.Agent.abaw 1
C:\WINNT\system32\tmpxr_834124770098.bk Infected: Trojan.Win32.Agent.zjb 1
C:\WINNT\system32\tpszxyd.sys Infected: Trojan.Win32.DNSChanger.iez 1
C:\WINNT\system32\xdufytw.sys Infected: Trojan-Clicker.Win32.VB.bvy 1
F:\Games\Fish Tycoon\FishTycoon.exe Infected: Trojan-Downloader.Win32.Agent.aekl 1
F:\Games\Fishing Craze\FishingCraze.exe Infected: Trojan-Downloader.Win32.Agent.adup 1
F:\Games\IQ Identity Quest\I.Q. Identity Quest.exe Infected: Trojan-Downloader.Win32.Agent.adtb 1
F:\Games\Mystery Case Files Prime Suspects\PrimeSuspects.exe.bak Infected: Trojan-Downloader.Win32.Agent.adla 1
F:\Games\Pat Sajaks Lucky Letters TV Guide Edition\Lucky_Letters_TVG.exe Infected: Trojan-Downloader.Win32.Agent.adpm 1
F:\Games\Pat Sajaks Trivia Gems\TriviaGems.exe Infected: Trojan-Downloader.Win32.Agent.adpm 1
F:\Games\Saints And Sinners Bingo\SSBingo.exe Infected: Trojan-Downloader.Win32.Agent.adnf 1
F:\Games\Sallys Spa\SallysSpa.exe Infected: Trojan-Downloader.Win32.Agent.adis 1
F:\Games\Slingo Quest\SlingoQuest.exe Infected: Trojan-Downloader.Win32.Agent.adnf 1
F:\Games\Yumsters\Yumsters.exe Infected: Trojan-Downloader.Win32.Agent.aefk 1
The selected area was scanned.
-
Uninstall ComboFix
- Click START then RUN
- Now type Combofix /u in the runbox
- Make sure there's a space between Combofix and /u
- Then hit Enter.
.
----------
- Double-click OTMoveIt2.exe to run it.
- Copy the lines in the codebox below.
[kill explorer]
C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe
C:\WINNT\system32\tmpxr_834124770098.bk
C:\WINNT\system32\tpszxyd.sys
C:\WINNT\system32\xdufytw.sys
F:\Games\Fish Tycoon\FishTycoon.exe
F:\Games\Fishing Craze\FishingCraze.exe
F:\Games\IQ Identity Quest\I.Q. Identity Quest.exe
F:\Games\Mystery Case Files Prime Suspects\PrimeSuspects.exe.bak
F:\Games\Pat Sajaks Lucky Letters TV Guide Edition\Lucky_Letters_TVG.exe
F:\Games\Pat Sajaks Trivia Gems\TriviaGems.exe
F:\Games\Saints And Sinners Bingo\SSBingo.exe
F:\Games\Sallys Spa\SallysSpa.exe
F:\Games\Slingo Quest\SlingoQuest.exe
F:\Games\Yumsters\Yumsters.exe
EmptyTemp
[start explorer]- Return to OTMoveIt2, right click in the Paste List of Files/Folders to Move window (under the yellow bar) and choose Paste
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) and paste it in your next reply.
- Close OTMoveIt2
-
Explorer killed successfully
C:\Program Files\BearShare\Installer\BSInstall5.2.5.1.exe moved successfully.
C:\WINNT\system32\tmpxr_834124770098.bk moved successfully.
C:\WINNT\system32\tpszxyd.sys moved successfully.
C:\WINNT\system32\xdufytw.sys moved successfully.
F:\Games\Fish Tycoon\FishTycoon.exe moved successfully.
F:\Games\Fishing Craze\FishingCraze.exe moved successfully.
F:\Games\IQ Identity Quest\I.Q. Identity Quest.exe moved successfully.
F:\Games\Mystery Case Files Prime Suspects\PrimeSuspects.exe.bak moved successfully.
F:\Games\Pat Sajaks Lucky Letters TV Guide Edition\Lucky_Letters_TVG.exe moved successfully.
F:\Games\Pat Sajaks Trivia Gems\TriviaGems.exe moved successfully.
F:\Games\Saints And Sinners Bingo\SSBingo.exe moved successfully.
F:\Games\Sallys Spa\SallysSpa.exe moved successfully.
F:\Games\Slingo Quest\SlingoQuest.exe moved successfully.
F:\Games\Yumsters\Yumsters.exe moved successfully.
< EmptyTemp >
File delete failed. C:\WINNT\temp\IM\img66.htm scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\IM\imgF5.htm scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\slu1624.tmp\CATALOG.DAT scheduled to be deleted on reboot.
File delete failed. C:\WINNT\temp\slu1624.tmp\CCERASER.DLL scheduled to be deleted on reboot.
Temp folders emptied.
IE temp folders emptied.
Explorer started successfully
OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 08312008_165439
-
Looks good. Time to cleanup.
1. Double click OTMoveIt2.exe to launch it.
If using Vista Right-Click OTMoveIt and choose Run As Administrator
2. Click on the CleanUp! button.
3. OTMoveIt2 will download a list from the Internet, if your firewall or other defensive programs alerts you, allow it access.
4. Click YES at the next prompt (list downloaded, Do you want to begin cleanup process?)
- When finished exit out of OTMoveIt2
.
----------
Set a New Restore Point to prevent possible reinfection from an old one
Setting a new restore point AFTER cleaning your system will enable your computer to roll-back to a clean working state if needed.
- Go to Start > Programs > Accessories > System Tools and click System Restore
- Choose the radio button marked Create a Restore Point on the first screen then click Next Give the Restore Point a name then click Create.
- The new restore point will be stamped with the current date and time. Keep a log of this so you can find it easily should you need to use System Restore.
- Next go to Start > Run and type Cleanmgr
- Click OK
- Click the More Options Tab.
- Click Clean Up in the System Restore section to remove all previous restore points except the newly created clean one.
You can find instructions on how to enable and re-enable system restore here:
Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html) or Windows Vista System Restore Guide (http://www.bleepingcomputer.com/tutorials/tutorial143.html)
.
----------
Use the Secunia Software Inspector (http://secunia.com/software_inspector) to check for out of date software.
- Click Start Now
- Check the box next to Enable thorough system inspection.
- Click Start
- Allow the scan to finish and scroll down to see if any updates are needed.
- Update anything listed.
.
----------
Important: You Need to Update Windows and Internet Explorer regularly to protect your computer from the malware and other security threats that are on the Internet. Go to Microsoft Windows Update (http://windowsupdate.microsoft.com/) and get all critical updates.
----------
To prevent unknown applications from being installed on your computer install WinPatrol 2008 (http://www.winpatrol.com/winpatrol.html)
* Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)
I suggest using SiteAdvisor (http://www.siteadvisor.com/). SiteAdvisor rates sites on business practices and spam. Safety ratings from McAfee SiteAdvisor are based on automated safety tests of Web sites.
SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html) - Secure your Internet Explorer to make it harder for ActiveX programs to run on your computer. Also stop certain cookies from being added to your computer when running Mozilla based browsers like Firefox.
* (http://www.bleepingcomputer.com/tutorials/tutorial49.html)Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/forums/tutorial49.html)
* If you don't know what ActiveX controls are, see here (http://www.webopedia.com/TERM/A/ActiveX_control.html)
Check out Keeping Yourself Safe On The Web (http://evilspages.blogspot.com/2008/05/keeping-yourself-safe-on-web.html) for tips and free tools to help keep you safe in the future.
Also see Slow Computer? It May Not Be Malware (http://evilspages.blogspot.com/2008/05/slow-computer-it-may-not-be-malware.html) for free cleaning/maintenance tools to help keep your computer running smooth.
-
after running clean up it wants to reboot, should i do that now, or wait until i do the rest of what you suggested?
-
Yes you should do that now.
-
it has been almost 2 hours, should this scan still be running?
-
ok, that is all done..........
-
What is?
it has been almost 2 hours, should this scan still be running?
Which scan?
-
it was the secunia one, it is done now.......the only updates i needed were for flash player, real player and winzip, it took a little over 2 hours........
it is ok that i am doing most of this from the other user name right? or should i be doing it on my normal user name? just checking to make sure.........since i still can't download .exe files, i know some of the stuff has to be done on the other user name.
not to jump ahead of where we are but, that system restore we did, is there a way to check that? it may have been because of all the stuff we did so far, but before when trying to restore none of the points would work.
-
Can't remember if I asked, do you have an XP install CD?
-
i don't believe so, i have a gateway computer, so whatever came with that is all i have.......if thhose are even laying around somewhere....we moved not too long ago and this is the last room to be unpacked
-
You may need to create a new profile to use for this one. I think it's been corrupted by the malware.
-
how can i transfer everything i have on the other user name??
-
Using the Files and Settings Transfer Wizard in Windows XP (http://www.microsoft.com/windowsxp/using/setup/expert/crawford_november12.mspx)
-
is there anything i shouldn't transfer, is any files or what not infected? i mean WHAT setting is saying i can't download .exe files? that is driving me nuts!! :)
once i do transfer, is that info still going to be available on my old user name? in case something doesn't transfer that i want/need? i mean if something is saved to "owner", is that going to transfer to my new user name?
if everything transfers ok, do i thien have to delete the old user name..........
sorry if you aren't the person i should be asking all this too, i am just scared to do this, i don't really knoww aht i am doing and don't want to totally mess everything up and lose everything
-
This isn't something I have dealt with very often. You may want to ask in the Windows forum.
Sorry can't be more specific.