
Hijackthis Log...


  • This topic is locked
32 replies to this topic

#1 soccerdudemulder


Posted 19 July 2006 - 11:02 PM

I've done a scan with Spyware Nuker prior to this.
I seem to be getting these popups when I'm connected to the internet. I was wondering if someone could help me fix this problem.

Any help is appreciated.....Mike




Logfile of HijackThis v1.99.1
Scan saved at 10:58:32 PM, on 7/19/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\TWljaGFlbCBNdWxkZXI\command.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Documents and Settings\Michael Mulder\Desktop\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uetrm.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gyavwmv.exe
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153075245793
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by16fd.bay16.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{42511F91-9CAF-4466-B02A-B8E2B4CC15EC}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\g4400ehmeh4a0.dll
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\FTNTEXT.DLL (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWljaGFlbCBNdWxkZXI\command.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
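As an added example (not part of the original post, and not a BleepingComputer or HijackThis tool), the script below runs the checks a log reader applies by hand to the entries above: both F2 lines carry an extra executable (uetrm.exe after Explorer.exe, gyavwmv.exe after userinit.exe), the O20 entry "App Management" points at a letters-and-digits jumble in system32, the "Uninstall" notify DLL is missing on disk, cmdService reports no publisher, ny.contentmatch.net was added to IE's Trusted Zone, and the service's directory name TWljaGFlbCBNdWxkZXI is unpadded base64 for "Michael Mulder", the account name that appears in the log's own Documents and Settings paths. The same decoding explains MTE3NDI6ODoxNg.exe in the ComboFix deletions further down (it decodes to 11742:8:16). The sample lines are copied from the log above; the random-name and base64 checks are heuristics of this example, not HijackThis rules.

```python
"""Triage a HijackThis 1.99 log for the hijack indicators discussed in this thread.

Added example, not part of the original post. The sample lines are copied from
the log above; the random-name and base64 checks are heuristics, not HijackThis rules.
"""
import base64
import re

# Constructed sample: a subset of the entries from the log above, one per line,
# exactly as HijackThis 1.99 prints them.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\uetrm.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,gyavwmv.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O20 - Winlogon Notify: App Management - C:\WINDOWS\system32\g4400ehmeh4a0.dll
O20 - Winlogon Notify: Uninstall - C:\WINDOWS\system32\FTNTEXT.DLL (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\TWljaGFlbCBNdWxkZXI\command.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
"""

# At least 12 base64 characters (9 decoded bytes); short or dotted names never match.
B64_NAME = re.compile(r"^[A-Za-z0-9+/]{12,}={0,2}$")


def decode_base64_name(name):
    """Return the decoded text if `name` is (unpadded) base64 of printable ASCII, else None."""
    if not B64_NAME.match(name) or len(name) % 4 == 1:  # len % 4 == 1 is never valid base64
        return None
    try:
        raw = base64.b64decode(name + "=" * (-len(name) % 4), validate=True)
    except ValueError:  # binascii.Error subclasses ValueError
        return None
    if raw and all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def triage(log_text):
    """Return (entry_type, reason, detail) tuples for the entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, _, body = line.partition(" - ")
        if kind == "F2" and "Shell=" in body:
            # Shell= should be exactly Explorer.exe; anything after the comma also runs at logon.
            parts = [p.strip() for p in body.split("Shell=", 1)[1].split(",")]
            extra = [p for p in parts if p.lower() != "explorer.exe"]
            if extra:
                findings.append(("F2", "extra Shell executable", ", ".join(extra)))
        elif kind == "F2" and "UserInit=" in body:
            # UserInit= is a comma-separated list; only the real userinit.exe belongs there.
            parts = [p.strip() for p in body.split("UserInit=", 1)[1].split(",")]
            extra = [p for p in parts if p and not p.lower().endswith("userinit.exe")]
            if extra:
                findings.append(("F2", "extra UserInit executable", ", ".join(extra)))
        elif kind == "O15":
            # Trusted Zone sites bypass most IE zone restrictions; none are expected on a home PC.
            findings.append(("O15", "Trusted Zone addition", body.split(": ", 1)[1]))
        elif kind == "O20":
            path = body.rsplit(" - ", 1)[1]
            basename = path.split("\\")[-1]
            if "(file missing)" in path:
                findings.append(("O20", "Winlogon Notify DLL missing on disk", path))
            elif re.search(r"\d", basename) and re.search(r"[A-Za-z]", basename):
                # Heuristic: a letters-and-digits jumble in system32 is typical of droppers.
                findings.append(("O20", "random-looking Winlogon Notify DLL", path))
        elif kind == "O23" and "Unknown owner" in body:
            findings.append(("O23", "service binary with no publisher", body.rsplit(" - ", 1)[1]))
        # Base64-named directories or files can appear in any entry type.
        for component in re.split(r"[\\/]", body):
            for candidate in {component, component.rsplit(".", 1)[0]}:
                decoded = decode_base64_name(candidate)
                if decoded:
                    findings.append((kind, "base64 path component", f"{candidate} -> {decoded!r}"))
    return findings


if __name__ == "__main__":
    for kind, reason, detail in triage(SAMPLE_LOG):
        print(f"{kind:<4} {reason}: {detail}")
```

Run against the full log it will also flag O9/O18 entries only if you extend it; the point of the base64 check is that a directory or file whose name is valid base64 of the victim's own user name or of a timestamp-like string is a strong sign of a dropper naming its files per machine, which a signature-based scanner will not catch by name.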


#2 Buckeye_Sam

Malware Expert

Posted 20 July 2006 - 06:44 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.


Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

#3 soccerdudemulder

Topic Starter

Posted 20 July 2006 - 07:38 PM

Here is my combofix log.

Start Time= Thu 07/20/2006 19:26:10.85
Running from: C:\Documents and Settings\Michael Mulder\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\IntelWireless
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WgaLogon\Settings
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{324F4670-4297-4107-80CE-0EBFBBFC193C}]
@=""

[HKEY_CLASSES_ROOT\clsid\{324F4670-4297-4107-80CE-0EBFBBFC193C}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{324F4670-4297-4107-80CE-0EBFBBFC193C}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{324F4670-4297-4107-80CE-0EBFBBFC193C}\InprocServer32]
@="C:\\WINDOWS\\system32\\GXDEF.DLL"
"ThreadingModel"="Apartment"

Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

19:28:20.23

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst



No infected Qoologic files found. Reg entries were fixed


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Michael Mulder\Local Settings\Temp\Temporary Internet Files\Content.IE5\UDKXGBUV\dfndrad_5[1].exe
C:\Documents and Settings\Michael Mulder\Local Settings\Temporary Internet Files\Content.IE5\1WRURZPZ\dfndrad_5[1].exe
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\MTE3NDI6ODoxNg.exe
C:\WINDOWS\SYSTEM32\atmtd.dll.tmp
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\WINDOWS\TWljaGFlbCBNdWxkZXI


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-19 23:11 635 C:\WINDOWS\win.ini
2006-07-19 23:11 227 C:\WINDOWS\system.ini
2006-07-19 22:36 233,961 C:\WINDOWS\system32\lv2o09f3e.dll
2006-07-18 23:12 <DIR> C:\Program Files\Common Files\symantec shared
2006-07-18 22:14 236,073 C:\WINDOWS\system32\lv8609lse.dll
2006-07-17 22:06 233,961 C:\WINDOWS\system32\matlsapi.dll
2006-07-17 21:48 236,073 C:\WINDOWS\system32\whvdmod.dll
2006-07-17 14:19 359,822 C:\WINDOWS\system32\perfstringbackup.ini
2006-07-17 14:10 <DIR> C:\Program Files\symantec
2006-07-17 14:10 <DIR> C:\Program Files\norton internet security
2006-07-17 14:07 4,608 C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-07-17 13:28 234,272 C:\WINDOWS\system32\gju32.dll
2006-07-17 13:15 234,306 C:\WINDOWS\system32\hbsetup.dll
2006-07-17 13:12 <DIR> C:\Program Files\Common Files\{8c749232-0703-1033-1008-040410220001}
2006-07-17 12:48 <DIR> C:\Program Files\online services
2006-07-17 12:47 <DIR> C:\Program Files\msupdate
2006-07-17 12:20 <DIR> C:\Program Files\windows nt
2006-07-17 11:58 <DIR> C:\Program Files\windows installer clean up
2006-07-17 11:50 67,645 C:\WINDOWS\system32\drivers\pshook11.sys
2006-07-17 11:23 234,272 C:\WINDOWS\system32\feeploy.dll
2006-07-17 00:10 69,632 C:\WINDOWS\system32\kkhjcacg.dll
2006-07-17 00:10 69,632 C:\WINDOWS\system32\fpjmbmlc.dll
2006-07-17 00:10 33,012 C:\WINDOWS\system32\tpuninstall.exe
2006-07-17 00:08 925 C:\WINDOWS\system32\nt68rrtc12.sys
2006-07-17 00:08 0 C:\Documents and Settings\Michael Mulder\Application Data\internaldb41.dat
2006-07-17 00:07 45,076 C:\WINDOWS\system32\okdsregr.exe
2006-07-17 00:07 45,068 C:\WINDOWS\system32\zicorn003.exe
2006-07-17 00:07 235,134 C:\WINDOWS\srvsxjoczy.exe
2006-07-17 00:07 184,829 C:\WINDOWS\srvzsxzfbj.exe
2006-07-17 00:07 159,876 C:\WINDOWS\system32\qwinlpez.exe
2006-07-17 00:04 208,896 C:\WINDOWS\system32\x3cqp0.dll
2006-07-17 00:02 <DIR> C:\Program Files\common files
2006-07-16 14:23 5,680 C:\WINDOWS\system32\drivers\psntkd20.sys
2006-07-16 14:02 <DIR> C:\Program Files\Common Files\microsoft shared
2006-07-16 12:55 <DIR> C:\Program Files\Common Files\izqr
2006-07-16 12:55 <DIR> C:\Program Files\Common Files\{8c749232-0702-1033-1008-040410220001}
2006-07-16 11:56 <DIR> C:\Program Files\spyware nuker
2006-07-16 11:45 1,063 C:\WINDOWS\system32\xiwc60dc.sys
2006-07-16 11:40 38,412 C:\WINDOWS\ssqbn.exe
2006-07-16 11:40 <DIR> C:\Program Files\msn gaming zone
2006-07-16 11:39 235,134 C:\WINDOWS\srvakinpqh.exe
2006-07-16 11:39 184,829 C:\WINDOWS\srvducsirz.exe
2006-07-16 11:38 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-16 11:38 <DIR> C:\Program Files\divx
2006-07-16 11:16 <DIR> C:\Program Files\limewire
2006-07-15 13:02 <DIR> C:\Program Files\counterstrike
2006-07-11 22:41 <DIR> C:\Program Files\intervideo
2006-07-11 22:41 <DIR> C:\Program Files\Common Files\intervideo
2006-07-11 22:40 <DIR> C:\Program Files\installshield installation information
2006-06-30 00:53 3,712 C:\WINDOWS\system32\drivers\lbeepke.sys
2006-06-30 00:13 53,248 C:\WINDOWS\system32\kemxml.dll
2006-06-30 00:13 155,648 C:\WINDOWS\system32\kemutb.dll
2006-06-30 00:13 110,592 C:\WINDOWS\system32\kemwnd.dll
2006-06-30 00:12 126,976 C:\WINDOWS\system32\kemutil.dll
2006-06-29 09:07 61,440 C:\WINDOWS\system32\battyrun.dll
2006-06-23 10:22 9,216 C:\WINDOWS\gvcvsomt.dll
2006-06-22 13:24 <DIR> C:\Program Files\ipod
2006-06-19 16:20 702,768 C:\WINDOWS\system32\wgalogon.dll
2006-06-16 10:29 <DIR> C:\Program Files\partygaming.net
2006-06-15 22:36 <DIR> C:\Program Files\internet explorer
2006-06-15 16:55 778,240 C:\WINDOWS\system32\divx_xx0c.dll
2006-06-15 16:55 778,240 C:\WINDOWS\system32\divx_xx07.dll
2006-06-15 16:55 761,856 C:\WINDOWS\system32\divx_xx11.dll
2006-06-15 16:55 620,180 C:\WINDOWS\system32\divx.dll
2006-06-14 12:49 118,784 C:\WINDOWS\system32\divxcodecupdatechecker.exe
2006-06-12 14:22 520,192 C:\WINDOWS\system32\divxsm.exe
2006-06-11 14:10 <DIR> C:\Program Files\Common Files\logitech
2006-05-29 22:43 <DIR> C:\Documents and Settings\Michael Mulder\Application Data\apple computer
2006-05-24 17:47 3,596,288 C:\WINDOWS\system32\qt-dx331.dll
2006-05-24 17:46 90,112 C:\WINDOWS\system32\dpl100.dll
2006-05-24 17:46 593,920 C:\WINDOWS\system32\dpugui11.dll
2006-05-24 17:46 57,344 C:\WINDOWS\system32\dpv11.dll
2006-05-24 17:46 53,248 C:\WINDOWS\system32\dpugui10.dll
2006-05-24 17:46 344,064 C:\WINDOWS\system32\dpus11.dll
2006-05-24 17:46 294,912 C:\WINDOWS\system32\dpu11.dll
2006-05-24 17:46 294,912 C:\WINDOWS\system32\dpu10.dll
2006-05-24 17:46 200,704 C:\WINDOWS\system32\dtu100.dll
2006-05-24 17:43 245,408 C:\WINDOWS\system32\unicows.dll
2006-05-24 17:43 200,704 C:\WINDOWS\system32\ssldivx.dll
2006-05-24 17:43 1,044,480 C:\WINDOWS\system32\libdivx.dll
2006-05-19 07:59 94,720 C:\WINDOWS\system32\iphlpapi.dll
2006-05-19 07:59 148,480 C:\WINDOWS\system32\dnsapi.dll
2006-05-19 07:59 111,616 C:\WINDOWS\system32\dhcpcsvc.dll
2006-05-10 09:48 94,208 C:\WINDOWS\khalmnpr.exe


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-20 15:54 233,961 C:\WINDOWS\system32\lv2o09f3e.dll
2006-07-19 22:30 236,073 C:\WINDOWS\system32\lv8609lse.dll
2006-07-17 22:06 233,961 C:\WINDOWS\system32\MATLSAPI.DLL
2006-07-17 21:48 236,073 C:\WINDOWS\system32\whvdmod.dll
2006-07-17 13:28 234,272 C:\WINDOWS\system32\GJU32.DLL
2006-07-17 13:15 234,306 C:\WINDOWS\system32\hbsetup.dll
2006-07-17 11:50 127,208 C:\WINDOWS\system32\mucltui.dll
2006-07-17 11:23 234,272 C:\WINDOWS\system32\FEEPLOY.DLL
2006-07-17 00:10 69,632 C:\WINDOWS\system32\kkhjcacg.dll
2006-07-17 00:10 69,632 C:\WINDOWS\system32\fpjmbmlc.dll
2006-07-17 00:08 925 C:\WINDOWS\system32\nt68rrtc12.sys
2006-07-17 00:07 45,076 C:\WINDOWS\system32\okdsregr.exe
2006-07-17 00:07 45,068 C:\WINDOWS\system32\ZICORN003.exe
2006-07-17 00:07 235,134 C:\WINDOWS\srvsxjoczy.exe
2006-07-17 00:07 184,829 C:\WINDOWS\srvzsxzfbj.exe
2006-07-17 00:07 159,876 C:\WINDOWS\system32\qwinlpez.exe
2006-07-17 00:07 1,063 C:\WINDOWS\system32\aaa00000.sys
2006-07-17 00:04 208,896 C:\WINDOWS\system32\x3cqp0.dll
2006-07-16 11:47 33,012 C:\WINDOWS\system32\tpuninstall.exe
2006-07-16 11:39 38,412 C:\WINDOWS\ssqbn.exe
2006-07-16 11:39 235,134 C:\WINDOWS\srvakinpqh.exe
2006-07-16 11:39 184,829 C:\WINDOWS\srvducsirz.exe
2006-07-16 11:39 1,063 C:\WINDOWS\system32\xiwc60dc.sys
2006-07-16 11:38 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-11 22:41 204,800 C:\WINDOWS\system32\IVIresizeW7.dll
2006-07-11 22:41 200,704 C:\WINDOWS\system32\IVIresizeA6.dll
2006-07-11 22:41 20,480 C:\WINDOWS\system32\IVIresize.dll
2006-07-11 22:41 192,512 C:\WINDOWS\system32\IVIresizeP6.dll
2006-07-11 22:41 192,512 C:\WINDOWS\system32\IVIresizeM6.dll
2006-07-11 22:41 188,416 C:\WINDOWS\system32\IVIresizePX.dll
2006-07-11 22:38 363,520 C:\WINDOWS\system32\PsisDecd.dll
2006-07-11 22:38 3,072 C:\WINDOWS\system32\34CoInstaller.dll
2006-07-06 18:41 7,882 C:\WINDOWS\system32\GTKCMOS.sys
2006-07-06 18:41 7,626 C:\WINDOWS\system32\GPCIEnum.sys
2006-07-06 18:41 7,168 C:\WINDOWS\system32\DLPT64.sys
2006-07-06 18:41 6,656 C:\WINDOWS\system32\DLPT2.sys
2006-07-06 18:41 5,632 C:\WINDOWS\system32\GPCIEn64.sys
2006-07-06 18:41 5,120 C:\WINDOWS\system32\GTKCMO64.sys
2006-07-06 18:41 4,608 C:\WINDOWS\system32\DDMI64.sys
2006-06-29 09:07 61,440 C:\WINDOWS\system32\BattyRun.dll
2006-06-23 10:22 9,216 C:\WINDOWS\gvcvsomt.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"IS CfgWiz"="C:\\Program Files\\Norton Internet Security\\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE \"REBOOT\""
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{8C749232-0702-1033-1008-040410220001}"="\"C:\\Program Files\\Common Files\\{8C749232-0702-1033-1008-040410220001}\\Update.exe\" mc-110-12-0000140"
"{8C749232-0703-1033-1008-040410220001}"="\"C:\\Program Files\\Common Files\\{8C749232-0703-1033-1008-040410220001}\\Update.exe\" mc-110-12-0000137"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"="1"
"NoAdminPage"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyzezer.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows NT\\howywypen.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ACS.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\ACS.lnk"
"backup"="C:\\WINDOWS\\pss\\ACS.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\SYSTEM32\\ACS.BAT "
"item"="ACS"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link AirPlus Xtreme G Configuration Utility.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\D-Link AirPlus Xtreme G Configuration Utility.lnk"
"backup"="C:\\WINDOWS\\pss\\D-Link AirPlus Xtreme G Configuration Utility.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\D-Link AirPlus Xtreme G\\AirPlus.exe "
"item"="D-Link AirPlus Xtreme G Configuration Utility"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^D-Link REG Utility.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\D-Link REG Utility.lnk"
"backup"="C:\\WINDOWS\\pss\\D-Link REG Utility.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\D-Link AirPlus Xtreme G\\Reg.exe "
"item"="D-Link REG Utility"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Line Detect.lnk"
"backup"="C:\\WINDOWS\\pss\\Digital Line Detect.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\DLG.exe "
"item"="Digital Line Detect"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^wcoos.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\wcoos.exe"
"backup"="C:\\WINDOWS\\pss\\wcoos.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\wcoos.exe"
"item"="wcoos"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael Mulder^Start Menu^Programs^Startup^csrss.lnk]
"path"="C:\\Documents and Settings\\Michael Mulder\\Start Menu\\Programs\\Startup\\csrss.lnk"
"backup"="C:\\WINDOWS\\pss\\csrss.lnkStartup"
"location"="Startup"
"command"=" "
"item"="csrss"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael Mulder^Start Menu^Programs^Startup^Zeno.lnk]
"path"="C:\\Documents and Settings\\Michael Mulder\\Start Menu\\Programs\\Startup\\Zeno.lnk"
"backup"="C:\\WINDOWS\\pss\\Zeno.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\SYSTEM32\\qwinlpez.exe CORN003"
"item"="Zeno"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michael Mulder^Start Menu^Programs^Startup^Z_Start.lnk]
"path"="C:\\Documents and Settings\\Michael Mulder\\Start Menu\\Programs\\Startup\\Z_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\Z_Start.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\SYSTEM32\\dwdsregt.exe CORN003"
"item"="Z_Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aingn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="etcnmg"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\etcnmg.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rundll32"
"hkey"="HKLM"
"command"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qwinlpez"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\qwinlpez.exe CORN003"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cBkbCDbA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cBkbCDbA"
"hkey"="HKLM"
"command"="c:\\documents and settings\\michael mulder\\local settings\\temp\\cBkbCDbA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrad_5"
"hkey"="HKLM"
"command"="C:\\\\dfndrad_5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DSAgnt"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tfswctrl"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DMXLauncher"
"hkey"="HKLM"
"command"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DVDLauncher"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\elgfme]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="etcnmg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\etcnmg.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hhl7RfpJ]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ssn6tuu"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\system32\\ssn6tuu.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\izqr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="izqrm"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\COMMON~1\\izqr\\izqrm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdad_5"
"hkey"="HKLM"
"command"="C:\\\\kybrdad_5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="csrss"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\cgwfosol\\csrss.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Logi_MwX"
"hkey"="HKLM"
"command"="Logi_MwX.Exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="McAgent"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\McAfee.com\\Agent\\McAgent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcupdate"
"hkey"="HKLM"
"command"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\meetlouddalebags]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="BIASCORN"
"hkey"="HKLM"
"command"="C:\\Documents and Settings\\All Users\\Application Data\\ChinKnobMeetLoud\\BIASCORN.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsgPlus"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\MSN Messenger\\MsgPlus.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms-update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="scvhost"
"hkey"="HKLM"
"command"="scvhost.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsUpdate]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MsUpdate"
"hkey"="HKLM"
"command"="C:\\Program Files\\MsUpdate\\MsUpdate.exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~2"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmad_5"
"hkey"="HKLM"
"command"="C:\\\\nwnmad_5.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nufkhqbA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nufkhqbA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\nufkhqbA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oasclnt"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\oXdsya]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qngka"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\qngka.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSHope]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSHope"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSHope\\PSHope.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="csrss"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\cgwfosol\\csrss.exe"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Nuker]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="swn2"
"hkey"="HKLM"
"command"="C:\\Program Files\\Spyware Nuker 2004\\swn2.exe /h"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UsrPrmpt"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SNDMon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SYSC00"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SYSC00.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\This Rule]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FordWarnSave"
"hkey"="HKCU"
"command"="C:\\DOCUME~1\\MICHAE~1\\APPLIC~1\\OPTION~1\\FordWarnSave.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tsl2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="tsl2"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\COMMON~1\\tsa\\tsl2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -u"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -u"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcvsshld"
"hkey"="HKLM"
"command"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mcmnhdlr"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w027bded.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w027bded.dll,I2 001c60db0027bded"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w21878ee.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w21878ee.dll,I2 001c60db021878ee"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Services Hosts]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svhosts"
"hkey"="HKLM"
"command"="svhosts.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinDVR SchSvr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SchSvr"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\InterVideo\\SchSvr\\SchSvr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinScMngr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winsmc"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\winsmc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xiwc60dc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w0270f4c.dll,n 001c60db000000030270f4c"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{49-92-23-32-ZN}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="okdsregr"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\okdsregr.exe CORN003"
"inimapping"="0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Thu 07/20/2006 19:29:38.79
ComboFix ver 06.07.20 - This logfile is located at C:\ComboFix.txt

ComboFix.txt
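
The startupreg dump above is msconfig's record of Run entries that were unchecked on its Startup tab, so it preserves the full command line of everything that used to autostart on this machine. Read structurally, a good part of it gives itself away without any lookup: a binary in Local Settings\Temp, executables dropped in the root of C: (dfndrad_5.exe, kybrdad_5.exe, nwnmad_5.exe) or directly in C:\WINDOWS, a csrss.exe living in a system32 subfolder and started through the win.ini Load mapping (inimapping set to 1), scvhost.exe with no path at all, and rundll32 loading w027bded.dll by bare name. The script below is an added example, not part of the thread and not ComboFix code; it parses the .reg-style export and applies exactly those checks to a handful of entries copied from the dump. Structural checks cannot judge a random name sitting in system32 (etcnmg.exe, qwinlpez.exe, ssn6tuu.exe), which still needs a hash or signature lookup, and a bare name such as Logi_MwX.Exe is flagged only so that someone locates the file, not as malicious.

```python
"""Triage a ComboFix msconfig/startupreg dump (added example, not ComboFix code)."""
import difflib
import re

SECTION_RE = re.compile(r"^\[.*\\msconfig\\startupreg\\(.+)\]$", re.I)
VALUE_RE = re.compile(r'^"(\w+)"="(.*)"$')
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|cpl|com|scr))(?:\s+(.*))?$", re.I)
WININI_KEY = "software\\microsoft\\windows nt\\currentversion\\windows"
SYSTEM_NAMES = ["csrss.exe", "lsass.exe", "services.exe", "smss.exe",
                "spoolsv.exe", "svchost.exe", "winlogon.exe"]


def unescape(value):
    # .reg escaping (backslash-backslash, backslash-quote), undone in one pass.
    return re.sub(r"\\(.)", r"\1", value)


def parse_startupreg(text):
    """One dict per [..\\startupreg\\NAME] section, holding its quoted values."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        section = SECTION_RE.match(line)
        value = VALUE_RE.match(line)
        if section:
            current = {"name": section.group(1)}
            entries.append(current)
        elif value and current is not None:
            current[value.group(1)] = unescape(value.group(2))
    return entries


def split_command(command):
    """Separate the executable from its arguments, quoted or not."""
    command = command.strip()
    if command.startswith('"'):
        exe, _, args = command[1:].partition('"')
        return exe, args.strip()
    m = EXE_RE.match(command)            # unquoted path, possibly with spaces
    if m:
        return m.group(1), m.group(2) or ""
    exe, _, args = command.partition(" ")
    return exe, args


def assess(entry):
    """Reasons this entry deserves a closer look; an empty list means clean."""
    command = entry.get("command", "")
    if not command:                       # emptied entries such as Steam above
        return []
    reasons = []
    if entry.get("key", "").lower() == WININI_KEY:
        reasons.append("uses the win.ini Load/Run mapping")
    exe, args = split_command(command)
    path = re.sub(r"\\+", r"\\", exe.lower())      # C:\\x.exe -> c:\x.exe
    directory, _, base = path.rpartition("\\")
    if base in ("rundll32", "rundll32.exe"):
        dll = args.split(",", 1)[0].strip().lower()
        if dll.endswith(".dll") and "\\" not in dll:   # .cpl applets are normal
            reasons.append(f"rundll32 loads {dll} by bare name via DLL search order")
    elif not directory:
        reasons.append("bare filename resolved through PATH")
        near = [n for n in SYSTEM_NAMES if n != base
                and difflib.SequenceMatcher(None, base, n).ratio() > 0.85]
        if near:
            reasons.append(f"name mimics {near[0]}")
    else:
        if re.search(r"\\(local settings\\)?temp$", directory):
            reasons.append("runs from a temp directory")
        elif re.fullmatch(r"[a-z]:", directory):
            reasons.append("executable dropped in the drive root")
        elif directory.endswith(":\\windows"):
            reasons.append("executable dropped directly in the Windows directory")
        if base in SYSTEM_NAMES and not directory.endswith((":\\windows", ":\\windows\\system32")):
            reasons.append(f"{base} outside its expected directory")
    return reasons


def triage(text):
    """Map entry name -> reasons, keeping only entries that raised at least one."""
    results = ((e["name"], assess(e)) for e in parse_startupreg(text))
    return {name: reasons for name, reasons in results if reasons}


# Entries copied from the dump above, trimmed to the values the checks read.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cBkbCDbA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"command"="c:\\documents and settings\\michael mulder\\local settings\\temp\\cBkbCDbA.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"command"="C:\\\\dfndrad_5.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"command"="C:\\WINDOWS\\system32\\cgwfosol\\csrss.exe"
"inimapping"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms-update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"command"="scvhost.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\w027bded.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"command"="RUNDLL32.EXE w027bded.dll,I2 001c60db0027bded"
'''
```

Calling triage(SAMPLE) returns one reason list per flagged entry; ATIPTA, the one legitimate entry in the sample, comes back clean. The rundll32 check deliberately ignores .cpl applets because bthprops.cpl, loaded the same way in the dump, is a stock Windows component, and the lookalike test uses a plain similarity ratio so that scvhost.exe lands next to svchost.exe without a dictionary of known typosquats.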

#4 Buckeye_Sam

    Malware Expert
  • Location:Pickerington, Ohio

Posted 21 July 2006 - 03:07 PM

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a check next to Run this program as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt and a new HiJackThis log.
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive.com/support/new/images/lib/MSWINSCK.OCX


=============


Download AlcanShorty
  • Click the download button below and agree to download the fix.
  • Download Alcanshorty to your desktop.
  • DoubleClick alcanshorty_en.exe and click install
  • This will create a new folder on your desktop called alcanshorty_en
  • Open that folder and doubleclick Run.bat
  • Once the fix starts, your icons and desktop will disappear, this is normal.
Make sure you have a working internet connection. In case your firewall gives an alert, don't block it, because alcanshorty needs to download some additional files to let the tool run properly.
  • Wait for the complete script execution box to popup and press OK.
  • Press exit to terminate the BFU program.
=============


Now I need to see a different type of log from Hijackthis
  • Run Hijackthis.
  • Click on "Open the Misc Tools section".
  • Next click on "Open uninstall manager".
  • Press the button 'save list'. It will open a Notepad file.
  • Place the content of that file in your next reply.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#5 soccerdudemulder

Posted 28 July 2006 - 12:36 AM

Logfile of HijackThis v1.99.1
Scan saved at 12:34:13 AM, on 7/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael Mulder\Desktop\HijackThis[1].exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153075245793
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by16fd.bay16.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{42511F91-9CAF-4466-B02A-B8E2B4CC15EC}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 2006-07-28 0:25:02

Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP116\A0021211.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP117\A0021289.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP117\A0021316.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP117\A0021317.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0021426.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0021460.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021631.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021652.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021661.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021779.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021873.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021942.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021961.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021972.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021994.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022008.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022015.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022018.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022030.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022042.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022043.dll
Infected! C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022054.dll
Infected! C:\WINDOWS\SYSTEM32\hbsetup.dll
Infected! C:\WINDOWS\SYSTEM32\lv2o09f3e.dll
Infected! C:\WINDOWS\SYSTEM32\lv8609lse.dll
Infected! C:\WINDOWS\SYSTEM32\whvdmod.dll
Infected! C:\WINDOWS\system32\guard.tmp

Attempting to delete infected files...

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP116\A0021211.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP116\A0021211.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP117\A0021289.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP117\A0021289.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP117\A0021316.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP117\A0021316.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP117\A0021317.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP117\A0021317.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0021426.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0021426.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0021460.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP119\A0021460.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021631.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021631.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021652.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021652.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021661.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP120\A0021661.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021779.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021779.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021873.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021873.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021942.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021942.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021961.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021961.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021972.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021972.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021994.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0021994.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022008.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022008.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022015.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022015.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022018.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022018.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022030.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022030.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022042.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022042.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022043.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022043.dll Deleted successfully!

Attempting to delete: C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022054.dll
C:\System Volume Information\_restore{46DE8921-1D39-44D2-A9E9-64119261F211}\RP123\A0022054.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\hbsetup.dll
C:\WINDOWS\SYSTEM32\hbsetup.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\lv2o09f3e.dll
C:\WINDOWS\SYSTEM32\lv2o09f3e.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\lv8609lse.dll
C:\WINDOWS\SYSTEM32\lv8609lse.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\whvdmod.dll
C:\WINDOWS\SYSTEM32\whvdmod.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\guard.tmp Deleted successfully!

Making registry repairs.


Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded
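
The log above is what a helper reads after the cleanup, and what matters is not the long list of Symantec and Intel services but the few lines that still point somewhere they should not. Two O9 entries and the O18 msnim handler reference files that are no longer on disk; the O15 line places ny.contentmatch.net in the Trusted Zone, where IE applies its loosest security settings, so any site the owner did not add deliberately should come out; each O16 DPF line is an ActiveX control downloaded from some host; and the O17 NameServer shows whether DNS still points at the LAN router or at a resolver nobody configured. The script below is an added example, not HijackThis code or anything posted in the thread; it parses the O/R line format and sorts a handful of lines copied from the log above into those buckets. The DNS check is only a private-address test: it says nothing about a public resolver beyond the fact that it is not on the LAN.

```python
"""Bucket HijackThis 1.99 log entries for review (added example, not HJT code)."""
import ipaddress
import re
from urllib.parse import urlparse

LINE_RE = re.compile(r"^(R\d|O\d{1,2}) - (.*)$")
NAMESERVER_RE = re.compile(r"NameServer = ([\d.,]+)")
ORPHAN_MARKERS = ("(file missing)", "(no file)")


def parse_hjt(text):
    """Return (section code, body) for every entry line, skipping the header."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def review(text):
    """Sort entries into the buckets a helper looks at first."""
    findings = {"trusted_zone": [], "orphaned": [], "dpf_hosts": [],
                "nameservers": [], "autoruns": []}
    for code, body in parse_hjt(text):
        if code == "O15":
            # Trusted Zone sites run under IE's most relaxed security settings.
            findings["trusted_zone"].append(body)
        if any(marker in body for marker in ORPHAN_MARKERS):
            # The file is gone but its registration survived: harmless, but noise.
            findings["orphaned"].append((code, body))
        if code == "O16":
            # Downloaded ActiveX controls: keep the origin host for allow-listing.
            url = body.rsplit(" - ", 1)[-1]
            findings["dpf_hosts"].append(urlparse(url).hostname)
        if code == "O17":
            m = NAMESERVER_RE.search(body)
            for addr in (m.group(1).split(",") if m else []):
                # A resolver outside the LAN that nobody set up suggests DNS hijacking.
                findings["nameservers"].append((addr, ipaddress.ip_address(addr).is_private))
        if code == "O4":
            findings["autoruns"].append(body)
    return findings


# Lines copied from the log above; the truncated URL is left as it appears there.
SAMPLE_LOG = r'''
Logfile of HijackThis v1.99.1
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe (file missing)
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{42511F91-9CAF-4466-B02A-B8E2B4CC15EC}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
'''
```

review(SAMPLE_LOG) returns the O15 entry under trusted_zone, the three dead references under orphaned, the two DPF origin hosts, the router address marked private, and the O4 autoruns for a final look; the O23 services are left alone because their paths and vendors are intact.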

#6 soccerdudemulder

Posted 28 July 2006 - 12:43 AM

Here is the list.


AC3Filter (remove only)
Adobe Acrobat and Reader 6.0.3 Update
Adobe Reader 6.0.1
ALPS Touch Pad Driver
ATI - Software Uninstall Utility
ATI Control Panel
ATI Display Driver
BlueJ 2.1.2
Broadcom Management Programs
CC_ccProxyExt
ccCommon
ccPxyCore
Conexant D110 MDC V.9x Modem
Dell Driver Reset Tool
Dell Home Systems Services Agreement
Dell Support 5.0.0 (766)
Digital Line Detect
DivX
DivX Converter
DivX Player
Half-Life® 2
HijackThis 1.99.1
Intel® PROSet/Wireless Software
Internet Explorer Default Page
InterVideo WinDVR 3
iPod for Windows 2006-03-23
iTunes
J2SE Development Kit 5.0 Update 6
J2SE Runtime Environment 5.0 Update 6
Java 2 Runtime Environment, SE v1.4.2_03
LimeWire
LimeWire 4.12.3
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Logitech SetPoint
Macromedia Flash Player 8
Magic DVD Ripper V3.6
mCore
mDrWiFi
mHlpDell
Microsoft Office Basic Edition 2003
Microsoft Office Professional Edition 2003
mIWA
mIWCA
mLogView
mMHouse
Modem Helper
mPfMgr
mPfWiz
mProSafe
MSN Messenger 7.5
MSRedist
mSSO
mToolkit
mWlsSafe
mXML
mZConfig
NetWaiting
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton WMI Update
Norton WMI Update
PartyPokerNet
Photo Click
PowerDVD 5.1
QuickSet
QuickTime
RealPlayer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Sonic DLA
Sonic MyDVD
Sonic RecordNow!
Sonic Update Manager
SPBBC
SpeechRedist
Spyware Nuker XT
Steam™
Symantec Script Blocking Installer
SymNet
Unreal Tournament 2004
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Media Format Runtime
Windows Media Player 10
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086

#7 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 28 July 2006 - 05:52 PM

Run HijackThis again, click Scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm



==============



Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.
=============


Run msconfig and enable all startup items.
Don't reboot yet!


=============


Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
  • Once the setup is complete you will need to run ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
  • Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
    IMPORTANT: Do not open any other windows or programs while ewido is scanning; it may interfere with the scanning process.
  • Launch ewido anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions"
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
  • Close ewido and reboot your system back into Normal Mode and post the results of the ewido scan report along with a new hijackthis log.
Also post a new log from Combofix.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
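
Added example, not part of the original post and not a HijackThis, ComboFix or BleepingComputer tool: a Python script that does, over the Run-key entries of a ComboFix "Reg Loading Points" dump, the kind of triage the helper above performs by eye when deciding which lines to have fixed. The heuristics, system-process name list, edit-distance threshold and folder patterns are assumptions of this example; the sample entries are copied from the Run-key dump posted later in this thread.

```python
"""Heuristic triage of Run-key autoruns from a ComboFix "Reg Loading Points" dump.

Parses .reg-style  "Name"="command"  lines and flags what a helper pulls out by eye:
typo-squatted system process names, value names borrowing a system process name,
rundll32 loading an unqualified DLL, random-looking binaries, and executables in the
Windows root, temp or Application Data folders. Hits are leads, not verdicts."""
import re
from collections import namedtuple

SYSTEM_PROCS = {"svchost", "csrss", "lsass", "smss", "winlogon", "services",
                "explorer", "ctfmon", "spoolsv"}          # assumed list, extend as needed
LOADERS = {"rundll32", "rundll32.exe"}
KNOWN_BARE = {"bthprops.cpl"}  # assumed: legitimately given without a directory
SUSPICIOUS_DIRS = ("\\local settings\\temp", "\\temp\\", "\\application data\\", "\\applic~1\\")
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>.*)"$')
FIRST_FILE = re.compile(r'^(?P<path>.*?\.(?:exe|dll|cpl|scr|com))(?=[\s,]|$)', re.I)

Finding = namedtuple("Finding", "name target reasons")

def unescape(reg_string):  # .reg escaping: doubled backslash and backslash-quote
    return re.sub(r"\\(.)", r"\1", reg_string)

def parse_value(line):
    """Return (value name, command) for a  "Name"="cmd"  line, else None."""
    m = REG_VALUE.match(line.strip())
    return (m["name"], unescape(m["cmd"])) if m else None

def program_of(cmd):
    """File a command launches: quoted path, bare token, or unquoted path with spaces."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    first = (cmd.split() or [""])[0]
    if "\\" not in first or re.search(r"\.(exe|dll|cpl|scr|com)$", first, re.I):
        return first
    m = FIRST_FILE.match(cmd)
    return m["path"] if m else first

def effective_target(cmd):
    """For rundll32 the DLL argument is what really runs. Returns (target, via_loader)."""
    prog = program_of(cmd)
    if prog.rsplit("\\", 1)[-1].lower() in LOADERS:
        c = cmd.strip()
        rest = c[c.lower().find(prog.lower()) + len(prog):].lstrip(' "')
        return program_of(rest).split(",")[0], True
    return prog, False

def stem(path):  # lower-cased file name without directory or extension
    return path.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]

def osa_distance(a, b):
    """Optimal-string-alignment edit distance: one swapped pair (scvhost) costs 1."""
    d = [[max(i, j) if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]

def triage_value(name, cmd):
    """Return a Finding for one Run value, or None when nothing looks off."""
    target, via_loader = effective_target(cmd)
    low = target.lower()
    directory, base = low.rsplit("\\", 1) if "\\" in low else ("", low)
    s, reasons = stem(target), []
    if base and not directory and base not in KNOWN_BARE:
        reasons.append(("rundll32 loads" if via_loader else "launches") + " an unqualified file name, resolved by search order")
    if s not in SYSTEM_PROCS and any(0 < osa_distance(s, p) <= 2 for p in SYSTEM_PROCS):
        reasons.append(f"'{base}' is a look-alike of a Windows system process name")
    if stem(name) in SYSTEM_PROCS and s != stem(name):
        reasons.append(f"value name '{name}' borrows a system process name but runs {base}")
    if len(s) >= 6 and re.search(r"[a-z]\d+[a-z]", s):  # digits wedged between letters: w0270f4c, ssn6tuu
        reasons.append(f"random-looking file name '{base}'")
    if directory == "c:\\windows":
        reasons.append("executable dropped directly in the Windows root")
    if any(d in directory + "\\" for d in SUSPICIOUS_DIRS):
        reasons.append("runs from a temp or profile data folder")
    return Finding(name, target, reasons) if reasons else None

def triage(lines):
    """Parse every Run value line of a dump and return the Findings in log order."""
    return [f for f in (triage_value(*p) for p in map(parse_value, lines) if p) if f]

# Constructed sample: entries copied from the ComboFix Run-key dump posted in this thread.
SAMPLE_RUN_KEY = r'''
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"xiwc60dc"="RUNDLL32.EXE w0270f4c.dll,n 001c60db000000030270f4c"
"Windows Services Hosts"="svhosts.exe"
"ms-update"="scvhost.exe"
"TheMonitor"="C:\\WINDOWS\\SYSC00.exe"
"cBkbCDbA"="c:\\documents and settings\\michael mulder\\local settings\\temp\\cBkbCDbA.exe"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"csrss"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
'''.strip().splitlines()

if __name__ == "__main__":
    print(*triage(SAMPLE_RUN_KEY), sep="\n")
```

Feed it the whole `[HKEY_LOCAL_MACHINE\...\run]` and `[HKEY_CURRENT_USER\...\run]` blocks of a log and read the reasons next to each hit; vendor binaries registered by bare name (Logitech's, for instance) will trip the "unqualified file name" rule, which is why every finding carries its reasons rather than a verdict. The edit-distance rule is what catches `scvhost.exe` and `svhosts.exe` while leaving the real `svchost.exe` alone, and the value-name rule catches the `csrss` entry that points at a Dell support agent.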

#8 soccerdudemulder

soccerdudemulder
  • Topic Starter

  • Members
  • 33 posts

Posted 30 July 2006 - 01:29 AM

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 1:22:25 AM 7/30/2006

+ Scan result:



C:\WINDOWS\SYSTEM32\fpjmbmlc.dll -> Adware.Agent : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\kkhjcacg.dll -> Adware.Agent : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-3329334534-3705701884-2821479724-1006\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag.1 -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CLSID -> Adware.ISTBar : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\TestContentMatchControl1.ContentMatchTag\CurVer -> Adware.ISTBar : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\FEEPLOY.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\GJU32.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\MATLSAPI.DLL -> Adware.Look2Me : Cleaned with backup (quarantined).
C:\Program Files\Common Files\Real\WeatherBug\MiniBugTransporter.dll -> Adware.Minibug : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\x3cqp0.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup (quarantined).
C:\WINDOWS\gvcvsomt.dll -> Downloader.Small.ajc : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael Mulder\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-727edbcd.zip/NewSecurityClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
C:\Documents and Settings\Michael Mulder\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\java.jar-8fba449-727edbcd.zip/NewURLClassLoader.class -> Not-A-Virus.Exploit.ByteVerify : Cleaned with backup (quarantined).
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : Cleaned with backup (quarantined).


::Report end

#9 soccerdudemulder

soccerdudemulder
  • Topic Starter

  • Members
  • 33 posts

Posted 30 July 2006 - 01:42 AM

Start Time= Sun 07/30/2006 1:29:54.85
Running from: C:\Documents and Settings\Michael Mulder\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

1:31:11.43

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-19 16:19 304944 C:\WINDOWS\system32\WgaTray.exe
2006-06-12 14:22 520192 C:\WINDOWS\system32\DivXsm.exe
2006-05-29 10:30 1494016 C:\WINDOWS\system32\shdocvw.dll
2006-05-24 17:43 1044480 C:\WINDOWS\system32\libdivx.dll
2006-05-10 00:23 658432 C:\WINDOWS\system32\wininet.dll
2006-05-10 00:23 474112 C:\WINDOWS\system32\shlwapi.dll
2006-05-18 00:24 450560 C:\WINDOWS\system32\jscript.dll
2006-05-10 00:22 357888 C:\WINDOWS\system32\dxtmsft.dll
2006-05-10 00:22 251392 C:\WINDOWS\system32\iepeers.dll
2006-05-24 17:43 245408 C:\WINDOWS\system32\unicows.dll
2006-05-10 00:22 205312 C:\WINDOWS\system32\dxtrans.dll
2006-05-24 17:43 200704 C:\WINDOWS\system32\ssldivx.dll
2006-05-14 03:44 181248 C:\WINDOWS\system32\rasmans.dll
2006-06-01 13:47 163840 C:\WINDOWS\system32\jgdw400.dll
2006-05-10 00:22 151040 C:\WINDOWS\system32\cdfview.dll
2006-05-10 00:23 39424 C:\WINDOWS\system32\pngfilt.dll
2006-06-01 13:47 27648 C:\WINDOWS\system32\jgpl400.dll
2006-05-10 00:22 16384 C:\WINDOWS\system32\jsproxy.dll
2006-07-16 11:38 8464 C:\WINDOWS\system32\sporder.dll
2006-05-19 10:08 3052544 C:\WINDOWS\system32\mshtml.dll
2006-05-10 00:23 613888 C:\WINDOWS\system32\urlmon.dll
2006-05-10 00:23 532480 C:\WINDOWS\system32\mstime.dll
2006-05-24 17:46 344064 C:\WINDOWS\system32\dpus11.dll
2006-05-24 17:46 200704 C:\WINDOWS\system32\dtu100.dll
2006-05-19 07:59 148480 C:\WINDOWS\system32\dnsapi.dll
2006-05-10 00:22 96256 C:\WINDOWS\system32\inseng.dll
2006-05-24 17:46 90112 C:\WINDOWS\system32\dpl100.dll
2006-05-10 00:22 55808 C:\WINDOWS\system32\extmgr.dll
2006-05-10 00:22 1054208 C:\WINDOWS\system32\danim.dll
2006-05-24 17:46 294912 C:\WINDOWS\system32\dpu10.dll
2006-05-24 17:46 294912 C:\WINDOWS\system32\dpu11.dll
2006-05-24 17:46 57344 C:\WINDOWS\system32\dpv11.dll


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *



DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\DivXsm.exe
C:\WINDOWS\system32\shdocvw.dll
C:\WINDOWS\system32\libdivx.dll
C:\WINDOWS\system32\wininet.dll
C:\WINDOWS\system32\shlwapi.dll
C:\WINDOWS\system32\jscript.dll
C:\WINDOWS\system32\dxtmsft.dll
C:\WINDOWS\system32\iepeers.dll
C:\WINDOWS\system32\unicows.dll
C:\WINDOWS\system32\dxtrans.dll
C:\WINDOWS\system32\ssldivx.dll
C:\WINDOWS\system32\rasmans.dll
C:\WINDOWS\system32\jgdw400.dll
C:\WINDOWS\system32\cdfview.dll
C:\WINDOWS\system32\pngfilt.dll
C:\WINDOWS\system32\jgpl400.dll
C:\WINDOWS\system32\jsproxy.dll
C:\WINDOWS\system32\sporder.dll
C:\WINDOWS\system32\mshtml.dll
C:\WINDOWS\system32\urlmon.dll
C:\WINDOWS\system32\mstime.dll
C:\WINDOWS\system32\dpus11.dll
C:\WINDOWS\system32\dtu100.dll
C:\WINDOWS\system32\dnsapi.dll
C:\WINDOWS\system32\inseng.dll
C:\WINDOWS\system32\dpl100.dll
C:\WINDOWS\system32\extmgr.dll
C:\WINDOWS\system32\danim.dll
C:\WINDOWS\system32\dpu10.dll
C:\WINDOWS\system32\dpu11.dll
C:\WINDOWS\system32\dpv11.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-30 01:24 <DIR> C:\Program Files\Common Files\symantec shared
2006-07-30 01:24 <DIR> C:\Program Files\common files
2006-07-30 01:00 <DIR> C:\Program Files\ewido anti-spyware 4.0
2006-07-30 00:46 635 C:\WINDOWS\win.ini
2006-07-30 00:46 227 C:\WINDOWS\system.ini
2006-07-29 00:11 641,021 C:\WINDOWS\unins000.exe
2006-07-29 00:11 <DIR> C:\Program Files\xvid
2006-07-28 10:56 <DIR> C:\Program Files\partygaming.net
2006-07-20 20:30 <DIR> C:\Program Files\counterstrike
2006-07-20 20:13 <DIR> C:\Documents and Settings\Michael Mulder\Application Data\logitech
2006-07-20 20:10 <DIR> C:\Program Files\logitech
2006-07-20 20:10 <DIR> C:\Program Files\Common Files\logitech
2006-07-20 20:05 359,822 C:\WINDOWS\system32\perfstringbackup.ini
2006-07-20 19:53 <DIR> C:\Program Files\Common Files\microsoft shared
2006-07-20 19:49 <DIR> C:\Program Files\Common Files\sonic shared
2006-07-20 19:48 <DIR> C:\Program Files\microsoft plus! digital media edition
2006-07-20 19:46 <DIR> C:\Program Files\installshield installation information
2006-07-17 14:10 <DIR> C:\Program Files\symantec
2006-07-17 14:10 <DIR> C:\Program Files\norton internet security
2006-07-17 14:07 4,608 C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-07-17 13:12 <DIR> C:\Program Files\Common Files\{8c749232-0703-1033-1008-040410220001}
2006-07-17 12:48 <DIR> C:\Program Files\online services
2006-07-17 12:20 <DIR> C:\Program Files\windows nt
2006-07-17 11:58 <DIR> C:\Program Files\windows installer clean up
2006-07-17 11:50 67,645 C:\WINDOWS\system32\drivers\pshook11.sys
2006-07-17 00:10 33,012 C:\WINDOWS\system32\tpuninstall.exe
2006-07-17 00:08 925 C:\WINDOWS\system32\nt68rrtc12.sys
2006-07-17 00:08 0 C:\Documents and Settings\Michael Mulder\Application Data\internaldb41.dat
2006-07-17 00:07 235,134 C:\WINDOWS\srvsxjoczy.exe
2006-07-17 00:07 184,829 C:\WINDOWS\srvzsxzfbj.exe
2006-07-16 14:23 5,680 C:\WINDOWS\system32\drivers\psntkd20.sys
2006-07-16 12:55 <DIR> C:\Program Files\Common Files\izqr
2006-07-16 12:55 <DIR> C:\Program Files\Common Files\{8c749232-0702-1033-1008-040410220001}
2006-07-16 11:56 <DIR> C:\Program Files\spyware nuker
2006-07-16 11:45 1,063 C:\WINDOWS\system32\xiwc60dc.sys
2006-07-16 11:40 38,412 C:\WINDOWS\ssqbn.exe
2006-07-16 11:40 <DIR> C:\Program Files\msn gaming zone
2006-07-16 11:39 235,134 C:\WINDOWS\srvakinpqh.exe
2006-07-16 11:39 184,829 C:\WINDOWS\srvducsirz.exe
2006-07-16 11:38 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-16 11:38 <DIR> C:\Program Files\divx
2006-07-16 11:16 <DIR> C:\Program Files\limewire
2006-07-11 22:41 <DIR> C:\Program Files\intervideo
2006-07-11 22:41 <DIR> C:\Program Files\Common Files\intervideo
2006-06-29 09:07 61,440 C:\WINDOWS\system32\battyrun.dll
2006-06-22 13:24 <DIR> C:\Program Files\ipod
2006-06-19 16:20 702,768 C:\WINDOWS\system32\wgalogon.dll
2006-06-15 22:36 <DIR> C:\Program Files\internet explorer
2006-06-15 16:55 778,240 C:\WINDOWS\system32\divx_xx0c.dll
2006-06-15 16:55 778,240 C:\WINDOWS\system32\divx_xx07.dll
2006-06-15 16:55 761,856 C:\WINDOWS\system32\divx_xx11.dll
2006-06-15 16:55 620,180 C:\WINDOWS\system32\divx.dll
2006-06-14 12:49 118,784 C:\WINDOWS\system32\divxcodecupdatechecker.exe
2006-06-12 14:22 520,192 C:\WINDOWS\system32\divxsm.exe
2006-05-24 17:47 3,596,288 C:\WINDOWS\system32\qt-dx331.dll
2006-05-24 17:46 90,112 C:\WINDOWS\system32\dpl100.dll
2006-05-24 17:46 593,920 C:\WINDOWS\system32\dpugui11.dll
2006-05-24 17:46 57,344 C:\WINDOWS\system32\dpv11.dll
2006-05-24 17:46 53,248 C:\WINDOWS\system32\dpugui10.dll
2006-05-24 17:46 344,064 C:\WINDOWS\system32\dpus11.dll
2006-05-24 17:46 294,912 C:\WINDOWS\system32\dpu11.dll
2006-05-24 17:46 294,912 C:\WINDOWS\system32\dpu10.dll
2006-05-24 17:46 200,704 C:\WINDOWS\system32\dtu100.dll
2006-05-24 17:43 245,408 C:\WINDOWS\system32\unicows.dll
2006-05-24 17:43 200,704 C:\WINDOWS\system32\ssldivx.dll
2006-05-24 17:43 1,044,480 C:\WINDOWS\system32\libdivx.dll
2006-05-19 07:59 94,720 C:\WINDOWS\system32\iphlpapi.dll
2006-05-19 07:59 148,480 C:\WINDOWS\system32\dnsapi.dll
2006-05-19 07:59 111,616 C:\WINDOWS\system32\dhcpcsvc.dll


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-30 01:23 536,129,536 C:\hiberfil.sys
2006-07-29 00:11 641,021 C:\WINDOWS\unins000.exe
2006-07-29 00:11 45,056 C:\WINDOWS\system32\WNASPI32.DLL
2006-07-29 00:11 187,904 C:\WINDOWS\system32\Lame.exe
2006-07-29 00:11 166,912 C:\WINDOWS\system32\Lame_enc.dll
2006-07-20 20:10 29,696 C:\WINDOWS\KHALMNPR.Exe
2006-07-17 11:50 127,208 C:\WINDOWS\system32\mucltui.dll
2006-07-17 00:08 925 C:\WINDOWS\system32\nt68rrtc12.sys
2006-07-17 00:07 235,134 C:\WINDOWS\srvsxjoczy.exe
2006-07-17 00:07 184,829 C:\WINDOWS\srvzsxzfbj.exe
2006-07-17 00:07 1,063 C:\WINDOWS\system32\aaa00000.sys
2006-07-16 11:47 33,012 C:\WINDOWS\system32\tpuninstall.exe
2006-07-16 11:39 38,412 C:\WINDOWS\ssqbn.exe
2006-07-16 11:39 235,134 C:\WINDOWS\srvakinpqh.exe
2006-07-16 11:39 184,829 C:\WINDOWS\srvducsirz.exe
2006-07-16 11:39 1,063 C:\WINDOWS\system32\xiwc60dc.sys
2006-07-16 11:38 8,464 C:\WINDOWS\system32\sporder.dll
2006-07-11 22:41 204,800 C:\WINDOWS\system32\IVIresizeW7.dll
2006-07-11 22:41 200,704 C:\WINDOWS\system32\IVIresizeA6.dll
2006-07-11 22:41 20,480 C:\WINDOWS\system32\IVIresize.dll
2006-07-11 22:41 192,512 C:\WINDOWS\system32\IVIresizeP6.dll
2006-07-11 22:41 192,512 C:\WINDOWS\system32\IVIresizeM6.dll
2006-07-11 22:41 188,416 C:\WINDOWS\system32\IVIresizePX.dll
2006-07-11 22:38 363,520 C:\WINDOWS\system32\PsisDecd.dll
2006-07-11 22:38 3,072 C:\WINDOWS\system32\34CoInstaller.dll
2006-07-06 18:41 7,882 C:\WINDOWS\system32\GTKCMOS.sys
2006-07-06 18:41 7,626 C:\WINDOWS\system32\GPCIEnum.sys
2006-07-06 18:41 7,168 C:\WINDOWS\system32\DLPT64.sys
2006-07-06 18:41 6,656 C:\WINDOWS\system32\DLPT2.sys
2006-07-06 18:41 5,632 C:\WINDOWS\system32\GPCIEn64.sys
2006-07-06 18:41 5,120 C:\WINDOWS\system32\GTKCMO64.sys
2006-07-06 18:41 4,608 C:\WINDOWS\system32\DDMI64.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Dell QuickSet"="C:\\Program Files\\Dell\\QuickSet\\quickset.exe"
"Apoint"="C:\\Program Files\\Apoint\\Apoint.exe"
"IntelWireless"="C:\\Program Files\\Intel\\Wireless\\Bin\\ifrmewrk.exe /tf Intel PROSet/Wireless"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"IS CfgWiz"="C:\\Program Files\\Norton Internet Security\\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE \"REBOOT\""
"{49-92-23-32-ZN}"="c:\\windows\\system32\\okdsregr.exe CORN003"
"xiwc60dc"="RUNDLL32.EXE w0270f4c.dll,n 001c60db000000030270f4c"
"WinScMngr"="C:\\WINDOWS\\winsmc.exe"
"WinDVR SchSvr"="\"C:\\Program Files\\Common Files\\InterVideo\\SchSvr\\SchSvr.exe\""
"Windows Services Hosts"="svhosts.exe"
"w21878ee.dll"="RUNDLL32.EXE w21878ee.dll,I2 001c60db021878ee"
"w027bded.dll"="RUNDLL32.EXE w027bded.dll,I2 001c60db0027bded"
"VSOCheckTask"="\"C:\\PROGRA~1\\McAfee.com\\VSO\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="C:\\Program Files\\McAfee.com\\VSO\\mcvsshld.exe"
"UserFaultCheck"="%systemroot%\\system32\\dumprep 0 -u"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"Tsl2"="C:\\PROGRA~1\\COMMON~1\\tsa\\tsl2.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"TheMonitor"="C:\\WINDOWS\\SYSC00.exe"
"Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Spyware Nuker"="C:\\Program Files\\Spyware Nuker 2004\\swn2.exe /h"
"RealTray"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"oXdsya"="C:\\WINDOWS\\qngka.exe"
"OASClnt"="C:\\Program Files\\McAfee.com\\VSO\\oasclnt.exe"
"nufkhqbA"="C:\\WINDOWS\\nufkhqbA.exe"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"MsUpdate"="C:\\Program Files\\MsUpdate\\MsUpdate.exe /auto"
"ms-update"="scvhost.exe"
"MessengerPlus3"="\"C:\\Program Files\\MSN Messenger\\MsgPlus.exe\""
"meetlouddalebags"="C:\\Documents and Settings\\All Users\\Application Data\\ChinKnobMeetLoud\\BIASCORN.exe"
"MCUpdateExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcupdate.exe"
"MCAgentExe"="C:\\PROGRA~1\\McAfee.com\\Agent\\McAgent.exe"
"Logitech Utility"="Logi_MwX.Exe"
"Logitech Hardware Abstraction Layer"="KHALMNPR.EXE"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"Internet Optimizer"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"Hhl7RfpJ"="\"C:\\WINDOWS\\system32\\ssn6tuu.exe\""
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"DMXLauncher"="C:\\Program Files\\Dell\\Media Experience\\DMXLauncher.exe"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"cBkbCDbA"="c:\\documents and settings\\michael mulder\\local settings\\temp\\cBkbCDbA.exe"
"BrowserUpdateSched"="C:\\WINDOWS\\system32\\qwinlpez.exe CORN003"
"BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"This Rule"="C:\\DOCUME~1\\MICHAE~1\\APPLIC~1\\OPTION~1\\FordWarnSave.exe"
"Steam"=""
"PSHope"="\"C:\\Program Files\\PSHope\\PSHope.exe\""
"izqr"="C:\\PROGRA~1\\COMMON~1\\izqr\\izqrm.exe"
"DellSupport"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"
"csrss"="\"C:\\Program Files\\Dell Support\\DSAgnt.exe\" /startup"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{8C749232-0702-1033-1008-040410220001}"="\"C:\\Program Files\\Common Files\\{8C749232-0702-1033-1008-040410220001}\\Update.exe\" mc-110-12-0000140"
"{8C749232-0703-1033-1008-040410220001}"="\"C:\\Program Files\\Common Files\\{8C749232-0703-1033-1008-040410220001}\\Update.exe\" mc-110-12-0000137"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoAdminPage"="1"
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\kyzezer.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows NT\\howywypen.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00000000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,40
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,20,01,00,00,00,00,00,00,80,04,00,00,66,03,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sun 07/30/2006 1:34:25.86
ComboFix ver 06.07.20 - This logfile is located at C:\ComboFix.txt



Logfile of HijackThis v1.99.1
Scan saved at 1:40:53 AM, on 7/30/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Dell\QuickSet\quickset.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Logitech\SetPoint\KEM.exe
C:\Program Files\Logitech\SetPoint\KHALMNPR.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Michael Mulder\Desktop\HijackThis[1].exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost;<local>
O3 - Toolbar: Norton Internet Security - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] C:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\KEM.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyGaming.net\PartyPokerNet\RunPF.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} - http://download.mcafee.com/molbin/shared/m...01/mcinsctl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1153075245793
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {BD393C14-72AD-4790-A095-76522973D6B8} (CBreakshotControl Class) - http://messenger.zone.msn.com/binary/Bankshot.cab31267.cab
O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by16fd.bay16.hotmail.msn.com/activex/HMAtchmt.ocx
O17 - HKLM\System\CCS\Services\Tcpip\..\{42511F91-9CAF-4466-B02A-B8E2B4CC15EC}: NameServer = 192.168.0.1
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: IntelWireless - C:\Program Files\Intel\Wireless\Bin\LgNotify.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - C:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

#10 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:57 PM

Posted 30 July 2006 - 07:42 AM

Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"{49-92-23-32-ZN}"=-
"xiwc60dc"=-
"WinScMngr"=-
"Windows Services Hosts"=-
"w21878ee.dll"=-
"w027bded.dll"=-
"Tsl2"=-
"TheMonitor"=-
"oXdsya"=-
"nufkhqbA"=-
"MsUpdate"=-
"ms-update"=-
"meetlouddalebags"=-
"Internet Optimizer"=-
"Hhl7RfpJ"=-
"cBkbCDbA"=-
"BrowserUpdateSched"=-
"ACTX1"=-

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"This Rule"=-
"PSHope"=-
"izqr"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"=-

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"=-

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.


==================


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\tpuninstall.exe
    C:\WINDOWS\system32\nt68rrtc12.sys
    C:\Documents and Settings\Michael Mulder\Application Data\internaldb41.dat
    C:\WINDOWS\srvsxjoczy.exe
    C:\WINDOWS\srvzsxzfbj.exe
    C:\WINDOWS\ssqbn.exe
    C:\WINDOWS\srvakinpqh.exe
    C:\WINDOWS\srvducsirz.exe
    C:\WINDOWS\system32\battyrun.dll
    C:\WINDOWS\system32\aaa00000.sys
    C:\Program Files\MSN Gaming Zone\kyzezer.html
    C:\Program Files\Windows NT\howywypen.html
    c:\windows\system32\okdsregr.exe
    C:\WINDOWS\system32\ssn6tuu.exe
    C:\WINDOWS\system32\qwinlpez.exe
    C:\WINDOWS\winsmc.exe
    C:\WINDOWS\SYSC00.exe
    C:\WINDOWS\qngka.exe
    C:\WINDOWS\nufkhqbA.exe




  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
===============


Delete these folders.

C:\Program Files\Common Files\{8c749232-0703-1033-1008-040410220001}
C:\Program Files\Common Files\izqr
C:\Program Files\Common Files\tsa
C:\Program Files\MsUpdate
C:\Program Files\PSHope
C:\Program Files\Internet Optimizer
C:\Documents and Settings\All Users\Application Data\ChinKnobMeetLoud


===============


I would advise that you uninstall Spyware Nuker. It has a bad history and at one time was considered to be a rogue program. It has since improved a bit, but it's still far from trustworthy in my eyes.

http://spywarewarrior.com/rogue_anti-spyware.htm#swn_note


===============


I'd like to get a little more information on some suspicious files.
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box on the top of the page:
    • C:\WINDOWS\system32\drivers\psntkd20.sys
  • Disable your firewall if you are using one.
  • Click on the submit button
  • Reenable your firewall as soon as you get results.
  • Please post the results in your next reply.
Also have this file scanned.

C:\WINDOWS\system32\xiwc60dc.sys


=================


Reboot your computer once more and post a new HijackThis log, the log from Killbox, and the results of the virus scans on those two files.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!
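An added example, not part of Buckeye_Sam's post: a small Python dry-run parser for REGEDIT4 fix files like the fixme.reg above. It reports which Run values and keys merging the file would delete, so the fix can be reviewed before it touches the registry. The sample input is a constructed excerpt of the fix in the post; the function names are my own.

```python
import re

KEY_RE = re.compile(r'^\[(-?)(.+)\]$')       # [KEY] selects a key, [-KEY] deletes it
VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')   # "name"=- deletes a value, "name"="x" sets it


def parse_reg_fix(text):
    """Return (kind, key, name) tuples: kind is delete_key, delete_value or set_value."""
    lines = text.splitlines()
    # Mirrors the post: REGEDIT4 must be the very first line, nothing above it.
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("first line must be REGEDIT4 (no blank line above it)")
    actions, current_key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):   # skip blanks and comments
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(2)
            if m.group(1) == "-":              # [-KEY]: the whole key is removed
                actions.append(("delete_key", current_key, ""))
                current_key = None             # values cannot follow a deleted key
            continue
        m = VALUE_RE.match(line)
        if m and current_key:
            name, data = m.groups()
            kind = "delete_value" if data == "-" else "set_value"
            actions.append((kind, current_key, name))
    return actions


# Constructed excerpt of the fixme.reg in the post above, used as sample input.
SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"xiwc60dc"=-
"Internet Optimizer"=-

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"=-
"""

if __name__ == "__main__":
    for kind, key, name in parse_reg_fix(SAMPLE):
        print(f"{kind:13} {key}  {name}")
```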


========================================================

#11 soccerdudemulder

soccerdudemulder
  • Topic Starter

  • Members
  • 33 posts
  • Local time:04:57 PM

Posted 30 July 2006 - 03:09 PM

When I double-click the fixme.reg file on my desktop, it gives me a message that says it is not a valid Win32 application. It will only let me click OK; it doesn't ask me to merge anything. I have not completed the Option^Explicit thing.

#12 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:57 PM

Posted 30 July 2006 - 03:14 PM

Make sure you have this at the top line of fixme.reg

REGEDIT4


========================================================

#13 soccerdudemulder

soccerdudemulder
  • Topic Starter

  • Members
  • 33 posts
  • Local time:04:57 PM

Posted 30 July 2006 - 09:22 PM

I do have that at the top line and there are no spaces above that entry... the same error message still appears.

#14 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:04:57 PM

Posted 30 July 2006 - 09:26 PM

Go ahead with the rest of the steps and we'll come back to the reg fix from a different direction.


========================================================

#15 soccerdudemulder

soccerdudemulder
  • Topic Starter

  • Members
  • 33 posts
  • Local time:04:57 PM

Posted 31 July 2006 - 01:03 AM

Pocket Killbox version 2.0.0.648
Running on Windows XP as Michael Mulder(Administrator)
was started @ Monday, July 31, 2006, 12:56 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\tpuninstall.exe


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\nt68rrtc12.sys


# 3 [Delete on Reboot]
Path = C:\Documents and Settings\Michael Mulder\Application Data\internaldb41.dat


# 4 [Delete on Reboot]
Path = C:\WINDOWS\srvsxjoczy.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\srvzsxzfbj.exe


# 6 [Delete on Reboot]
Path = C:\WINDOWS\ssqbn.exe


# 7 [Delete on Reboot]
Path = C:\WINDOWS\srvakinpqh.exe


# 8 [Delete on Reboot]
Path = C:\WINDOWS\srvducsirz.exe


# 9 [Delete on Reboot]
Path = C:\WINDOWS\system32\battyrun.dll


# 10 [Delete on Reboot]
Path = C:\WINDOWS\system32\aaa00000.sys


# 11 [Delete on Reboot]
Path = C:\Program Files\MSN Gaming Zone\kyzezer.html


I Rebooted @ 12:59:27 AM
Killbox Closed(Exit) @ 12:59:30 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Michael Mulder(Administrator)
was started @ Monday, July 31, 2006, 1:01 AM
