
Severely Infected! - Tfthot.exe, Tagasaurus And Tons More


  • This topic is locked
4 replies to this topic

#1 nhdon
  • Members
  • 13 posts

Posted 23 July 2006 - 08:44 AM

Hi,
About 3 weeks ago, I posted that I had been infected and, with help from you guys here, I was going to attempt to fix it. But I have been so badly infected since then that I have difficulty even launching a window without lots of popups and my window disappearing. I've had programs automatically install themselves, though I didn't download anything or give an OK to run an exe file; suddenly they're just there and often they're running. Most claim to be "security software". I've had my home page redirected, and my desktop changed.
I've run AdAware, Spybot search and destroy, Housecall antivirus online scan, Stinger(nothing found), Vundofix(nothing found), Dr Web Cureit, and no matter how many times I run them, the garbage keeps multiplying.
Also, after startup, if I check my Windows Task Manager, there is something called "Project1" running, and sometimes something called "Project2". This is new and has occurred in the last 2 days.

On startup, I now get this error message:

"Error loading w05d6750.dll
The specified module could not be found"
I have no idea what that means, but it might mean something to you.

I am finally able to log in here and post an HJT and report my problems. Please help as soon as possible, or I might not be able to get back here for assistance.
Thanks,
Don


Previous post if you wish to see what has changed in 3 weeks.
http://www.bleepingcomputer.com/forums/t/57300/infeceted-with-winantiviruswinantivirusproadultfriendfinderprivatephonedrivecleanervipringtones-malware/

HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 9:01:54 AM, on 7/23/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
C:\WINDOWS\system32\drivers\KodakCCS.exe
C:\Program Files\NovaStor\NovaBackup\7\NSENGINE.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\TSIRCSRV.EXE
C:\WINDOWS\TSI32\tsircusr.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\WINDOWS\System32\VTtrayp.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\shicoxp.exe
C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE
C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe
C:\Program Files\Common Files\LapLink\Scheduler\LLSCHENG.EXE
C:\Program Files\Lexmark 7100 Series\lxbxmon.exe
C:\Program Files\Lexmark 7100 Series\ezprint.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\mptft.exe
C:\kybrded_7.exe
C:\WINDOWS\qnhzfaaA.exe
C:\WINDOWS\System32\ssec.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\tfthot.exe
C:\WINDOWS\xload.exe
C:\WINDOWS\mdurfyiA.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\System32\bdpn.exe
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\System32\lxbxcoms.exe
C:\WINDOWS\win32075181041499.exe
C:\WINDOWS\System32\xd7ehbkw.exe
C:\Program Files\Common Files\{3E14057E-0C7A-1033-0809-040116040001}\Update.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\M4800\PVRemote.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.neopets.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20069&k=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=20069&k=
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://home.netscape.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\iwrpp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe,ssxtbwk.exe
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [Ulead Photo Express Calendar Checker] C:\Program Files\Ulead Systems\Ulead Photo Express My Scrapbook 2.0\calcheck.exe
O4 - HKLM\..\Run: [LapLink Scheduler] "C:\Program Files\Common Files\LapLink\Scheduler\LLSCHED.EXE"
O4 - HKLM\..\Run: [AtariBanner] "C:\Program Files\Infogrames\Atari Anniversary Edition\Volume 2\Banner.exe" /0
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\WordPerfect Office 11\Programs\QFSCHD110.EXE"
O4 - HKLM\..\Run: [PowerS] C:\WINDOWSPowerS.exe
O4 - HKLM\..\Run: [WinDVR SchSvr] "C:\Program Files\Common Files\InterVideo\SchSvr\SchSvr.exe"
O4 - HKLM\..\Run: [Bjwzwt] C:\Program Files\Yeus\Xuqpzko.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [LXBXCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXBXtime.dll,_RunDLLEntry@16
O4 - HKLM\..\Run: [lxbxmon.exe] "C:\Program Files\Lexmark 7100 Series\lxbxmon.exe"
O4 - HKLM\..\Run: [FaxCenterServer4_in_1] "C:\Program Files\Lexmark 7100 Series\fm3032.exe" /s
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7100 Series\ezprint.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ftexc] C:\WINDOWS\System32\mptft.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrded_7.exe
O4 - HKLM\..\Run: [qnhzfaaA] C:\WINDOWS\qnhzfaaA.exe
O4 - HKLM\..\Run: [lggdc2c2] RUNDLL32.EXE w05d486e.dll,n 001dc2c10000000305d486e
O4 - HKLM\..\Run: [w05d6750.dll] RUNDLL32.EXE w05d6750.dll,I2 001dc2c1005d6750
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [mdurfyiA] C:\WINDOWS\mdurfyiA.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [kSPYv] "C:\WINDOWS\System32\bdpn.exe"
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [win32075181041499] C:\WINDOWS\win32075181041499.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [CAS2] "C:\Program Files\System Files\System.exe"
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - HKCU\..\Run: [Cas2Stub] C:\Program Files\Cas2Stub\cas2stub.exe -run
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Remote.lnk = C:\Program Files\M4800\PVRemote.exe
O4 - Global Startup: Quicken Startup.lnk = C:\Program Files\Quicken\QWDLLS.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Office10\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\System32\dmonwv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .avi: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O12 - Plugin for .mpeg: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin3.dll
O12 - Plugin for .UVR: C:\Program Files\Internet Explorer\Plugins\NPUPano.dll
O12 - Plugin for .wav: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin2.dll
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.mmohsix.com
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg.com/us.yimg.com/i/cha...t/c381/chat.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/games/clients/y/it1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.games.yahoo.com/games/clients/y/pote_x.cab
O16 - DPF: {09F1ADAC-76D8-4D0F-99A5-5C907DADB988} - http://www.systemdoctor.com/download/2006/...FreeInstall.cab
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} (MALPlaybackCtrl Class) - http://musicstore.connect.com/XSL/mb_us/ht...ALStreaming.cab
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} (mm06ocx.mm06ocxf) - mk:@MSITStore:C:\DOCUME~1\us\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1143711123921
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\System32\v199.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: lxbx_device - Lexmark International, Inc. - C:\WINDOWS\System32\lxbxcoms.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NsEngine - Unknown owner - C:\Program Files\NovaStor\NovaBackup\7\NSENGINE.exe
O23 - Service: Phoenix VCD Service (PhnxVCDService) - Phoenix Technologies Ltd. - C:\WINDOWS\System32\PhnxCDSvr.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: TSI Remote Control Service (TSIRCSRV) - LapLink, Inc. - C:\WINDOWS\System32\TSIRCSRV.EXE
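
Reading a HijackThis log of this length by hand is error-prone, so here is an added example (my own code, not the thread's, not HijackThis's and not BleepingComputer's) that parses the HJT 1.99 line layout shown above and flags the entry classes that carry this infection's persistence and hijack points: F2 Shell=/UserInit= values with executables appended, O15 Trusted Zone additions, the O18 text/html MIME filter, R0 search redirection, O4 autoruns launched from the Windows root or as a bare rundll32 DLL, and O23 services whose file is missing. The sample lines are copied from the log above; the "expected" Shell/UserInit names and the autorun heuristic are this example's own assumptions, not an official HJT rule set.

```python
"""Triage helper for HijackThis 1.99 log lines (added example, not HJT's own code)."""
from __future__ import annotations

import re
from dataclasses import dataclass

# HJT line shape: "<code> - <rest>", e.g. "O4 - HKLM\..\Run: [name] command"
_LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<rest>.*)$")

# Assumption: on a clean Windows XP box the system.ini Shell= and UserInit=
# values name exactly these programs; anything else appended there is
# an extra executable an analyst should look at.
_EXPECTED_SHELL = {"explorer.exe"}
_EXPECTED_USERINIT = {"userinit.exe"}


@dataclass
class Finding:
    code: str    # HJT prefix code (F2, O4, O15, ...)
    reason: str  # why the entry was flagged
    line: str    # the original log line


def _exes_in(value: str) -> list[str]:
    """Split a comma-separated Shell=/UserInit= value into lower-case basenames."""
    names = []
    for part in value.split(","):
        part = part.strip().strip('"')
        if part:
            names.append(part.replace("/", "\\").split("\\")[-1].lower())
    return names


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious entries found in an HJT log, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _LINE_RE.match(line)
        if not m:
            continue  # headers, process list, blank lines
        code, rest = m.group("code"), m.group("rest")
        if code == "F2" and "Shell=" in rest:
            extra = [n for n in _exes_in(rest.split("Shell=", 1)[1]) if n not in _EXPECTED_SHELL]
            if extra:
                findings.append(Finding(code, "extra shell executable(s): " + ", ".join(extra), line))
        elif code == "F2" and "UserInit=" in rest:
            extra = [n for n in _exes_in(rest.split("UserInit=", 1)[1]) if n not in _EXPECTED_USERINIT]
            if extra:
                findings.append(Finding(code, "extra UserInit executable(s): " + ", ".join(extra), line))
        elif code == "O15":
            findings.append(Finding(code, "domain added to IE Trusted Zone", line))
        elif code == "O18" and rest.lower().startswith("filter: text/html"):
            findings.append(Finding(code, "MIME filter hooking text/html (sees every page IE renders)", line))
        elif code == "R0" and "Search" in rest and "=" in rest:
            findings.append(Finding(code, "IE search provider redirected", line))
        elif code == "O4":
            # Heuristic (assumption): autoruns whose executable sits directly in
            # C:\WINDOWS, or that load a bare DLL name via rundll32, are unusual
            # for legitimate software and deserve a look.
            cmd = rest.split("]", 1)[-1].strip().strip('"').lower() if "]" in rest else rest.lower()
            if re.match(r"^c:\\windows\\[^\\]+\.exe", cmd) or re.match(r"^rundll32(\.exe)? [a-z0-9]+\.dll,", cmd):
                findings.append(Finding(code, "autorun from Windows root or bare rundll32 DLL", line))
        elif code == "O23" and "(file missing)" in rest:
            findings.append(Finding(code, "service points at a missing file (leftover or hidden)", line))
    return findings


# Sample lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=20069&k=
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\iwrpp.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\TSI32\tsircusr.exe,ssxtbwk.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [xload] "C:\WINDOWS\xload.exe"
O4 - HKLM\..\Run: [w05d6750.dll] RUNDLL32.EXE w05d6750.dll,I2 001dc2c1005d6750
O15 - Trusted Zone: *.winantivirus.com
O18 - Filter: text/html - {0F9A5F09-3BFD-40D3-85FE-36227430A374} - C:\WINDOWS\System32\v199.dll
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperLite\DKService.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.code}] {f.reason}\n    {f.line}")
```

The script only narrows the list; a flagged UserInit entry such as the LapLink tsircusr.exe above is "extra" but legitimate, so each finding still needs a human to check the file's publisher and path before anything is removed.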

#2 Rawe

  • Members
  • 2,363 posts
  • Gender:Male
  • Location:Finland

Posted 23 July 2006 - 09:20 AM

Wow, how did you get that many infections? Real collection there :thumbsup:

Ok, let's get started.

You WILL need an Anti-virus client since you don't have any....

Please get the free version of AVG.

Download & install it, configure it how you wish, update it. Next, run a scan with it (set it to scan everything it can). Remove/quarantine everything found. Reboot.

----

Then...

Download Combofix to your desktop:
  • Double-click combofix.exe & follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply. :flowers:
Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.

#3 nhdon
  • Topic Starter

  • Members
  • 13 posts

Posted 23 July 2006 - 05:15 PM

Hi,
I have absolutely no idea how I got this infected; it just happened :thumbsup:. I downloaded and ran AVG. It has a bunch of viruses in its vault that it says it can't heal; I don't know if I leave them there or delete them from the vault. I then rebooted. Installed combofix and ran it; it rebooted on its own. On reboot, I get:

"RUNDLL
Error Loading w05d6750.dll
The specified module could not be found."

Then ComboFix opened a notepad. Here is the log (by the way, I've gotten 5 popups while trying to type this!):
Start Time= Sun 07/23/2006 17:57:20.00
Running from: C:\Documents and Settings\us\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dfrddd
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkli
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{64A83EED-5E6A-43F9-A1DD-82B1EC95858E}]
@=""

[HKEY_CLASSES_ROOT\clsid\{64A83EED-5E6A-43F9-A1DD-82B1EC95858E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{64A83EED-5E6A-43F9-A1DD-82B1EC95858E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{64A83EED-5E6A-43F9-A1DD-82B1EC95858E}\InprocServer32]
@="C:\\WINDOWS\\system32\\pprfts.dll"
"ThreadingModel"="Apartment"

Granting sedebugprivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

17:57:56.46

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst



No infected Qoologic files found. Reg entries were fixed


(((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Prefetch\SSKUPDATER3.EXE-0A362600.pf
C:\WINDOWS\Prefetch\SSK.EXE-20EC298C.pf
C:\Documents and Settings\us\Local Settings\Temporary Internet Files\Ssk.log
C:\Documents and Settings\us\Application Data\Sskknwrd.dll
C:\Documents and Settings\us\Application Data\Sskcwrd.dll
C:\Documents and Settings\us\DoctorWeb\Quarantine\Ssk____1.exe
C:\Documents and Settings\us\DoctorWeb\Quarantine\Ssk____2.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



18:00:17.70
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\dfndred_7.exe
C:\kybrded_7.exe
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\uninstall_nmon.vbs
C:\Program Files\network monitor
C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))



2006-07-23 17:38 880,516 C:\WINDOWS\system32\ilkkj.bak2
2006-07-23 17:38 17,750 C:\WINDOWS\system32\ovqnrure.exe
2006-07-23 17:38 12,288 C:\WINDOWS\system32\drivers\dp.sys
2006-07-23 17:37 235,081 C:\WINDOWS\system32\dnl8013ue.dll
2006-07-23 17:37 234,250 C:\WINDOWS\system32\ukbmon.dll
2006-07-23 17:37 1,063 C:\WINDOWS\system32\lggdc2c2.sys
2006-07-23 17:03 17,750 C:\WINDOWS\system32\hesalkvf.exe
2006-07-23 09:59 234,250 C:\WINDOWS\system32\ayledit.dll
2006-07-23 09:52 776,096 C:\WINDOWS\system32\drivers\avg7core.sys
2006-07-23 09:52 4,288 C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-07-23 09:52 27,776 C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-07-23 09:52 23,424 C:\WINDOWS\system32\drivers\avgmfrs.sys
2006-07-23 09:52 <DIR> C:\Program Files\grisoft
2006-07-23 09:52 <DIR> C:\Documents and Settings\us\Application Data\avg7
2006-07-23 09:20 42,736 C:\WINDOWS\icont.exe
2006-07-23 09:04 410 C:\WINDOWS\pjhsh.dll
2006-07-23 07:39 17,750 C:\WINDOWS\system32\eandikcy.exe
2006-07-23 07:38 36,864 C:\WINDOWS\thiselt.exe
2006-07-23 07:38 28,672 C:\WINDOWS\system32ftuninst.exe
2006-07-23 07:38 28,672 C:\WINDOWS\system32\hvzead7v.exe
2006-07-23 07:38 28,672 C:\WINDOWS\system32\ftuninst.exe
2006-07-23 07:38 234,248 C:\WINDOWS\tagasuarus2.exe
2006-07-23 07:38 226 C:\WINDOWS\em06y.ini
2006-07-23 07:38 208,896 C:\WINDOWS\system32\v199.dll
2006-07-23 06:38 236,666 C:\WINDOWS\system32\sibiop.dll
2006-07-23 06:30 17,750 C:\WINDOWS\system32\sbhqfagg.exe
2006-07-23 05:30 61,440 C:\WINDOWS\system32\lggdc2c2.dll
2006-07-23 05:03 49 C:\WINDOWS\nerodigital.ini
2006-07-23 01:33 77,824 C:\WINDOWS\system32\vundofix.exe
2006-07-23 00:49 32,976 C:\WINDOWS\system32\uninsticn.exe
2006-07-23 00:49 235,134 C:\WINDOWS\srvnejyuvn.exe
2006-07-23 00:49 184,829 C:\WINDOWS\srvqollmnf.exe
2006-07-23 00:48 232,749 C:\WINDOWS\pf78.exe
2006-07-23 00:48 17,750 C:\WINDOWS\system32\mwnajegu.exe
2006-07-23 00:04 45,056 C:\WINDOWS\system32tfthot.exe
2006-07-22 23:15 397,312 C:\WINDOWS\cfg32p.dll
2006-07-22 20:07 17,750 C:\WINDOWS\system32\ypwohmkn.exe
2006-07-22 20:04 17,750 C:\WINDOWS\system32\hapmrmdm.exe
2006-07-22 20:00 <DIR> C:\Documents and Settings\us\Application Data\m?crosoft.net (mcroso~1.net)
2006-07-22 19:57 17,750 C:\WINDOWS\system32\qgageutj.exe
2006-07-22 19:47 48,167 C:\WINDOWS\system32\vsl05.exe
2006-07-22 19:47 38,412 C:\WINDOWS\ssqbn.exe
2006-07-22 19:47 33,012 C:\WINDOWS\system32\tpuninstall.exe
2006-07-22 19:47 17,750 C:\WINDOWS\system32\fqoflhar.exe
2006-07-22 19:47 1,057 C:\WINDOWS\system32\w01dc2c1.ini
2006-07-22 19:47 <DIR> C:\Program Files\tclock
2006-07-22 19:47 <DIR> C:\Program Files\partypoker
2006-07-22 19:47 <DIR> C:\Program Files\inetget2
2006-07-22 19:47 <DIR> C:\Program Files\batty
2006-07-22 19:46 29,696 C:\WINDOWS\system32\w05d486e.dll
2006-07-22 19:46 242,230 C:\siteerror.exe
2006-07-22 19:46 235,134 C:\WINDOWS\srvvymhkfa.exe
2006-07-22 19:46 184,829 C:\WINDOWS\srvybhmdgt.exe
2006-07-22 19:46 <DIR> C:\Program Files\siteerror search
2006-07-22 19:46 <DIR> C:\Program Files\pshope
2006-07-22 19:46 <DIR> C:\Program Files\Common Files\ikwz
2006-07-22 19:45 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-22 19:45 347 C:\WINDOWS\mm06y.ini
2006-07-22 19:45 0 C:\Documents and Settings\us\Application Data\internaldb41.dat
2006-07-22 19:45 <DIR> C:\WINDOWS\??curity (curity~1)
2006-07-22 19:45 <DIR> C:\Program Files\Common Files\{3e14057e-0c7a-1033-0809-040116040001}
2006-07-22 19:44 45,056 C:\WINDOWS\system32\tfthot.exe
2006-07-22 19:44 208,896 C:\WINDOWS\system32\x3cqp0.dll
2006-07-22 19:44 <DIR> C:\WINDOWS\system32\??stem32 (stem32~1)
2006-07-22 18:06 17,750 C:\WINDOWS\system32\hgwpavam.exe
2006-07-22 07:50 17,750 C:\WINDOWS\system32\doneorwb.exe
2006-07-21 21:32 17,750 C:\WINDOWS\system32\lxkpitbw.exe
2006-07-21 18:44 17,750 C:\WINDOWS\system32\gjimuiqp.exe
2006-07-12 20:20 <DIR> C:\Documents and Settings\us\Application Data\expensable
2006-07-12 01:22 <DIR> C:\Program Files\sarah michelle gellar solitaire v1.01
2006-07-09 15:30 85 C:\WINDOWS\ifolder.ini
2006-07-09 15:30 424 C:\WINDOWS\tscfm.ini
2006-07-09 15:30 109 C:\WINDOWS\tsnv_i2c.ini
2006-07-09 15:30 1,070 C:\WINDOWS\tsctv.ini
2006-07-09 15:28 20,947 C:\WINDOWS\tsctvfm.ini
2006-07-09 15:28 2,336 C:\WINDOWS\tsctndbg.ini
2006-07-03 10:53 1,142,784 C:\WINDOWS\system32\bdpn.exe
2006-07-02 14:51 597,727 C:\WINDOWS\system32\ilkkj.ini
2006-07-01 21:20 <DIR> C:\Program Files\hijackthis
2006-06-29 10:07 61,440 C:\WINDOWS\system32\battyrun.dll
2006-06-27 08:02 767,396 C:\WINDOWS\system32\ilkkj.bak1
2006-06-27 08:01 569,396 C:\WINDOWS\system32\jkkli.dll
2006-06-21 18:38 235,228 C:\WINDOWS\system32\icon_mediamotor.exe
2006-06-21 18:38 115,239 C:\WINDOWS\system32\ts_mediamotor.exe
2006-06-20 20:55 389,120 C:\WINDOWS\system32\nodeipproc.dll
2006-06-18 17:25 82 C:\WINDOWS\tswave.ini
2006-06-13 17:48 <DIR> C:\Program Files\executive software
2006-06-13 17:07 <DIR> C:\Documents and Settings\us\Application Data\yahoo!
2006-06-13 16:40 151 C:\WINDOWS\ulead32.ini
2006-05-28 22:33 <DIR> C:\Program Files\Common Files\nsv
2006-05-28 20:49 <DIR> C:\Program Files\winamp
2006-05-25 01:22 53,248 C:\WINDOWS\bdoscandel.exe
2006-05-23 19:56 12,813 C:\WINDOWS\system32\vtutt.dll


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-23 17:38 17,750 C:\WINDOWS\system32\ovqnrure.exe
2006-07-23 17:37 235,081 C:\WINDOWS\system32\dnl8013ue.dll
2006-07-23 17:37 234,250 C:\WINDOWS\system32\ukbmon.dll
2006-07-23 17:03 17,750 C:\WINDOWS\system32\hesalkvf.exe
2006-07-23 09:59 234,250 C:\WINDOWS\system32\ayledit.dll
2006-07-23 07:39 17,750 C:\WINDOWS\system32\eandikcy.exe
2006-07-23 07:38 36,864 C:\WINDOWS\thiselt.exe
2006-07-23 07:38 28,672 C:\WINDOWS\System32ftuninst.exe
2006-07-23 07:38 28,672 C:\WINDOWS\system32\hvzead7v.exe
2006-07-23 07:38 28,672 C:\WINDOWS\system32\ftuninst.exe
2006-07-23 07:38 234,248 C:\WINDOWS\Tagasuarus2.exe
2006-07-23 07:38 226 C:\WINDOWS\em06y.ini
2006-07-23 07:38 208,896 C:\WINDOWS\system32\v199.dll
2006-07-23 07:38 1,142,784 C:\WINDOWS\system32\bdpn.exe
2006-07-23 06:38 236,666 C:\WINDOWS\system32\sibiop.dll
2006-07-23 06:30 17,750 C:\WINDOWS\system32\sbhqfagg.exe
2006-07-23 05:45 42,736 C:\WINDOWS\icont.exe
2006-07-23 05:30 61,440 C:\WINDOWS\system32\lggdc2c2.dll
2006-07-23 00:48 235,134 C:\WINDOWS\srvnejyuvn.exe
2006-07-23 00:48 184,829 C:\WINDOWS\srvqollmnf.exe
2006-07-23 00:48 17,750 C:\WINDOWS\system32\mwnajegu.exe
2006-07-22 23:15 397,312 C:\WINDOWS\cfg32p.dll
2006-07-22 20:07 17,750 C:\WINDOWS\system32\ypwohmkn.exe
2006-07-22 20:04 17,750 C:\WINDOWS\system32\hapmrmdm.exe
2006-07-22 19:57 17,750 C:\WINDOWS\system32\qgageutj.exe
2006-07-22 19:47 48,167 C:\WINDOWS\system32\VSL05.exe
2006-07-22 19:47 38,412 C:\WINDOWS\ssqbn.exe
2006-07-22 19:47 17,750 C:\WINDOWS\system32\fqoflhar.exe
2006-07-22 19:47 1,057 C:\WINDOWS\system32\w01dc2c1.ini
2006-07-22 19:46 33,012 C:\WINDOWS\system32\tpuninstall.exe
2006-07-22 19:46 29,696 C:\WINDOWS\system32\w05d486e.dll
2006-07-22 19:46 242,230 C:\siteError.exe
2006-07-22 19:46 235,134 C:\WINDOWS\srvvymhkfa.exe
2006-07-22 19:46 184,829 C:\WINDOWS\srvybhmdgt.exe
2006-07-22 19:46 1,063 C:\WINDOWS\system32\lggdc2c2.sys
2006-07-22 19:45 410 C:\WINDOWS\pjhsh.dll
2006-07-22 19:45 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-22 19:45 347 C:\WINDOWS\mm06y.ini
2006-07-22 19:45 32,976 C:\WINDOWS\system32\uninstIcn.exe
2006-07-22 19:45 232,749 C:\WINDOWS\pf78.exe
2006-07-22 19:44 45,056 C:\WINDOWS\System32tfthot.exe
2006-07-22 19:44 45,056 C:\WINDOWS\system32\tfthot.exe
2006-07-22 19:44 208,896 C:\WINDOWS\system32\x3cqp0.dll
2006-07-22 18:06 17,750 C:\WINDOWS\system32\hgwpavam.exe
2006-07-22 07:50 17,750 C:\WINDOWS\system32\doneorwb.exe
2006-07-21 21:32 17,750 C:\WINDOWS\system32\lxkpitbw.exe
2006-07-21 18:44 17,750 C:\WINDOWS\system32\gjimuiqp.exe
2006-07-12 01:20 69,632 C:\WINDOWS\system32\GkSui18.EXE
2006-07-03 00:58 77,824 C:\WINDOWS\system32\VundoFix.exe
2006-07-03 00:55 597,727 C:\WINDOWS\system32\ilkkj.ini
2006-06-29 22:48 880,516 C:\WINDOWS\system32\ilkkj.bak2
2006-06-29 10:07 61,440 C:\WINDOWS\system32\BattyRun.dll
2006-06-27 08:02 767,396 C:\WINDOWS\system32\ilkkj.bak1
2006-06-27 08:01 569,396 C:\WINDOWS\system32\jkkli.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"shicoxp"="C:\\WINDOWS\\shicoxp.exe"
"Ulead Photo Express Calendar Checker"="C:\\Program Files\\Ulead Systems\\Ulead Photo Express My Scrapbook 2.0\\calcheck.exe"
"LapLink Scheduler"="\"C:\\Program Files\\Common Files\\LapLink\\Scheduler\\LLSCHED.EXE\""
"AtariBanner"="\"C:\\Program Files\\Infogrames\\Atari Anniversary Edition\\Volume 2\\Banner.exe\" /0"
"QuickFinder Scheduler"="\"C:\\Program Files\\WordPerfect Office 11\\Programs\\QFSCHD110.EXE\""
"PowerS"="C:\\WINDOWSPowerS.exe"
"WinDVR SchSvr"="\"C:\\Program Files\\Common Files\\InterVideo\\SchSvr\\SchSvr.exe\""
"Bjwzwt"="C:\\Program Files\\Yeus\\Xuqpzko.exe"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"LXBXCATS"="rundll32 C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\LXBXtime.dll,_RunDLLEntry@16"
"lxbxmon.exe"="\"C:\\Program Files\\Lexmark 7100 Series\\lxbxmon.exe\""
"FaxCenterServer4_in_1"="\"C:\\Program Files\\Lexmark 7100 Series\\fm3032.exe\" /s"
"EzPrint"="\"C:\\Program Files\\Lexmark 7100 Series\\ezprint.exe\""
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"lggdc2c2"="RUNDLL32.EXE w05d486e.dll,n 001dc2c10000000305d486e"
"w05d6750.dll"="RUNDLL32.EXE w05d6750.dll,I2 001dc2c1005d6750"
"pop06apelt"="C:\\WINDOWS\\thiselt.exe"
"kSPYv"="\"C:\\WINDOWS\\System32\\bdpn.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
"CAS2"="\"C:\\Program Files\\System Files\\System.exe\""
"TClock.exe"="C:\\Program Files\\TClock\\tclock_install.exe"
"Cas2Stub"="C:\\Program Files\\Cas2Stub\\cas2stub.exe -run"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
@=""
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{3E14057E-0C7A-1033-0809-040116040001}"="\"C:\\Program Files\\Common Files\\{3E14057E-0C7A-1033-0809-040116040001}\\Update.exe\" mc-110-12-0000103"
"odbdyc"="C:\\WINDOWS\\System32\\odbdyc.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\podowimy.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Common Files\\mebe.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\America Online 9.0 Tray Icon.lnk"
"backup"="C:\\WINDOWS\\pss\\America Online 9.0 Tray Icon.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\AMERIC~1.0\\aoltray.exe -check"
"item"="America Online 9.0 Tray Icon"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Billminder.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Billminder.lnk"
"backup"="C:\\WINDOWS\\pss\\Billminder.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Quicken\\billmind.exe -startup"
"item"="Billminder"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Lifeline.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Digital Lifeline.lnk"
"backup"="C:\\WINDOWS\\pss\\Digital Lifeline.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\DIGITA~1\\bin\\mpbtn.exe -boot"
"item"="Digital Lifeline"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak EasyShare software.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak EasyShare software.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak EasyShare software.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKE~1\\bin\\EASYSH~1.EXE -h"
"item"="Kodak EasyShare software"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Kodak software updater.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Kodak software updater.lnk"
"backup"="C:\\WINDOWS\\pss\\Kodak software updater.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Kodak\\KODAKS~1\\7288971\\Program\\KODAKS~1.EXE "
"item"="Kodak software updater"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Personal Coach.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Personal Coach.lnk"
"backup"="C:\\WINDOWS\\pss\\Personal Coach.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\BRODER~1\\MAVISB~1\\MINIMA~1.EXE main"
"item"="Personal Coach"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Video Professor Free Lesson.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Video Professor Free Lesson.lnk"
"backup"="C:\\WINDOWS\\pss\\Video Professor Free Lesson.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\lesson\\FREELE~1.EXE "
"item"="Video Professor Free Lesson"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^us^Start Menu^Programs^Startup^OpenOffice.org 1.0.lnk]
"path"="C:\\Documents and Settings\\us\\Start Menu\\Programs\\Startup\\OpenOffice.org 1.0.lnk"
"backup"="C:\\WINDOWS\\pss\\OpenOffice.org 1.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\OPENOF~1.0\\program\\QUICKS~1.EXE "
"item"="OpenOffice.org 1.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdTools Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdTools"
"hkey"="HKLM"
"command"="C:\\Program Files\\AdTools Service\\AdTools.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSP Scheduler"
"hkey"="HKLM"
"command"="\"C:\\PROGRA~1\\COMMON~1\\AOL\\AOLSPY~1\\AOLSP Scheduler.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Atari Launcher 2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Atari icon"
"hkey"="HKLM"
"command"="C:\\Program Files\\Infogrames\\Atari Anniversary Edition\\Volume 2\\Atari icon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NovaBackup 7.0 Tray Control]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NbkCtrl"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\NovaStor\\NovaBackup\\7\\NbkCtrl.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ysbinstall_1002648_3.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ysbinstall_1002648_3"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\ysbinstall_1002648_3.exe"
"inimapping"="0"



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\ISP signup reminder 2.job

Completion time: Sun 07/23/2006 18:00:26.42
ComboFix ver 06.07.22 - This logfile is located at C:\ComboFix.txt

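Added example, not part of nhdon's post and not code from ComboFix, SmitfraudFix or Ewido: a small Python parser for the regedit-style dump ComboFix prints. It lists Run-key autostarts from every hive, the msconfig\startupreg entries (items unchecked in msconfig, whose files are still on disk) and the Active Desktop components, then flags the two patterns visible in the log above: a desktop component whose Source is a local HTML file instead of About:Home (the hijacked desktop background that the SmitfraudFix registry clean removes) and autostart executables dropped straight into the System32 root (odbdyc.exe, ysbinstall_1002648_3.exe). SAMPLE_DUMP is a constructed excerpt modelled on the posted log, and SYSTEM32_ALLOW is an assumed allowlist, not a vetted one.

```python
"""Parse a ComboFix / regedit-style registry dump and flag autostart patterns.
Added example for this thread, not code from ComboFix, SmitfraudFix or Ewido."""
import re
from collections import namedtuple

# Constructed excerpt modelled on the ComboFix dump posted above (not the full log).
SAMPLE_DUMP = r'''
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"{3E14057E-0C7A-1033-0809-040116040001}"="\"C:\\Program Files\\Common Files\\{3E14057E-0C7A-1033-0809-040116040001}\\Update.exe\" mc-110-12-0000103"
"odbdyc"="C:\\WINDOWS\\System32\\odbdyc.exe"
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\MSN Gaming Zone\\podowimy.html"
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ysbinstall_1002648_3.exe]
"item"="ysbinstall_1002648_3"
"command"="C:\\WINDOWS\\System32\\ysbinstall_1002648_3.exe"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
# Executable of a Run-style command: optional opening quote, then up to the first
# .exe/.dll/... that is followed by a quote, whitespace or end of line.
EXE_RE = re.compile(r'^"?(.*?\.(?:exe|dll|cmd|bat|scr|com))(?:"|\s|$)', re.I)
SYSTEM32_ROOT = re.compile(r'^[a-z]:\\windows\\system32\\[^\\]+$', re.I)
# Assumed allowlist of XP pieces that legitimately autostart from the System32 root;
# build the real list from a known-good machine and inspect rundll32 arguments by hand.
SYSTEM32_ALLOW = {'ctfmon.exe'}
# disabled=True: an msconfig\startupreg backup, unchecked in msconfig but still on disk.
Autostart = namedtuple('Autostart', 'key name command disabled')


def _unescape(s):
    """regedit escapes backslash and double quote with a backslash."""
    return re.sub(r'\\(["\\])', r'\1', s)


def parse_reg_dump(text):
    """Return {key_path: {value_name: (kind, value)}}; kind is 'sz', 'dword' or 'hex'."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:  # hex: value continued on the next line with a trailing '\'
            name, acc = pending
            acc += line.rstrip('\\')
            pending = (name, acc) if line.endswith('\\') else None
            if pending is None:
                keys[current][name] = ('hex', bytes.fromhex(acc.replace(',', '')))
            continue
        if line.startswith('[') and line.endswith(']'):
            keys.setdefault(current := line[1:-1], {})
            continue
        m = VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, rest = _unescape(m.group(1)), m.group(2)
        if len(rest) >= 2 and rest[0] == rest[-1] == '"':
            keys[current][name] = ('sz', _unescape(rest[1:-1]))
        elif rest.startswith('dword:'):
            keys[current][name] = ('dword', int(rest[6:], 16))
        elif rest.startswith('hex:') and rest.endswith('\\'):
            pending = (name, rest[4:-1])
        elif rest.startswith('hex:'):
            keys[current][name] = ('hex', bytes.fromhex(rest[4:].replace(',', '')))
    return keys


def exe_path(command):
    """Best-effort executable extraction from a Run-style command line."""
    m = EXE_RE.match(command.strip())
    return m.group(1) if m else command.strip().split(' ')[0]


def autostart_entries(keys):
    """Run/RunOnce values from every hive plus msconfig-disabled startupreg items."""
    out = []
    for key, values in keys.items():
        low = key.lower()
        if low.endswith(('\\currentversion\\run', '\\currentversion\\runonce')):
            out += [Autostart(key, n, v, False) for n, (k, v) in values.items() if k == 'sz']
        elif '\\msconfig\\startupreg\\' in low and values.get('command', ('', ''))[1]:
            out.append(Autostart(key, values.get('item', ('', ''))[1], values['command'][1], True))
    return out


def suspicious(keys):
    """Flag local-HTML Active Desktop components and autostarts run from the System32 root."""
    findings = []
    for key, values in keys.items():
        if re.search(r'\\desktop\\components\\\d+$', key, re.I) and 'Source' in values:
            src = values['Source'][1]
            if not src.lower().startswith(('about:', 'http:', 'https:')):
                findings.append(('active-desktop-local-html', key, src))
    for e in autostart_entries(keys):
        exe = exe_path(e.command)
        if SYSTEM32_ROOT.match(exe) and exe.rsplit('\\', 1)[-1].lower() not in SYSTEM32_ALLOW:
            findings.append(('autostart-in-system32-root', e.key, exe))
    return findings
```

Run it against the full C:\ComboFix.txt by passing the file's contents to parse_reg_dump instead of SAMPLE_DUMP. Two caveats: the System32-root check is a triage heuristic (XP's own ctfmon.exe lives there, and rundll32.exe lines hide the real payload in the DLL argument), and an entry under msconfig\startupreg is only unchecked in msconfig, so the file it points at still needs to be removed or it can be re-enabled with one click.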

#4 Rawe (Members, 2,363 posts, Location: Finland)

Posted 24 July 2006 - 04:00 AM

Let's continue. :thumbsup:

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download SmitfraudFix S!Ri
Extract the content (a folder named SmitfraudFix) to your Desktop.

Do NOT do anything with it yet!

---

Please download Ewido Anti-spyware and save that file to your desktop.
This is a 30 day trial of the program
  • Once you have downloaded Ewido Anti-spyware, locate the icon on the desktop and double-click it to launch the setup program.
  • Once the setup is complete you will need run Ewido and update the definition files.
  • On the main screen select the icon "Update" then select the "Update now" link.
    • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    • If you aren't able to finish the update within Ewido for one reason or another, you can install the manual updates here.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-select "Only if threats were found"
Close Ewido Anti-spyware, DO NOT run a scan just yet, we will shortly.

---

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.


---

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

Do NOT reboot yet.

----

Then Ewido..
  • IMPORTANT: Do not open any other windows or programs while Ewido is scanning; it may interfere with the scanning process.
  • Launch Ewido Anti-spyware by double-clicking the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
  • Ewido will now begin the scanning process, be patient this may take a little time.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted; then select "Apply all actions".
  • Next select the "Reports" icon at the top.
  • Select the "Save report as" button in the lower left-hand corner of the screen and save it to a text file on your system (make sure to remember where you saved that file; this is important).
  • Close Ewido.
---

Now please reboot into Normal Windows.

A text file will appear onscreen with results from the cleaning process; post that log here (the report can also be found at the root of the system drive, usually at C:\rapport.txt) along with the Ewido results in your next reply.

Then rename HijackThis.exe to Scan.exe or something similar and post back with a log from the renamed file.

Send:

- a fresh HijackThis log

- Contents of the C:\rapport.txt

- The Ewido Anti-spyware results


You might need to post a few replies to get all the logs posted.:flowers:

Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Hi there, stranger!

#5 Rawe (Members, 2,363 posts, Location: Finland)

Posted 02 August 2006 - 02:05 PM

Due to lack of feedback, this thread has been closed. If you're the original poster and need this Topic reopened, please PM a Staff member with the address of this thread.
