Files still remain after scan

Computing.Net > Forums > Security and Virus > Files still remain after scan

Computing.Net: Over 1,000,000 posts about all things technology related! Over 90% answered within 24 hours! Click here to sign up now, it's free!

Files still remain after scan

Original Message

Name: candygirl003
Date: October 10, 2008 at 22:08:15 Pacific
Subject: Files still remain after scan
OS: windows xp
CPU/Ram: intel
Model/Manufacturer: hp

Comment:

My computer just got infected with a bunch of trojans and spyware..i scanned my computer with malwarebytes but everything isn't gone. There's also this red (X) in by toolbar saying my computer is infected but I don't know if its fake/real. Can anyone help?

Report Offensive Message For Removal

Response Number 1

Name: jabuck
Date: October 11, 2008 at 19:09:10 Pacific

Reply: (edit)

Please download Malwarebytes' Anti-Malware from one of these sites:
MalwareBytes1
MalwareBytes2
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish,so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.

Please download and install the latest version of HijackThis v2.0.2:

Download the "HijackThis" Installer from this link:
Hijack This

1. Save " HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5.Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

Report Offensive Follow Up For Removal

Response Number 2

Name: candygirl003
Date: October 11, 2008 at 20:41:05 Pacific

Reply: (edit)

Malwarebytes' Anti-Malware 1.28
Database version: 1216
Windows 5.1.2600 Service Pack 2
10/11/2008 4:26:26 PM
mbam-log-2008-10-11 (16-26-26).txt
Scan type: Full Scan (C:\|)
Objects scanned: 155206
Time elapsed: 54 minute(s), 6 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 2
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\System Volume Information\_restore{F20DC6C2-5212-4F33-8959-AB7D05D4CDB6}\RP322\A0088129.dll (Adware.Mirar) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\6myw0U4K.exe.a_a (Trojan.Agent) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:36:39 PM, on 10/11/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\System32\igfxtray.exe
C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\SNDVOL32.EXE
C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe
C:\WINDOWS\system32\6myw0U4K.exe
C:\Program Files\HiJackThis.exe
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL =
http://red.clientapps.yahoo.com/cus...
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} -
C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} -
C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} -
C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program
files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software
Update\HPWuSchd.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3
\hpztsb08.exe
O4 - HKLM\..\Run: [DeviceDiscovery] C:\Program Files\Hewlett-Packard\Digital
Imaging\bin\hpotdd01.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [PhilipsDM] "C:\Program Files\Philips\Philips Device
Manager\Bin\DeviceManager.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1
\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
/Consumer
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKCU\..\Run: [PhilipsLime] "C:\Program Files\Philips\Philips Lime
Service\bin\LimeAlive.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\ypager.exe" -quiet
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [swg] C:\Program
Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32
\Macromed\Flash\FlashUtil9b.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [swg] C:\Program
Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Default
user')
O4 - HKUS\.DEFAULT\..\RunOnce: [FlashPlayerUpdate] C:\WINDOWS\system32
\Macromed\Flash\FlashUtil9b.exe (User 'Default user')
O4 - Startup: spamsubtract.lnk = C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft
Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program
Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-
00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program
Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-
00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program
Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-
00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) -
http://housecall-beta.trendmicro.co...
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) -
http://zone.msn.com/binFrameWork/v1...
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) -
http://security.symantec.com/sscv6/...
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program
Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control
Class) - http://www.fileplanet.com/fpdlmgr/c...
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) -
http://zone.msn.com/BinFrameWork/v1...
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) -
http://zone.msn.com/binframework/v1...
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) -
http://v5.windowsupdate.microsoft.c...
1112714159218
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) -
http://security.symantec.com/sscv6/...
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) -
http://download.divx.com/player/Div...
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) -
http://www.update.microsoft.com/mic...
1183699002859
O16 - DPF: {74C861A1-D548-4916-BC8A-FDE92EDFF62C} -
http://mediaplayer.walmart.com/inst...
O16 - DPF: {8C279F4E-917E-4CD2-8DF0-D9C73C0CE763} (ZPA_WheelOfFortune Object) -
http://zone.msn.com/bingame/zpagame...
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) -
http://cdn2.zone.msn.com/binFramewo...
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) -
https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) -
http://zone.msn.com/binframework/v1...
O20 - AppInit_DLLs: karna.dat
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program
Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program
Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: getPlus(R) Helper - NOS Microsystems Ltd. - C:\Program
Files\NOS\bin\getPlus_HelperSvc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program
Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: hpdj - HP - C:\DOCUME~1\Owner\LOCALS~1\Temp\hpdj.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation -
C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation -
c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation -
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation -
C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program
Files\Softex\OmniPass\Omniserv.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton
AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1
\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation -
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program
Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common
Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 9865 bytes

Report Offensive Follow Up For Removal

Response Number 3

Name: jabuck
Date: October 11, 2008 at 21:10:50 Pacific

Reply: (edit)

Go to start> run type in notepad then press ok> format> click to uncheck "word wrap"> exit notepad.
Update java. Go to start> control panel> java> update> update now. (do not install the toolbar)
Please download ComboFix to the desktop from one of the following links:
Link1
Link 2
Link 3
Combofix is a powerful tool so follow the instructions exactly or you could damage your computer.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
In your case to run Combofix do the following:
1. Go offline turn off your Norton antivirus, Norton's Script Blocking, and any antispyware that you may have.
2. Run Combofix and save its log.
3. Restart the computer to get the antivirus running again but leave the antispyware programs off until we get the computer cleaned.
4. Post the Combofix log.

Remember to re-enable the protection again afterwards before connecting to the Internet.

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Report Offensive Follow Up For Removal

Response Number 4

Name: candygirl003
Date: October 14, 2008 at 18:37:48 Pacific

Reply: (edit)

ComboFix 08-10-14.07 - Owner 2008-10-14 20:14:29.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.239 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp1.tmp
C:\DOCUME~1\Owner\LOCALS~1\Temp\tmp2.tmp
C:\WINDOWS\brastk.exe
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\music\mainmenumusic.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\areabomb.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\beetlezap.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bonusrow.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bonustimer.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\bucketfilled.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\clearpyramid.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1a.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1b.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle1c.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2a.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2b.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\cleartriangle2c.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\colorchain.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\dialogbox.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\drumbeat.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\fillrow.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\gateopen.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\helptip.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\powerup.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\rotateboardleft.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\timerup.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\warning.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\audio\sfx\warning2.ogg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\artifacts-bb.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\bar.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\chamber0.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\chamber1.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\circledoor.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\full_screen_dialog.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\global-hs-bb_large.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\global-hs-bb_small.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\help-bb_large.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\help-bb_small.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\hexfield.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\hidden-artifact_icon.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\large_dialog.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\local-hs-bb.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\mainmenu.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\small_dialog.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\textfield.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\backgrounds\trifield.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover2.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover3.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetlehover4.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock2.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock3.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetleshock4.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\beetletatoo.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\dirt.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\scarabpost.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\scarabpostovr.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\beetles\tritop.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_down.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_over.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowdown_up.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_down.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_over.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowleft_up.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_down.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_over.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowright_up.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_down.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_over.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\arrowup_up.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_down.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_over.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowleft_up.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_down.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_over.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\bluearrowright_up.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\checkdown.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\checkup.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_down.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_over.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\long_button_up.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_down.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_over.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\orange-button_up.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotleft_down.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotleft_over.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotleft_up.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotright_down.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotright_over.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\rotright_up.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\simplebutton_down.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\simplebutton_over.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\simplebutton_up.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\sliderknob.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\sliderknobover.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\buttons\sliderrail.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\characters\anwar\look\pl0001.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\characters\bast\look\bl0001.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\characters\kristine\look\kl0001.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\crackedstopper.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\cursor.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\doorlights.txt
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\fonts\jackarmstrong.mvec
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\fonts\lithos.mvec
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\greybomb.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\helptips\arrowkeys.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\helptips\helptip.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\levels\levels.dat
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\disk.mesh
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\equilateraltriangle.mesh
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\flattri.mesh
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\pyramid.mesh
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\quad.mesh
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\rotatingpyramid.mesh
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\models\scarabpanel.mesh
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\p1icon.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\page1-0.xml
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\page1-1.xml
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\panel1-0-1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\scenes\panel1-1-1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\scorecloud.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\setup.xml
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\areashockwave.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_2.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_3.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_4.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_starter.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\bolt_tail.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\flash.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\rubble.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\smoke.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\smoke2.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\sfx\smoke3.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\splash\playfirst_logo.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue0\snake_dirty.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue1\arm01_dirty.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue1\mask01_1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\statues\statue1\statue01_dirty.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\stopper.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\timer.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\timerglow.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\timericon.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\tm.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseblue1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseblue2.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseblue3.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousegreen1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousegreen2.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousegreen3.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousered1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousered2.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mousered3.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseyellow1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseyellow2.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\trails\mouseyellow3.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\areabomb.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\areabombrollover.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\blue.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\bluerollover.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\boardfill.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick2.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\brick3.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\bricktip.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared2.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared3.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared4.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared5.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\clearanim\cleared6.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye1.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye2.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye3.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\eye4.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\green.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\greenrollover.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-blue.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-bluerollover.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-green.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-greenrollover.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-red.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-redrollover.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-yellow.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\plain_tri-yellowrollover.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\red.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\redrollover.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\wild.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\wildrollover.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\yellow.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\triangles\yellowrollover.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image0.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image1.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image2.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\upsell\image3.jpg
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\bluebucket.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\buckettriangle.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\chainlink.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\chaintip.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\genericbucket.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\greenbucket.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\redbucket.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallblue.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallgreen.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallred.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\smallyellow.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\urnglow.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\urnplatform.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\urns\yellowbucket.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\assets\warning.png
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\error.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\game.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\gameover.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\hiscore.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\hiscoreinfo.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\hiscoresubmit.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\instructions.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\leveldesign.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\levelover.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\mainarcade.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\mainconfirm.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\maincontinue.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\maingames.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\mainpuzzle.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\maphelptip.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\options.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\pause.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\quitconfirm.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\start.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\storyplayer.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\style.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\screens\upsell.lua
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\strings.xml
C:\WINDOWS\Downloaded Program Files\TriJinx.1.0.0.55\TriJinx.exe
C:\WINDOWS\karna.dat
C:\WINDOWS\smdat32a.sys
C:\WINDOWS\smdat32m.sys
C:\WINDOWS\system32\6myw0U4K.exe
C:\WINDOWS\system32\6myw0U4K.exe.a_a
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\Cache\mswinstall.exe
C:\WINDOWS\system32\Cache\Setup.exe
C:\WINDOWS\system32\Cache\trafficgeneration-fran.exe
C:\WINDOWS\system32\karna.dat
C:\WINDOWS\system32\msodae.dll
C:\WINDOWS\Tasks\At1.job
D:\Autorun.inf
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\Legacy_IPRIP
-------\Legacy_ZESOFT
-------\Service_iprip

((((((((((((((((((((((((( Files Created from 2008-09-15 to 2008-10-15 )))))))))))))))))))))))))))))))
.
2008-10-11 00:49 . 2008-10-11 22:59 <DIR> d-------- C:\Program Files\backups
2008-10-11 00:17 . 2008-10-11 00:17 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-10-10 22:40 . 2008-10-10 22:40 717 --a------ C:\WINDOWS\system32\wini104552502.exe
2008-10-10 22:38 . 2008-10-10 23:48 <DIR> d-------- C:\Program Files\kvldqtb
2008-10-10 22:37 . 2008-10-10 23:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\yfozcvuz
2008-09-27 18:03 . 2008-09-27 18:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-27 18:03 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-27 18:03 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-21 17:05 . 2008-09-21 17:04 30,272 --a------ C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-15 00:56 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-10-15 00:54 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-15 00:03 --------- d-----w C:\Program Files\Java
2008-10-12 04:00 9,903 ----a-w C:\Program Files\hijackthis.log
2008-10-12 03:37 9,866 ----a-w C:\Program Files\hijackthis10-11.txt
2008-10-11 03:37 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-10-11 03:37 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-10-11 02:09 --------- d-----w C:\Program Files\TurboTax
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-16 19:01 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2008-08-14 09:58 2,136,064 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,015,744 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2006-05-07 16:14 4 ----a-w C:\Documents and Settings\Owner\lock.dat
2007-12-05 19:04 32 --sha-w C:\WINDOWS\{2AE2AF11-423A-415A-BE59-1FADF125AEC5}.dat
2007-12-05 19:04 32 --sha-w C:\WINDOWS\system32\{07BC977D-5803-4989-9F59-061605E6DFEA}.dat
.
------- Sigcheck -------
2002-08-29 07:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-10-10 22:37 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhilipsLime"="C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe" [2005-09-08 159744]
"WinFixer 2005"="C:\Program Files\WinFixer 2005\wfx5.exe" [BU]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [BU]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2004-12-31 469824]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 118784]
"PhilipsDM"="C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-09-15 520192]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-11-16 100056]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 155648]
"ProSiteFinder"="C:\Program Files\ProSiteFinder\prositefinder.exe" [BU]
"AlcxMonitor"="ALCXMNTR.EXE" [2004-09-07 C:\WINDOWS\ALCXMNTR.EXE]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe" [2006-11-09 190072]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 552960]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-15 65588]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-05 53317]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 31592]
.
Contents of the 'Scheduled Tasks' folder
2008-08-16 C:\WINDOWS\Tasks\At10.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-05 C:\WINDOWS\Tasks\At11.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-09-03 C:\WINDOWS\Tasks\At12.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-08-17 C:\WINDOWS\Tasks\At13.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-14 C:\WINDOWS\Tasks\At14.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-08 C:\WINDOWS\Tasks\At15.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-12 C:\WINDOWS\Tasks\At16.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-12 C:\WINDOWS\Tasks\At17.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-12 C:\WINDOWS\Tasks\At18.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-12 C:\WINDOWS\Tasks\At19.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-11 C:\WINDOWS\Tasks\At2.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-15 C:\WINDOWS\Tasks\At20.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-15 C:\WINDOWS\Tasks\At21.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-14 C:\WINDOWS\Tasks\At22.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-12 C:\WINDOWS\Tasks\At23.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-12 C:\WINDOWS\Tasks\At24.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-11 C:\WINDOWS\Tasks\At25.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-11 C:\WINDOWS\Tasks\At26.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-11 C:\WINDOWS\Tasks\At27.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-08-16 C:\WINDOWS\Tasks\At28.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-08-16 C:\WINDOWS\Tasks\At29.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-11 C:\WINDOWS\Tasks\At3.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-08-16 C:\WINDOWS\Tasks\At30.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-08-16 C:\WINDOWS\Tasks\At31.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-14 C:\WINDOWS\Tasks\At32.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-09-09 C:\WINDOWS\Tasks\At33.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-08-16 C:\WINDOWS\Tasks\At34.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-05 C:\WINDOWS\Tasks\At35.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-09-03 C:\WINDOWS\Tasks\At36.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-08-17 C:\WINDOWS\Tasks\At37.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-14 C:\WINDOWS\Tasks\At38.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-08 C:\WINDOWS\Tasks\At39.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-08-16 C:\WINDOWS\Tasks\At4.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-12 C:\WINDOWS\Tasks\At40.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-12 C:\WINDOWS\Tasks\At41.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-12 C:\WINDOWS\Tasks\At42.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-12 C:\WINDOWS\Tasks\At43.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-15 C:\WINDOWS\Tasks\At44.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-15 C:\WINDOWS\Tasks\At45.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-14 C:\WINDOWS\Tasks\At46.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-12 C:\WINDOWS\Tasks\At47.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-12 C:\WINDOWS\Tasks\At48.job
- C:\WINDOWS\system32\l8YMQQ0X.exe []
2008-10-11 C:\WINDOWS\Tasks\At49.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-08-16 C:\WINDOWS\Tasks\At5.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-11 C:\WINDOWS\Tasks\At50.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-11 C:\WINDOWS\Tasks\At51.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-09-21 C:\WINDOWS\Tasks\At52.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-09-21 C:\WINDOWS\Tasks\At53.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-09-21 C:\WINDOWS\Tasks\At54.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-09-21 C:\WINDOWS\Tasks\At55.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-14 C:\WINDOWS\Tasks\At56.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-09-21 C:\WINDOWS\Tasks\At57.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-09-21 C:\WINDOWS\Tasks\At58.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-05 C:\WINDOWS\Tasks\At59.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-08-16 C:\WINDOWS\Tasks\At6.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-09-21 C:\WINDOWS\Tasks\At60.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-09-21 C:\WINDOWS\Tasks\At61.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-14 C:\WINDOWS\Tasks\At62.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-08 C:\WINDOWS\Tasks\At63.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-12 C:\WINDOWS\Tasks\At64.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-12 C:\WINDOWS\Tasks\At65.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-12 C:\WINDOWS\Tasks\At66.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-12 C:\WINDOWS\Tasks\At67.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-15 C:\WINDOWS\Tasks\At68.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-15 C:\WINDOWS\Tasks\At69.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-08-16 C:\WINDOWS\Tasks\At7.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-10-14 C:\WINDOWS\Tasks\At70.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-12 C:\WINDOWS\Tasks\At71.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-12 C:\WINDOWS\Tasks\At72.job
- C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe [2008-09-21 17:04]
2008-10-14 C:\WINDOWS\Tasks\At8.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2008-09-09 C:\WINDOWS\Tasks\At9.job
- C:\WINDOWS\system32\6myw0U4K.exe []
2005-05-26 C:\WINDOWS\Tasks\easy Internet sign-up.job
- C:\Program Files\Easy Internet signup\HPSdpApp.exe [2003-03-12 02:34]
2008-08-30 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2005-10-19 12:54]
2008-10-15 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\7dn0gxot.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-14 20:17:56
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-14 20:21:44
ComboFix-quarantined-files.txt 2008-10-15 01:20:55
Pre-Run: 56,008,888,320 bytes free
Post-Run: 56,005,373,952 bytes free
532 --- E O F --- 2008-10-14 18:07:45

Report Offensive Follow Up For Removal

Response Number 5

Name: jabuck
Date: October 14, 2008 at 19:45:39 Pacific

Reply: (edit)

Open Notepad and copy/paste everything between the X"s into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\system32\6myw0U4K.exe
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\system32\l8YMQQ0X.exe
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe
C:\WINDOWS\system32\wini104552502.exe

Folder::
C:\Documents and Settings\All Users\Application Data\yfozcvuz
C:\Program Files\kvldqtb
Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinFixer 2005"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AlcxMonitor"=-

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".
Post a new Combofix log following the previous directions..

Report Offensive Follow Up For Removal


cannot change internet homepage m67m.ocx file SearchAssistant spyware, need help Backdoor.optix TROJAN on my PC !!! Delete Vundo Procedures	stupid spyware est_tst.tst -- is this is a trojen Power scan & Spyware...help!!! unable restore, install, or re-inst How to remove Trojan.NSIS.Voter.a

Response Number 6

Name: candygirl003
Date: October 15, 2008 at 17:48:42 Pacific

Reply: (edit)

ComboFix 08-10-14.07 - Owner 2008-10-15 19:19:40.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.177 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
FILE ::
C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe
C:\WINDOWS\system32\6myw0U4K.exe
C:\WINDOWS\system32\l8YMQQ0X.exe
C:\WINDOWS\system32\wini104552502.exe
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Documents and Settings\All Users\Application Data\yfozcvuz
C:\Program Files\kvldqtb
C:\WINDOWS\system32\6myw0U4K.exe
C:\WINDOWS\system32\6myw0U4K.exe.a_a
C:\WINDOWS\system32\Lq4771f6.dll
C:\WINDOWS\system32\wini104552502.exe
C:\WINDOWS\Tasks\At10.job
C:\WINDOWS\Tasks\At11.job
C:\WINDOWS\Tasks\At12.job
C:\WINDOWS\Tasks\At13.job
C:\WINDOWS\Tasks\At14.job
C:\WINDOWS\Tasks\At15.job
C:\WINDOWS\Tasks\At16.job
C:\WINDOWS\Tasks\At17.job
C:\WINDOWS\Tasks\At18.job
C:\WINDOWS\Tasks\At19.job
C:\WINDOWS\Tasks\At2.job
C:\WINDOWS\Tasks\At20.job
C:\WINDOWS\Tasks\At21.job
C:\WINDOWS\Tasks\At22.job
C:\WINDOWS\Tasks\At23.job
C:\WINDOWS\Tasks\At24.job
C:\WINDOWS\Tasks\At25.job
C:\WINDOWS\Tasks\At26.job
C:\WINDOWS\Tasks\At27.job
C:\WINDOWS\Tasks\At28.job
C:\WINDOWS\Tasks\At29.job
C:\WINDOWS\Tasks\At3.job
C:\WINDOWS\Tasks\At30.job
C:\WINDOWS\Tasks\At31.job
C:\WINDOWS\Tasks\At32.job
C:\WINDOWS\Tasks\At33.job
C:\WINDOWS\Tasks\At34.job
C:\WINDOWS\Tasks\At35.job
C:\WINDOWS\Tasks\At36.job
C:\WINDOWS\Tasks\At37.job
C:\WINDOWS\Tasks\At38.job
C:\WINDOWS\Tasks\At39.job
C:\WINDOWS\Tasks\At4.job
C:\WINDOWS\Tasks\At40.job
C:\WINDOWS\Tasks\At41.job
C:\WINDOWS\Tasks\At42.job
C:\WINDOWS\Tasks\At43.job
C:\WINDOWS\Tasks\At44.job
C:\WINDOWS\Tasks\At45.job
C:\WINDOWS\Tasks\At46.job
C:\WINDOWS\Tasks\At47.job
C:\WINDOWS\Tasks\At48.job
C:\WINDOWS\Tasks\At49.job
C:\WINDOWS\Tasks\At5.job
C:\WINDOWS\Tasks\At50.job
C:\WINDOWS\Tasks\At51.job
C:\WINDOWS\Tasks\At52.job
C:\WINDOWS\Tasks\At53.job
C:\WINDOWS\Tasks\At54.job
C:\WINDOWS\Tasks\At55.job
C:\WINDOWS\Tasks\At56.job
C:\WINDOWS\Tasks\At57.job
C:\WINDOWS\Tasks\At58.job
C:\WINDOWS\Tasks\At59.job
C:\WINDOWS\Tasks\At6.job
C:\WINDOWS\Tasks\At60.job
C:\WINDOWS\Tasks\At61.job
C:\WINDOWS\Tasks\At62.job
C:\WINDOWS\Tasks\At63.job
C:\WINDOWS\Tasks\At64.job
C:\WINDOWS\Tasks\At65.job
C:\WINDOWS\Tasks\At66.job
C:\WINDOWS\Tasks\At67.job
C:\WINDOWS\Tasks\At68.job
C:\WINDOWS\Tasks\At69.job
C:\WINDOWS\Tasks\At7.job
C:\WINDOWS\Tasks\At70.job
C:\WINDOWS\Tasks\At71.job
C:\WINDOWS\Tasks\At72.job
C:\WINDOWS\Tasks\At8.job
C:\WINDOWS\Tasks\At9.job
.
((((((((((((((((((((((((( Files Created from 2008-09-16 to 2008-10-16 )))))))))))))))))))))))))))))))
.
2008-10-11 00:49 . 2008-10-11 22:59 <DIR> d-------- C:\Program Files\backups
2008-10-11 00:17 . 2008-10-11 00:17 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-09-27 18:03 . 2008-09-27 18:07 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-09-27 18:03 . 2008-09-10 00:04 38,528 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-09-27 18:03 . 2008-09-10 00:03 17,200 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-09-21 17:05 . 2008-09-21 17:04 30,272 --a------ C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-16 00:28 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-16 00:26 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-10-15 00:03 --------- d-----w C:\Program Files\Java
2008-10-12 04:00 9,903 ----a-w C:\Program Files\hijackthis.log
2008-10-12 03:37 9,866 ----a-w C:\Program Files\hijackthis10-11.txt
2008-10-11 02:09 --------- d-----w C:\Program Files\TurboTax
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-16 19:01 --------- d-----w C:\Documents and Settings\NetworkService\Application Data\Yahoo!
2006-05-07 16:14 4 ----a-w C:\Documents and Settings\Owner\lock.dat
2007-12-05 19:04 32 --sha-w C:\WINDOWS\{2AE2AF11-423A-415A-BE59-1FADF125AEC5}.dat
2007-12-05 19:04 32 --sha-w C:\WINDOWS\system32\{07BC977D-5803-4989-9F59-061605E6DFEA}.dat
.
------- Sigcheck -------
2002-08-29 07:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-10-10 22:37 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhilipsLime"="C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe" [2005-09-08 159744]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [BU]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2004-12-31 469824]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 118784]
"PhilipsDM"="C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-09-15 520192]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-11-16 100056]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 155648]
"ProSiteFinder"="C:\Program Files\ProSiteFinder\prositefinder.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe" [2006-11-09 190072]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 31592]
.
Contents of the 'Scheduled Tasks' folder
2005-05-26 C:\WINDOWS\Tasks\easy Internet sign-up.job
- C:\Program Files\Easy Internet signup\HPSdpApp.exe [2003-03-12 02:34]
2008-08-30 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2005-10-19 12:54]
2008-10-16 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-15 19:26:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
r Running Proce
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe
C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe
C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
.
**************************************************************************
.
Completion time: 2008-10-15 19:46:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-16 00:46:28
ComboFix2.txt 2008-10-15 01:21:46
Pre-Run: 56,015,032,320 bytes free
Post-Run: 56,015,392,768 bytes free
273 --- E O F --- 2008-10-14 18:07:45

Report Offensive Follow Up For Removal

Response Number 7

Name: jabuck
Date: October 15, 2008 at 18:41:12 Pacific

Reply: (edit)

Go to start> search> all files and folder> advanced options> check the top three boxes under "all files and folders> then do a search for this:
UHgyi5N.exe
Let me know the exact path what you find.
(Example of exact path.)
C:\Windows\System32\UHgyi5N.exe what you find.

Report Offensive Follow Up For Removal

Response Number 8

Name: candygirl003
Date: October 16, 2008 at 16:26:21 Pacific

Reply: (edit)

I found two files:
OUHGYI5N.EXE-05A70C5C.pf at C:\WINDOWS\Prefetch
OUHgyin at C:\WINDOWS\system32

Report Offensive Follow Up For Removal

Response Number 9

Name: jabuck
Date: October 16, 2008 at 19:14:28 Pacific

Reply: (edit)

We need to know exactly how the paths look, I think you mean:

C:\WINDOWS\Prefetch\OUHGYI5N.EXE-05A70C5C.pf
and
C:\WINDOWS\system32\OUHgyin
Is this correct?

Report Offensive Follow Up For Removal

Response Number 10

Name: candygirl003
Date: October 16, 2008 at 19:41:09 Pacific

Reply: (edit)

Yes, that's right.

Report Offensive Follow Up For Removal

Response Number 11

Name: jabuck
Date: October 16, 2008 at 20:15:32 Pacific

Reply: (edit)

Please download the OTMoveIt2 by OldTimer and save it to your desktop.

1. Please double-click OTMoveIt2.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator).
2. Copy the everything between the X's (not the X's) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
C:\WINDOWS\Prefetch\OUHGYI5N.EXE-05A70C5C.pf
C:\WINDOWS\system32\OUHgyin
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
4. Return to OTMoveIt2, right click in the "Paste Custom List Of Files/Patterns To Move" window (under the yellow bar) and choose Paste.
5. Click the red Moveit! button.
6. Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
6. Close OTMoveIt2
Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, and open the newest .log file present, and copy/paste the contents of that document back here in your next post.
Post a new Combofix log following the previous directions.

Report Offensive Follow Up For Removal

Response Number 12

Name: candygirl003
Date: October 18, 2008 at 17:12:45 Pacific

Reply: (edit)

File/Folder C:\WINDOWS\Prefetch\OUHGYI5N.EXE-05A70C5C.pf not found.
File/Folder C:\WINDOWS\system32\OUHgyin not found.

OTMoveIt2 by OldTimer - Version 1.0.4.3 log created on 10182008_190836

Report Offensive Follow Up For Removal

Response Number 13

Name: jabuck
Date: October 18, 2008 at 17:19:52 Pacific

Reply: (edit)

Please verify again that the files exist and the paths are correct.

Report Offensive Follow Up For Removal

Response Number 14

Name: candygirl003
Date: October 18, 2008 at 17:28:42 Pacific

Reply: (edit)

ComboFix 08-10-14.07 - Owner 2008-10-18 19:16:26.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.208 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe
.
((((((((((((((((((((((((( Files Created from 2008-09-19 to 2008-10-19 )))))))))))))))))))))))))))))))
.
2008-10-18 19:08 . 2008-10-18 19:08 <DIR> d-------- C:\_OTMoveIt
2008-10-11 00:49 . 2008-10-11 22:59 <DIR> d-------- C:\Program Files\backups
2008-10-11 00:17 . 2008-10-11 00:17 401,720 --a------ C:\Program Files\HiJackThis.exe
2008-09-21 17:05 . 2008-09-21 17:04 30,272 --a------ C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-19 00:07 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-10-18 23:19 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-15 00:03 --------- d-----w C:\Program Files\Java
2008-10-12 04:00 9,903 ----a-w C:\Program Files\hijackthis.log
2008-10-12 03:37 9,866 ----a-w C:\Program Files\hijackthis10-11.txt
2008-10-11 03:37 502,272 ----a-w C:\WINDOWS\system32\winlogon.exe
2008-10-11 03:37 295,424 ----a-w C:\WINDOWS\system32\termsrv.dll
2008-10-11 02:09 --------- d-----w C:\Program Files\TurboTax
2008-09-15 11:57 1,846,016 ----a-w C:\WINDOWS\system32\win32k.sys
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-08-26 07:24 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-08-14 09:58 2,136,064 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
2008-08-14 09:22 2,015,744 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
2008-07-19 03:10 94,920 ----a-w C:\WINDOWS\system32\cdm.dll
2008-07-19 03:10 53,448 ----a-w C:\WINDOWS\system32\wuauclt.exe
2008-07-19 03:10 45,768 ----a-w C:\WINDOWS\system32\wups2.dll
2008-07-19 03:10 36,552 ----a-w C:\WINDOWS\system32\wups.dll
2008-07-19 03:09 563,912 ----a-w C:\WINDOWS\system32\wuapi.dll
2008-07-19 03:09 325,832 ----a-w C:\WINDOWS\system32\wucltui.dll
2008-07-19 03:09 205,000 ----a-w C:\WINDOWS\system32\wuweb.dll
2008-07-19 03:09 1,811,656 ----a-w C:\WINDOWS\system32\wuaueng.dll
2008-07-19 03:07 270,880 ----a-w C:\WINDOWS\system32\mucltui.dll
2008-07-19 03:07 210,976 ----a-w C:\WINDOWS\system32\muweb.dll
2006-05-07 16:14 4 ----a-w C:\Documents and Settings\Owner\lock.dat
2007-12-05 19:04 32 --sha-w C:\WINDOWS\{2AE2AF11-423A-415A-BE59-1FADF125AEC5}.dat
2007-12-05 19:04 32 --sha-w C:\WINDOWS\system32\{07BC977D-5803-4989-9F59-061605E6DFEA}.dat
.
------- Sigcheck -------
2002-08-29 07:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-10-10 22:37 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhilipsLime"="C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe" [2005-09-08 159744]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [BU]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2004-12-31 469824]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 118784]
"PhilipsDM"="C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-09-15 520192]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-11-16 100056]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 155648]
"ProSiteFinder"="C:\Program Files\ProSiteFinder\prositefinder.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe" [2006-11-09 190072]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 552960]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-15 65588]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-05 53317]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 31592]
.
Contents of the 'Scheduled Tasks' folder
2005-05-26 C:\WINDOWS\Tasks\easy Internet sign-up.job
- C:\Program Files\Easy Internet signup\HPSdpApp.exe [2003-03-12 02:34]
2008-10-18 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2005-10-19 12:54]
2008-10-19 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]
.
.
------- Supplementary Scan -------
.
FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\7dn0gxot.default\
FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.yahoo.com
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-18 19:21:24
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
Completion time: 2008-10-18 19:25:20
ComboFix-quarantined-files.txt 2008-10-19 00:24:56
ComboFix2.txt 2008-10-16 00:46:36
ComboFix3.txt 2008-10-15 01:21:46
Pre-Run: 56,016,027,648 bytes free
Post-Run: 56,007,110,656 bytes free
122 --- E O F --- 2008-10-14 18:07:45

Report Offensive Follow Up For Removal

Response Number 15

Name: jabuck
Date: October 18, 2008 at 18:20:43 Pacific

Reply: (edit)

Please download “Avenger” by swandog46 to your desktop from this link http://swandog46.geekstogo.com/avenger.zip
1. Click on Avenger.zip to open the file
Extract avenger.exe to your desktop

2. Copy all the text contained in the area between the X"s below to your Clipboard by highlighting it and pressing (Ctrl+C):
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
CODEDrivers to delete:
OUHGYI5N
OUHGY

Files to delete:
C:\WINDOWS\system32\[u]0[/u]UHgyi5N.exe
C:\WINDOWS\Prefetch\OUHGYI5N.EXE-05A70C5C.pf
C:\WINDOWS\system32\OUHGYI5N.EXE
Folders to delete:
%systemroot%\system32\OUHGY

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.
Now, start The Avenger program by clicking on its icon on your desktop.
Click in the window labeled Input Scrupt Here and paste the text copied to the clipboard into it by pressing (Ctrl+V).
Click the Execute button
Answer "Yes" twice when prompted.
The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
Post a new Combofix log following the previous directions.

Report Offensive Follow Up For Removal

Response Number 16

Name: candygirl003
Date: October 26, 2008 at 16:04:22 Pacific

Reply: (edit)

I copied everything correctly and could not execute the code. The program said the script was invalid and the it needed to begin with a valid command directive.

Report Offensive Follow Up For Removal

Response Number 17

Name: jabuck
Date: October 26, 2008 at 16:58:34 Pacific

Reply: (edit)

Ok, let try it this way.
Open Notepad and copy/paste everything between the X"s into it and make sure the first word (such as KILLALL, Or File, etc.) is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
KILLALL::
File::
C:\WINDOWS\Prefetch\OUHGYI5N.EXE-05A70C5C.pf
C:\WINDOWS\system32\OUHGYI5N.EXE

Driver::
OUHGYI5N
OUHGY
Folder::
C:\WINDOWS\system32\OUHGY

XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose" Save As", Change the "Save As Type" to All Files, Name it CFScript.txt then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red symbol on your desktop) if combofix does not auto start click "run".
Post a new Combofix log following the previous directions.

Report Offensive Follow Up For Removal

Response Number 18

Name: candygirl003
Date: October 28, 2008 at 17:35:58 Pacific

Reply: (edit)

ComboFix 08-10-14.07 - Owner 2008-10-28 19:01:50.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.193 [GMT -5:00]
Running from: C:\Documents and Settings\Owner\My Documents\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.
- REDUCED FUNCTIONALITY MODE -
FILE ::
C:\WINDOWS\Prefetch\OUHGYI5N.EXE-05A70C5C.pf
C:\WINDOWS\system32\OUHGYI5N.EXE
.
((((((((((((((((((((((((( Files Created from 2008-09-28 to 2008-10-29 )))))))))))))))))))))))))))))))
.
2008-10-24 23:22 . 2008-10-24 23:22 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\PlayFirst
2008-10-18 19:08 . 2008-10-18 19:08 <DIR> d-------- C:\_OTMoveIt
2008-10-11 00:49 . 2008-10-11 22:59 <DIR> d-------- C:\Program Files\backups
2008-10-11 00:17 . 2008-10-11 00:17 401,720 --a------ C:\Program Files\HiJackThis.exe
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-10-29 00:05 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-10-28 23:30 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-10-25 04:45 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-10-15 00:03 --------- d-----w C:\Program Files\Java
2008-10-12 04:00 9,903 ----a-w C:\Program Files\hijackthis.log
2008-10-12 03:37 9,866 ----a-w C:\Program Files\hijackthis10-11.txt
2008-10-11 02:09 --------- d-----w C:\Program Files\TurboTax
2008-08-28 10:04 333,056 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2006-05-07 16:14 4 ----a-w C:\Documents and Settings\Owner\lock.dat
2007-12-05 19:04 32 --sha-w C:\WINDOWS\{2AE2AF11-423A-415A-BE59-1FADF125AEC5}.dat
2007-12-05 19:04 32 --sha-w C:\WINDOWS\system32\{07BC977D-5803-4989-9F59-061605E6DFEA}.dat
.
------- Sigcheck -------
2002-08-29 07:00 516608 2246d8d8f4714a2cedb21ab9b1849abb C:\WINDOWS\$NtServicePackUninstall$\winlogon.exe
2004-08-04 02:56 502272 01c3346c241652f43aed8e2149881bfe C:\WINDOWS\ServicePackFiles\i386\winlogon.exe
2008-04-13 19:12 507904 ed0ef0a136dec83df69f04118870003e C:\WINDOWS\SoftwareDistribution\Download\dd9ab5193501484cf5e6884fa1d22f9e\winlogon.exe
2008-10-10 22:37 502272 9b1bd82bd0761b5ba986af66d2809c30 C:\WINDOWS\system32\winlogon.exe
.
((((((((((((((((((((((((((((( snapshot@2008-10-14_20.05.40.40 )))))))))))))))))))))))))))))))))))))))))
.
- 2006-08-17 12:28:27 332,288 -c----w C:\WINDOWS\system32\dllcache\netapi32.dll
+ 2008-10-15 16:57:55 332,800 -c----w C:\WINDOWS\system32\dllcache\netapi32.dll
- 2006-08-17 12:28:27 332,288 ----a-w C:\WINDOWS\system32\netapi32.dll
+ 2008-10-15 16:57:55 332,800 ----a-w C:\WINDOWS\system32\netapi32.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PhilipsLime"="C:\Program Files\Philips\Philips Lime Service\bin\LimeAlive.exe" [2005-09-08 159744]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 1694208]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2004-12-31 469824]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd.exe" [2002-12-17 49152]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe" [2003-03-11 172032]
"DeviceDiscovery"="C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe" [2002-12-02 40960]
"HotKeysCmds"="C:\WINDOWS\System32\hkcmd.exe" [2004-08-20 118784]
"PhilipsDM"="C:\Program Files\Philips\Philips Device Manager\Bin\DeviceManager.exe" [2005-09-15 520192]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 221184]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-11-16 100056]
"IgfxTray"="C:\WINDOWS\System32\igfxtray.exe" [2004-08-20 155648]
"ProSiteFinder"="C:\Program Files\ProSiteFinder\prositefinder.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [BU]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"FlashPlayerUpdate"="C:\WINDOWS\system32\Macromed\Flash\FlashUtil9b.exe" [2006-11-09 190072]
C:\Documents and Settings\Owner\Start Menu\Programs\Startup\
spamsubtract.lnk - C:\Program Files\interMute\SpamSubtract\SpamSubtract.exe [2003-04-10 552960]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-09-15 65588]
Microsoft Works Calendar Reminders.lnk - C:\Program Files\Common Files\Microsoft Shared\Works Shared\wkcalrem.exe [1999-09-05 53317]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I420"= i420vfw.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
S3 getPlus(R) Helper;getPlus(R) Helper;C:\Program Files\NOS\bin\getPlus_HelperSvc.exe [2008-06-26 31592]
.
Contents of the 'Scheduled Tasks' folder
2005-05-26 C:\WINDOWS\Tasks\easy Internet sign-up.job
- C:\Program Files\Easy Internet signup\HPSdpApp.exe [2003-03-12 02:34]
2008-10-25 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Owner.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2005-10-19 12:54]
2008-10-28 C:\WINDOWS\Tasks\Symantec NetDetect.job
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE [2004-07-19 17:26]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-10-28 19:06:10
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
r Running Proce
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.EXE
C:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
C:\Program Files\Softex\OmniPass\omniServ.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Philips\Philips Lime Service\bin\Lime.exe
C:\Program Files\Common Files\Symantec Shared\NMain.exe
.
**************************************************************************
.
Completion time: 2008-10-28 19:25:04 - machine was rebooted
ComboFix-quarantined-files.txt 2008-10-29 00:24:45
ComboFix2.txt 2008-10-19 00:25:22
ComboFix3.txt 2008-10-16 00:46:36
ComboFix4.txt 2008-10-15 01:21:46
Pre-Run: 55,976,316,928 bytes free
Post-Run: 55,975,030,784 bytes free
132 --- E O F --- 2008-10-23 23:59:36

Report Offensive Follow Up For Removal

Response Number 19

Name: candygirl003
Date: November 1, 2008 at 21:10:14 Pacific

Reply: (edit)

I found a program called Mirar in my add or remove programs list. Should i manually delete it?

Report Offensive Follow Up For Removal

Desktop & Taskbar disappe...

Virus on Internet Browser

Post Locked

This post is quite old and has been locked from receiving new replies. Please create a new posting instead.

Go to Security and Virus Forum Home

Specialty Forums
Security and Virus
General Hardware
CPUs/Overclocking
Networking
Digital Photo/Video
Office Software
PC Gaming
Console Gaming
Programming
Database
Web Development
Digital Home

The Lounge

Drivers
Driver Scan
Driver Forum

Software