Viral Infection


19 replies to this topic

#1 Zen00

Zen00

  • Members
  • 80 posts
  • Gender:Male
  • Location:Missouri

Posted 03 August 2006 - 08:32 PM

I've deleted these things five ways from Sunday, and used five of the self-help guides to do it, but it keeps coming back. So I've made this log and hope it can help you. If you need anything else, just tell me. :thumbsup:

Viruses catalogued so far: Toolbar 888, spyquake, Windows Integrity Scan Wizard (and various variants), pop-ups, and a slew of others.

PS: Hate your brothers, they do this. :flowers:

Logfile of HijackThis v1.99.1
Scan saved at 8:27:24 PM, on 8/3/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\e0d4ecd4.exe
C:\WINDOWS\thiselt.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\ms0614846-11991.exe
C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SMBOLS~1\userinit.exe
C:\DOCUME~1\Grant\APPLIC~1\SSEMBL~1\explorer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
O1 - Hosts: 69.60.124.19 L2authd.lineage2.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iqh30f52] RUNDLL32.EXE w0184b8b.dll,n 00230f500000000a0184b8b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [e0d4ecd4.exe] C:\WINDOWS\system32\e0d4ecd4.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKLM\..\Run: [ms0614846-11991] C:\WINDOWS\ms0614846-11991.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [e0d4ecd4.exe] C:\Documents and Settings\Grant\Local Settings\Application Data\e0d4ecd4.exe
O4 - HKCU\..\Run: [Oror] "C:\PROGRA~1\COMMON~1\SMBOLS~1\userinit.exe" -vt yazr
O4 - HKCU\..\Run: [Lqy] C:\DOCUME~1\Grant\APPLIC~1\SSEMBL~1\explorer.exe
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm473YYUS
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - AppInit_DLLs: repairs303169590.dll,lsass.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
This space will eventually have something very cool to fill it up, but not right now.
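The log above is in HijackThis v1.99.1 line format: a type code (R0, R1, O1, O4, O15, O20, O23, ...), a separator, and a body whose layout depends on the type. As an added example, not code from the thread or from HijackThis itself, the Python below parses lines in that format and applies the generic review heuristics a helper applies by hand when reading such a log: hosts-file overrides (O1), Trusted Zone additions (O15), AppInit_DLLs (O20), and Run-key entries (O4) that launch a system-binary name from outside the Windows directories, run straight out of C:\WINDOWS or a user profile, or have a machine-generated-looking file name. The sample lines are copied from the log in the post; the SYSTEM_NAMES and SYSTEM_DIRS lists and the name heuristic are assumptions of this example, and a hit means "a human should look at this entry", not a verdict on any file.

```python
import re
from typing import Dict, List

# Constructed sample: entries in HijackThis v1.99 line format, copied from
# the log posted above. The rules below are generic review heuristics a
# helper applies by hand; a hit means "look at this entry", not a verdict.
SAMPLE_LOG = r"""
O1 - Hosts: 69.60.124.19 L2authd.lineage2.com
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [e0d4ecd4.exe] C:\WINDOWS\system32\e0d4ecd4.exe
O4 - HKLM\..\Run: [pop06apelt] C:\WINDOWS\thiselt.exe
O4 - HKCU\..\Run: [Oror] "C:\PROGRA~1\COMMON~1\SMBOLS~1\userinit.exe" -vt yazr
O4 - HKCU\..\Run: [Lqy] C:\DOCUME~1\Grant\APPLIC~1\SSEMBL~1\explorer.exe
O4 - HKLM\..\Run: [iqh30f52] RUNDLL32.EXE w0184b8b.dll,n 00230f500000000a0184b8b
O15 - Trusted Zone: *.elitemediagroup.net
O20 - AppInit_DLLs: repairs303169590.dll,lsass.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")

# Assumed lists for the heuristics (not from HijackThis): binaries that
# normally live only in the Windows directories, and those directories.
SYSTEM_NAMES = {"explorer.exe", "userinit.exe", "svchost.exe", "lsass.exe",
                "winlogon.exe", "services.exe", "csrss.exe", "smss.exe"}
SYSTEM_DIRS = {"c:\\windows\\", "c:\\windows\\system32\\"}


def command_target(cmd: str) -> str:
    """Return the program a Run-value command launches (quoted or bare path)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(.*?\.(?:exe|dll|scr|com))(?:\s|$)", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]


def looks_generated(stem: str) -> bool:
    """Names like e0d4ecd4 or iqh30f52: pure hex, or letters and digits interleaved."""
    s = stem.lower()
    if re.fullmatch(r"[0-9a-f]{8,}", s):
        return True
    runs = re.findall(r"[a-z]+|[0-9]+", s)   # alternating letter/digit runs
    return len(runs) >= 4


def review_run_command(cmd: str) -> List[str]:
    """Heuristics for an O4 (Run key) command line."""
    reasons: List[str] = []
    target = command_target(cmd)
    low = target.lower()
    name = low.rsplit("\\", 1)[-1]
    directory = low[: len(low) - len(name)]
    stem = name.rsplit(".", 1)[0]
    if name in SYSTEM_NAMES and directory not in SYSTEM_DIRS:
        reasons.append(f"{name} carries a Windows system binary name but runs from "
                       f"{directory or '(no path given)'}")
    if directory == "c:\\windows\\":
        reasons.append("executable sits directly in the Windows directory, not a program folder")
    if "\\docume~1\\" in directory or "\\documents and settings\\" in directory:
        reasons.append("executable runs from a user profile directory")
    if looks_generated(stem):
        reasons.append(f"file name {name} looks machine-generated")
    if name.startswith("rundll32"):
        # rundll32 <dll>,<entry point> ...: inspect the DLL it is told to load
        dll = cmd[len(target):].strip().split(",", 1)[0]
        if looks_generated(dll.rsplit(".", 1)[0]):
            reasons.append(f"rundll32 loads {dll}, whose name looks machine-generated")
    return reasons


def review_entry(line: str) -> List[str]:
    """Review reasons for one HijackThis line; an empty list means nothing noteworthy."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []
    kind, body = m.group("kind"), m.group("body")
    if kind == "O1":
        return ["hosts-file entry pins a hostname to a fixed address (bypasses DNS)"]
    if kind == "O15":
        return ["site added to the IE Trusted Zone, which relaxes browser security for it"]
    if kind == "O20":
        return ["AppInit_DLLs loads these DLLs into every user-mode process"]
    if kind == "O4":
        o4 = O4_RE.match(body)
        return review_run_command(o4.group("cmd")) if o4 else []
    return []


def triage(log_text: str) -> Dict[str, List[str]]:
    """Map each flagged log line to its review reasons, in log order."""
    findings: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        reasons = review_entry(line)
        if reasons:
            findings[line.strip()] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(entry)
        for reason in reasons:
            print("    ->", reason)
```

Run as a script it lists the eight flagged sample lines with their reasons, and leaves the vendor entries (HP, ATI, the HPZ12 service) unflagged. The heuristics deliberately err toward flagging for review rather than deciding: a helper still checks each hit against the running-process list and the ComboFix file timestamps before deciding what to remove.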

#2 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 04 August 2006 - 04:55 AM

Hello Zen00 and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) You are missing one important program on that computer - an antivirus!
This is somewhat suicidal in today's digital world.
You need to install an antivirus program as soon as you can and run a complete scan of the computer.
AVG and Avast are excellent, free antivirus programs.
Never install more than one antivirus on your system - several together can cause problems and decrease performance.

2) Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

3) Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Read here how to unzip/extract properly:
http://metallica.geekstogo.com/xpcompressedexplanation.html
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to the 'scriptfile to execute' window you'll see a little icon as shown in the next picture: Posted Image
When you click that icon, a little window will open that says: 'Please enter the full URL to the script you want to execute'
In the field, copy and paste the following URL:

http://metallica.geekstogo.com/alcanshorty.bfu

Click Ok.
Then click execute in Brute Force Uninstaller.

Extra note:
If nothing happens after pressing the Execute button, this means that the script didn't download. In that case, download the script ( alcanshorty.bfu ) manually from the above URL ( right-click on it and choose 'save as' and save it in your BFU folder). Then start BFU.exe again and click the browse button next to the 'scriptfile to execute' window.
Browse to the script you downloaded and click Ok and Execute in Brute Force Uninstaller.


Wait for the complete script execution box to popup and press OK.
Press exit to terminate the BFU program.

4) Download Combofix to your desktop.
Double-click combo.exe
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Also post the uninstaller list.

David

#3 Zen00

Zen00
  • Topic Starter

  • Members
  • 80 posts
  • Gender:Male
  • Location:Missouri

Posted 04 August 2006 - 02:38 PM

All right, here's my stuff. I downloaded avast! and ran that, then I did the HijackThis log, but for some reason there is no notepad page opening after saving like you said; instead the program exits and nothing else happens. After that I used Brute Force Uninstaller and then ComboFix. The ComboFix log is posted first, then the HijackThis log.



Start Time= Fri 08/04/2006 14:27:44.76
Running from: C:\Downloads

(((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Grant\Application Data\Sskdmns.dll
C:\Documents and Settings\Grant\Local Settings\Temporary Internet Files\Ssk.log
C:\Program Files\SimTheme Park\data\levels\fantasy\ssky
C:\Program Files\SimTheme Park\data\levels\hallow\ssky
C:\Program Files\SimTheme Park\data\levels\jungle\ssky
C:\Program Files\SimTheme Park\data\levels\space\ssky
C:\RECYCLER\S-1-5-21-1659004503-813497703-682003330-500\Dc1\SskCore.dll
C:\WINDOWS\Prefetch\SSK.EXE-20EC298C.pf
C:\WINDOWS\Prefetch\SSKUPDATER3.EXE-32506128.pf


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



14:31:01.42
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-04 13:17:42 ( .D... ) "C:\Program Files\Alwil Software"
2006-08-04 13:07:50 125 ( A.... ) "C:\WINDOWS\gywmi.dll"
2006-08-03 19:55:40 10752 ( A.... ) "C:\WINDOWS\system32\ismon.exe"
2006-08-03 19:17:48 175362 ( A.... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"
2006-08-03 19:17:10 57344 ( A.... ) "C:\WINDOWS\ddhb.exe"
2006-08-03 19:15:42 2 ( A.... ) "C:\WINDOWS\system32\wnstssu.exe"
2006-08-03 19:15:40 ( .D... ) "C:\Documents and Settings\Grant\Application Data\?ssembly"
2006-08-03 19:15:04 ( .D... ) "C:\Program Files\Common Files\s?mbols"
2006-08-03 19:14:38 40973 ( ..SH. ) "C:\WINDOWS\system32\urqqnom.dll"
2006-08-03 15:35:36 ( .D... ) "C:\Program Files\HijackThis"
2006-08-03 15:27:50 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-08-03 14:32:18 ( .D... ) "C:\Program Files\Roguescanfix"
2006-08-03 12:46:50 ( .D... ) "C:\Program Files\Steam"
2006-08-02 19:34:28 61952 ( A.... ) "C:\WINDOWS\system32\iqh30f52.dll"
2006-08-02 19:34:28 1167 ( A.... ) "C:\WINDOWS\system32\iqh30f52.sys"
2006-08-02 19:34:28 1167 ( A.... ) "C:\WINDOWS\system32\iqh30f52.sys"
2006-08-02 19:08:32 ( .D... ) "C:\Program Files\License_Manager"
2006-08-01 11:40:50 ( .D... ) "C:\Program Files\Activision"
2006-07-30 18:20:38 ( .D... ) "C:\Program Files\Microprose"
2006-07-30 18:19:12 ( .D... ) "C:\Program Files\VentSrv"
2006-07-30 13:51:16 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Ahead"
2006-07-30 13:43:36 ( .D... ) "C:\Program Files\Photo Story 3 for Windows"
2006-07-29 21:20:26 ( .D... ) "C:\Program Files\MAIET"
2006-07-28 15:04:10 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-28 15:00:36 ( .D... ) "C:\Program Files\Windows Defender"
2006-07-28 14:54:26 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Lavasoft"
2006-07-28 14:54:18 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-28 13:42:00 ( .D... ) "C:\Program Files\Common Files\Companion Wizard"
2006-07-28 11:39:54 ( .D... ) "C:\Program Files\Common Files\STOPzilla!"
2006-07-28 10:49:12 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Sun"
2006-07-28 09:36:10 573492 ( ..SH. ) "C:\WINDOWS\system32\mljjg.dll"
2006-07-28 09:24:30 ( .D... ) "C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}"
2006-07-28 09:24:20 40973 ( ..SH. ) "C:\WINDOWS\system32\ddcbbab.dll"
2006-07-27 21:53:08 ( .D... ) "C:\Program Files\Call of Duty Game of the Year Edition"
2006-07-26 10:49:34 ( .D... ) "C:\Program Files\Java"
2006-07-26 10:47:56 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-26 10:45:46 ( .D... ) "C:\Program Files\Azureus"
2006-07-26 10:36:58 ( .D... ) "C:\Program Files\BitTorrent"
2006-07-22 14:46:44 ( .D... ) "C:\Program Files\Sony"
2006-07-16 22:22:24 ( .D... ) "C:\Documents and Settings\Grant\Application Data\ScanSoft"
2006-07-16 22:18:58 ( .D... ) "C:\Program Files\Common Files\Scansoft Shared"
2006-07-16 22:11:58 ( .D... ) "C:\Program Files\ScanSoft"
2006-07-16 10:17:54 ( .D... ) "C:\Program Files\Shockwave.com"
2006-07-15 21:32:08 ( .D... ) "C:\Program Files\Foolish Entertainment"
2006-07-14 03:33:36 ( .D... ) "C:\Program Files\QuickTime"
2006-07-09 20:23:12 ( .D... ) "C:\Program Files\WinRAR"
2006-07-09 11:25:04 ( .D... ) "C:\Program Files\Common Files\HP"
2006-07-09 11:23:08 ( .D... ) "C:\Program Files\Hewlett-Packard"
2006-07-09 11:22:26 ( .D... ) "C:\Program Files\Common Files\Hewlett-Packard"
2006-07-09 11:17:50 ( .D... ) "C:\Program Files\HP"
2006-07-08 01:10:12 ( .D... ) "C:\Program Files\CCleaner"
2006-07-07 07:48:16 ( .D... ) "C:\Program Files\Infogrames Interactive"
2006-07-06 18:33:28 ( .D... ) "C:\Program Files\Ventrilo"
2006-07-06 18:33:18 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2006-07-05 19:38:02 ( .D... ) "C:\Program Files\GameSpy Arcade"
2006-07-05 19:35:14 ( .D... ) "C:\Program Files\America's Army Server Manager"
2006-07-05 19:31:56 ( .D... ) "C:\Program Files\America's Army"
2006-07-04 23:55:46 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Ventrilo"
2006-07-04 23:52:10 ( .D... ) "C:\Program Files\Lineage II"
2006-07-03 14:29:06 ( .D... ) "C:\Program Files\Firefly Studios"
2006-07-02 19:34:00 ( .D... ) "C:\Program Files\Anarchy"
2006-06-26 18:53:14 ( .D... ) "C:\Program Files\Microsoft Games"
2006-06-25 16:30:34 ( .D... ) "C:\Program Files\SimTheme Park"
2006-06-23 20:23:00 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Motive"
2006-06-23 09:28:56 5512704 ( ..... ) "C:\WINDOWS\system32\ieframe.dll"
2006-06-23 09:28:56 454144 ( ..... ) "C:\WINDOWS\system32\msfeeds.dll"
2006-06-23 09:28:56 413696 ( A.... ) "C:\WINDOWS\system32\vbscript.dll"
2006-06-23 09:28:56 223744 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
2006-06-23 09:28:56 179200 ( ..... ) "C:\WINDOWS\system32\ieui.dll"
2006-06-23 09:28:56 155648 ( A.... ) "C:\WINDOWS\system32\msls31.dll"
2006-06-23 09:28:56 47616 ( ..... ) "C:\WINDOWS\system32\msfeedsbs.dll"
2006-06-23 05:41:42 172544 ( ..... ) "C:\WINDOWS\system32\WinFXDocObj.exe"
2006-06-23 05:40:44 78848 ( A.... ) "C:\WINDOWS\system32\ieencode.dll"
2006-06-23 05:40:04 40960 ( A.... ) "C:\WINDOWS\system32\url.dll"
2006-06-23 05:39:52 39424 ( A.... ) "C:\WINDOWS\system32\licmgr10.dll"
2006-06-23 05:39:08 99328 ( A.... ) "C:\WINDOWS\system32\occache.dll"
2006-06-23 05:37:18 14336 ( A.... ) "C:\WINDOWS\system32\corpol.dll"
2006-06-23 05:34:30 228864 ( A.... ) "C:\WINDOWS\system32\ieaksie.dll"
2006-06-23 05:34:16 167936 ( A.... ) "C:\WINDOWS\system32\ieakeng.dll"
2006-06-23 05:34:06 81920 ( A.... ) "C:\WINDOWS\system32\admparse.dll"
2006-06-23 05:34:06 50688 ( A.... ) "C:\WINDOWS\system32\ie4uinit.exe"
2006-06-23 05:34:02 372736 ( A.... ) "C:\WINDOWS\system32\iedkcs32.dll"
2006-06-23 05:33:42 54272 ( A.... ) "C:\WINDOWS\system32\iesetup.dll"
2006-06-23 05:33:22 41984 ( A.... ) "C:\WINDOWS\system32\iernonce.dll"
2006-06-23 05:33:00 121856 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
2006-06-23 05:30:22 11776 ( ..... ) "C:\WINDOWS\system32\msfeedssync.exe"
2006-06-23 05:29:56 55296 ( ..... ) "C:\WINDOWS\system32\icardie.dll"
2006-06-23 05:29:22 35328 ( A.... ) "C:\WINDOWS\system32\imgutil.dll"
2006-06-23 05:27:56 251392 ( ..... ) "C:\WINDOWS\system32\iertutil.dll"
2006-06-23 05:26:52 45568 ( A.... ) "C:\WINDOWS\system32\mshta.exe"
2006-06-23 04:46:30 377856 ( ..... ) "C:\WINDOWS\system32\ieapfltr.dll"
2006-06-23 04:45:30 48640 ( A.... ) "C:\WINDOWS\system32\mshtmler.dll"
2006-06-23 04:41:42 172032 ( A.... ) "C:\WINDOWS\system32\ieakui.dll"
2006-06-20 10:29:30 139264 ( A.... ) "C:\WINDOWS\War3Unin.exe"
2006-06-20 09:46:40 ( .D... ) "C:\Program Files\GIMP-2.0"
2006-06-20 09:46:00 ( .D... ) "C:\Program Files\Common Files\GTK"
2006-06-20 09:31:24 ( .D... ) "C:\Program Files\Warcraft III"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-19 15:18:34 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"
2006-06-19 15:18:16 23552 ( ..... ) "C:\WINDOWS\system32\idndl.dll"
2006-06-19 15:18:16 20480 ( ..... ) "C:\WINDOWS\system32\normaliz.dll"
2006-06-19 13:38:26 ( .D... ) "C:\Documents and Settings\Grant\Application Data\teamspeak2"
2006-06-19 13:38:08 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Xfire"
2006-06-19 11:45:50 ( .DS.. ) "C:\Program Files\Xfire"
2006-06-19 11:28:08 ( .D... ) "C:\Program Files\Teamspeak2_RC2"
2006-06-18 21:10:34 ( .D... ) "C:\Program Files\Creative"
2006-06-18 20:52:06 ( .D... ) "C:\Program Files\Google"
2006-06-18 20:52:04 ( .D... ) "C:\Program Files\WinZip"
2006-06-18 20:16:42 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Macromedia"
2006-06-18 20:16:20 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Yahoo!"
2006-06-18 20:15:28 ( .D... ) "C:\Program Files\Common Files\Motive"
2006-06-18 20:15:18 ( .D... ) "C:\Program Files\SBC Self Support Tool"
2006-06-18 19:57:38 ( .D... ) "C:\Program Files\Yahoo!"
2006-06-18 19:54:58 ( .D... ) "C:\Program Files\BroadJump"
2006-06-18 18:29:48 ( .D... ) "C:\Program Files\EA GAMES"
2006-06-18 18:21:30 ( .D... ) "C:\Program Files\Common Files\Nero"
2006-06-18 18:20:30 ( .D... ) "C:\Program Files\Common Files\Ahead"
2006-06-18 18:20:28 ( .D... ) "C:\Program Files\Ahead"
2006-06-18 18:16:50 ( .D... ) "C:\Documents and Settings\Grant\Application Data\ATI"
2006-06-18 18:12:18 ( .D... ) "C:\Program Files\ATI Technologies"
2006-06-18 18:08:50 ( .D... ) "C:\Program Files\Realtek Sound Manager"
2006-06-18 18:08:48 ( .D... ) "C:\Program Files\AvRack"
2006-06-18 18:07:34 ( .D... ) "C:\Program Files\Marvell"
2006-06-18 18:05:48 ( .D... ) "C:\Program Files\Intel"
2006-06-18 18:05:06 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-06-18 18:05:02 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-06-18 17:46:50 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-06-18 17:46:44 ( .DS.. ) "C:\Documents and Settings\Grant\Application Data\Microsoft"
2006-06-18 17:41:48 ( .D... ) "C:\Program Files\xerox"
2006-06-18 17:41:48 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-06-18 17:41:30 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-06-18 17:40:10 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-06-18 17:39:12 ( .D... ) "C:\Program Files\Common Files\Services"
2006-06-18 17:39:08 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-06-18 17:38:56 ( .D... ) "C:\Program Files\Movie Maker"
2006-06-18 17:38:44 ( .D... ) "C:\Program Files\NetMeeting"
2006-06-18 17:38:42 ( .D... ) "C:\Program Files\Outlook Express"
2006-06-18 17:38:30 ( .D... ) "C:\Program Files\Common Files\System"
2006-06-18 17:38:28 ( .D... ) "C:\Program Files\Internet Explorer"
2006-06-18 17:37:58 ( .D... ) "C:\Program Files\ComPlus Applications"
2006-06-18 17:37:46 ( .D... ) "C:\Program Files\Windows Media Player"
2006-06-18 17:37:46 ( .D... ) "C:\Program Files\Online Services"
2006-06-18 17:37:40 ( .D... ) "C:\Program Files\Messenger"
2006-06-18 17:37:36 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-06-18 17:36:56 ( .D... ) "C:\Program Files\MSN"
2006-06-18 17:36:54 ( .D... ) "C:\Program Files\Windows NT"
2006-06-18 12:29:40 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-06-18 12:29:38 ( AD... ) "C:\Program Files\Common Files"
2006-06-18 12:29:38 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-06-18 12:29:38 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-06-18 12:29:10 62 ( A.SH. ) "C:\Documents and Settings\Grant\Application Data\desktop.ini"
2006-06-18 08:54:08 36864 ( A.... ) "C:\WINDOWS\system32\frapsvid.dll"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-31 04:02:04 624640 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2006-05-31 03:54:36 90112 ( A.... ) "C:\WINDOWS\system32\AVASTSS.scr"
2006-05-19 07:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-04 14:14 805,306,368 C:\pagefile.sys
2006-08-04 13:17 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-08-04 13:17 624,640 C:\WINDOWS\system32\aswBoot.exe
2006-08-03 20:29 125 C:\WINDOWS\gywmi.dll
2006-08-03 20:25 536,399,872 C:\hiberfil.sys
2006-08-03 19:17 57,344 C:\WINDOWS\ddhb.exe
2006-08-03 19:14 40,973 C:\WINDOWS\system32\urqqnom.dll
2006-08-03 19:14 10,752 C:\WINDOWS\system32\ismon.exe
2006-08-03 16:06 117,760 C:\WINDOWS\system32\xmllite.dll
2006-08-03 15:05 73,728 C:\WINDOWS\system32\asuninst.exe
2006-08-03 15:05 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-08-02 19:08 61,952 C:\WINDOWS\system32\iqh30f52.dll
2006-08-01 11:41 44,544 C:\WINDOWS\system32\msxml4a.dll
2006-07-28 15:14 53,248 C:\WINDOWS\system32\Process.exe
2006-07-28 15:14 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-28 15:14 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-28 15:14 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-28 10:27 2 C:\WINDOWS\system32\wnstssu.exe
2006-07-28 09:36 573,492 C:\WINDOWS\system32\mljjg.dll
2006-07-28 09:31 8,704 C:\WINDOWS\system32\SpOrder.dll
2006-07-28 09:31 6,144 C:\WINDOWS\system32\stera.exe
2006-07-28 09:24 40,973 C:\WINDOWS\system32\ddcbbab.dll
2006-07-28 09:24 1,167 C:\WINDOWS\system32\iqh30f52.sys
2006-07-27 22:46 171,008 C:\WINDOWS\system32\LXAESUI.DLL
2006-07-26 10:50 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-26 10:50 49,248 C:\WINDOWS\system32\java.exe
2006-07-26 10:50 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-09 11:19 94,208 C:\WINDOWS\system32\HPZipt12.dll
2006-07-09 11:19 69,632 C:\WINDOWS\system32\HPZipm12.exe
2006-07-09 11:19 61,440 C:\WINDOWS\system32\HPZinw12.exe
2006-07-09 11:19 57,344 C:\WINDOWS\system32\HPZisn12.dll
2006-07-09 11:19 278,584 C:\WINDOWS\system32\HPZidr12.dll
2006-07-09 11:19 204,800 C:\WINDOWS\system32\HPZipr12.dll
2006-07-08 15:20 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-08 15:20 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-08 15:20 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-07-08 15:20 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-07-08 15:20 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-08 15:20 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-08 15:20 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-07-08 15:20 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-08 15:20 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-07-08 15:20 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-07-07 08:44 4,682 C:\WINDOWS\system32\npptNT2.sys
2006-06-26 19:01 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-06-25 18:14 92,208 C:\WINDOWS\system32\WING.DLL
2006-06-25 18:14 27,136 C:\WINDOWS\system32\WAVMIX16.DLL
2006-06-25 18:14 188,960 C:\WINDOWS\system32\WINGDE.DLL
2006-06-25 18:14 12,800 C:\WINDOWS\system32\WING32.DLL
2006-06-25 18:13 297,472 C:\WINDOWS\uninst.exe
2006-06-23 09:28 5,512,704 C:\WINDOWS\system32\ieframe.dll
2006-06-23 09:28 47,616 C:\WINDOWS\system32\msfeedsbs.dll
2006-06-23 09:28 454,144 C:\WINDOWS\system32\msfeeds.dll
2006-06-23 09:28 179,200 C:\WINDOWS\system32\ieui.dll
2006-06-23 05:41 172,544 C:\WINDOWS\system32\WinFXDocObj.exe
2006-06-23 05:30 11,776 C:\WINDOWS\system32\msfeedssync.exe
2006-06-23 05:29 55,296 C:\WINDOWS\system32\icardie.dll
2006-06-23 05:27 251,392 C:\WINDOWS\system32\iertutil.dll
2006-06-23 04:46 377,856 C:\WINDOWS\system32\ieapfltr.dll
2006-06-20 09:37 139,264 C:\WINDOWS\War3Unin.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SSBkgdUpdate"="C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe -Embedding -boot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"iqh30f52"="RUNDLL32.EXE w0184b8b.dll,n 00230f500000000a0184b8b"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="1"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Steam"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Oror"="\"C:\\PROGRA~1\\COMMON~1\\SMBOLS~1\\userinit.exe\" -vt yazr"
"Lqy"="C:\\DOCUME~1\\Grant\\APPLIC~1\\SSEMBL~1\\explorer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{B886F5A2-0A77-1033-0307-050308140001}"="\"C:\\Program Files\\Common Files\\{B886F5A2-0A77-1033-0307-050308140001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Fri 08/04/2006 14:31:25.87
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-04.142744.txt




Logfile of HijackThis v1.99.1
Scan saved at 2:37:16 PM, on 8/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\Rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\COMMON~1\SMBOLS~1\userinit.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\DOCUME~1\Grant\LOCALS~1\Temp\b103.exe
C:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O1 - Hosts: 69.60.124.19 L2authd.lineage2.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [iqh30f52] RUNDLL32.EXE w0184b8b.dll,n 00230f500000000a0184b8b
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Oror] "C:\PROGRA~1\COMMON~1\SMBOLS~1\userinit.exe" -vt yazr
O4 - HKCU\..\Run: [Lqy] C:\DOCUME~1\Grant\APPLIC~1\SSEMBL~1\explorer.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm473YYUS
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

#4 -David- (Members, 10,603 posts, London)

Posted 04 August 2006 - 02:54 PM

Hey there Zen00,

1) It is a good idea to print off these instructions:
This will be useful, as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in Word/Notepad to the desktop, where they can be easily found, for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please set your system to show hidden files; please see here if you're unsure how to do this.

2) Please run the uninstaller by using the tutorial found here:
http://www.outerinfo.com/howto.html
Then Reboot! (v.important)

3) Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - HKLM\..\Run: [iqh30f52] RUNDLL32.EXE w0184b8b.dll,n 00230f500000000a0184b8b
O4 - HKCU\..\Run: [Oror] "C:\PROGRA~1\COMMON~1\SMBOLS~1\userinit.exe" -vt yazr
O4 - HKCU\..\Run: [Lqy] C:\DOCUME~1\Grant\APPLIC~1\SSEMBL~1\explorer.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/...?p=ZRxdm473YYUS
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.mmohsix.com
O23 - Service: Firewall service (FWSvc) - Unknown owner - C:\Program Files\WinAntiVirus Pro 2006\FWSvc.exe (file missing)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

4) Open Notepad and copy and paste the following into it:

sc delete FWSvc

Save this as look.bat
Choose to save as all files.
Doubleclick look.bat and let the program run.

5) Please open Notepad and copy and paste the following into it:
(don't forget to copy and paste the REGEDIT4 line)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=-

Save this as "fix.reg", choose to save as all files, and place it on your desktop.
Doubleclick on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

6) Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!),which will then flash green.
Copy the complete text below to the clipboard by highlighting the file paths and pressing Control + C:

C:\WINDOWS\system32\w0184b8b.dll
C:\WINDOWS\gywmi.dll
C:\WINDOWS\system32\ismon.exe
C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe
C:\WINDOWS\ddhb.exe
C:\WINDOWS\system32\wnstssu.exe
C:\WINDOWS\system32\urqqnom.dll
C:\WINDOWS\system32\iqh30f52.dll
C:\WINDOWS\system32\iqh30f52.sys
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\ddcbbab.dll
C:\WINDOWS\ddhb.exe
C:\WINDOWS\system32\stera.exe


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

7) After the reboot please search and delete the following folders:

C:\Documents and Settings\Grant\Application Data\?ssembly <---this folder will look like "assembly", but a letter from the Cyrillic alphabet will fill the question mark. Only delete the folder that was created on 2006-08-03. It will contain explorer.exe.

C:\Program Files\Common Files\s?mbols <---this folder will look like "symbols", but a letter from the Cyrillic alphabet will fill the question mark. Only delete the folder that was created on 2006-08-03. It will contain userinit.exe.

C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}

8) Please download SmitfraudFix (by S!Ri)
  • Extract the content (a folder named SmitfraudFix) to your Desktop.
  • Open the SmitfraudFix folder and double-click smitfraudfix.cmd
  • Select option #1 - Search by typing 1, and press Enter.
  • A text file will appear, which lists infected files (if present).
  • Please copy/paste the content of that report into your next reply.
  • Note: process.exe is detected by some antivirus programs as a "RiskTool"; it is not a virus, but a program used to stop system processes.
Please post back with a new HijackThis log, ComboFix log and SmitfraudFix log.

David
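Steps 3 and 7 above rely on two judgement calls a helper makes by eye: which O4 Run entries in a HijackThis log are worth fixing, and which folders are the look-alike "assembly"/"symbols" directories. The script below is an added example, not code from HijackThis, SmitfraudFix, ComboFix or either poster, that applies those judgements mechanically. It parses the O4 lines quoted from the log above, flags an entry when it runs from a user-writable location, when rundll32 loads a bare DLL with a random-looking name, or when a file borrows a Windows binary's name outside the Windows directories, and it reports any non-ASCII letters in a folder name. The folder names containing Cyrillic letters are constructed guesses at what "?ssembly" and "s?mbols" looked like; the original post only shows the question marks.

```python
"""Triage of HijackThis O4 Run entries plus a look-alike folder-name check.

Added example for this page; it is not part of HijackThis, SmitfraudFix,
ComboFix or the original posts. SAMPLE_LINES are copied from the log above.
The folder names with Cyrillic letters further down are constructed, since
the post only shows them as '?ssembly' and 's?mbols'.
"""
import re
import unicodedata

# Windows binaries whose names malware likes to borrow. The genuine copies live
# in C:\WINDOWS\system32 (explorer.exe in C:\WINDOWS); the same file name
# anywhere else deserves a look, as with userinit.exe / explorer.exe in the log.
SYSTEM_BINARIES = {"userinit.exe", "explorer.exe", "svchost.exe", "winlogon.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
# Per-user, user-writable locations, in both long and 8.3 spellings.
USER_WRITABLE = ("\\temp\\", "\\locals~1\\", "\\applic~1\\", "\\application data\\")

O4_RE = re.compile(r"^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+([^\s,\\]+)\.dll")

# O4 lines copied verbatim from the HijackThis log in the thread.
SAMPLE_LINES = [
    r"O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE",
    r'O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime',
    r"O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper",
    r"O4 - HKLM\..\Run: [iqh30f52] RUNDLL32.EXE w0184b8b.dll,n 00230f500000000a0184b8b",
    r"O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe",
    r'O4 - HKCU\..\Run: [Oror] "C:\PROGRA~1\COMMON~1\SMBOLS~1\userinit.exe" -vt yazr',
    r"O4 - HKCU\..\Run: [Lqy] C:\DOCUME~1\Grant\APPLIC~1\SSEMBL~1\explorer.exe",
    r"O4 - Startup: .protected",
]


def parse_o4(line):
    """Return (hive, entry name, command) for an O4 Run line, else None."""
    m = O4_RE.match(line.strip())
    return (m.group("hive"), m.group("name"), m.group("cmd")) if m else None


def image_path(cmd):
    """Executable the command launches: first token, unquoted, lower-cased."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end].lower() if end > 0 else cmd[1:].lower()
    return cmd.split()[0].lower() if cmd else ""


def suspicious_reasons(line):
    """List why an O4 Run entry looks suspicious; an empty list means no rule fired."""
    parsed = parse_o4(line)
    if parsed is None:
        return []
    _hive, _name, cmd = parsed
    low = cmd.lower()
    image = image_path(cmd)
    base = image.rsplit("\\", 1)[-1]
    reasons = []
    if any(marker in low for marker in USER_WRITABLE):
        reasons.append("runs from user temp/Application Data")
    m = RUNDLL_RE.match(low)
    if m:
        dll = m.group(1)
        # A path-less, digit-heavy DLL name (w0184b8b) is unlike the short
        # vendor name P17.dll that the sound driver loads the same way.
        if re.fullmatch(r"[a-z0-9]{7,}", dll) and sum(c.isdigit() for c in dll) >= 3:
            reasons.append(f"rundll32 loads random-looking DLL {dll}.dll")
    if base in SYSTEM_BINARIES and not image.startswith(SYSTEM_DIRS):
        reasons.append(f"{base} outside Windows directories")
    return reasons


def triage(lines):
    """Map entry name -> reasons for every O4 Run line that trips a rule."""
    flagged = {}
    for line in lines:
        reasons = suspicious_reasons(line)
        if reasons:
            flagged[parse_o4(line)[1]] = reasons
    return flagged


def lookalike_letters(name):
    """Non-ASCII letters in a folder name with their Unicode names, so that a
    name rendering as 'assembly' but starting with a Cyrillic letter is exposed."""
    return [(ch, unicodedata.name(ch, "?")) for ch in name if ord(ch) > 127 and ch.isalpha()]


if __name__ == "__main__":
    for name, why in triage(SAMPLE_LINES).items():
        print(f"[{name}] {'; '.join(why)}")
    # Constructed look-alike names (assumed Cyrillic 'а' and 'у'), plus a clean one.
    for folder in ("\u0430ssembly", "s\u0443mbols", "assembly"):
        print(folder, lookalike_letters(folder) or "ASCII only")
```

Run against the quoted lines, the three entries David asked to fix ([iqh30f52], [Oror], [Lqy]) are the only ones flagged, and the legitimate Rundll32 P17.dll entry passes. Listing Application Data and Common Files with `dir /x` shows the 8.3 names (SSEMBL~1, SMBOLS~1) that betray the non-ASCII folders even when the long names look normal.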

#5 Zen00 (Topic Starter; Members, 80 posts, Missouri)

Posted 05 August 2006 - 12:38 AM

All right, here's the results. Step one/two, I opened hidden files for viewing, then ran the outer info thingy, no hitches. Step three, I ran the HijackThis, but ran into some problems. Whenever I tried to delete the Startup/Global Startup .protected programs, it would tell me they were in use and deny me access to it, and no matter how many times I deleted the O23 entry, it would come back each time I scanned. Step four/five/six, ran all programs, had no problems; one of these steps stopped a pop-up saying a certain w014somethingish.dll was missing. Step seven, couldn't find C:\Program Files\Common Files\s?mbols, and C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001} wouldn't let me delete it, said it was in use. Step eight, ran fine.


SmitFraudFix v2.79

Scan done at 0:34:43.95, Sat 08/05/2006
Run from C:\Documents and Settings\Grant\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in normal mode

C:\


C:\WINDOWS

C:\WINDOWS\.protected FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32

C:\WINDOWS\system32\ismon.exe FOUND !
C:\WINDOWS\system32\components\flx?.dll FOUND !
C:\WINDOWS\system32\components\flx??.dll FOUND !
C:\WINDOWS\system32\components\flx???.dll FOUND !

C:\Documents and Settings\Grant\Application Data


Start Menu

C:\DOCUME~1\Grant\STARTM~1\Programs\Startup\.protected FOUND !
C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\.protected FOUND !

C:\DOCUME~1\Grant\FAVORI~1

C:\DOCUME~1\Grant\FAVORI~1\Antivirus Test Online.url FOUND !

Desktop


C:\Program Files


Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Scanning wininet.dll infection


End






Logfile of HijackThis v1.99.1
Scan saved at 12:35:35 AM, on 8/5/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=552...cid={SUB_CLCID}
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O1 - Hosts: 69.60.124.19 L2authd.lineage2.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe






Start Time= Sat 08/05/2006 0:36:21.92
Running from: C:\Downloads

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-04 14:34:12 ( .D... ) "C:\Program Files\InetGet2"
2006-08-04 13:17:42 ( .D... ) "C:\Program Files\Alwil Software"
2006-08-04 13:07:50 125 ( ..... ) "C:\WINDOWS\gywmi.dll"
2006-08-03 19:55:40 10752 ( ..... ) "C:\WINDOWS\system32\ismon.exe"
2006-08-03 19:17:48 175362 ( ..... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"
2006-08-03 19:17:10 57344 ( ..... ) "C:\WINDOWS\ddhb.exe"
2006-08-03 19:14:38 40973 ( ..... ) "C:\WINDOWS\system32\urqqnom.dll"
2006-08-03 15:35:36 ( .D... ) "C:\Program Files\HijackThis"
2006-08-03 15:27:50 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-08-03 14:32:18 ( .D... ) "C:\Program Files\Roguescanfix"
2006-08-03 12:46:50 ( .D... ) "C:\Program Files\Steam"
2006-08-02 19:34:28 61952 ( ..... ) "C:\WINDOWS\system32\iqh30f52.dll"
2006-08-02 19:34:28 1167 ( ..... ) "C:\WINDOWS\system32\iqh30f52.sys"
2006-08-02 19:34:28 1167 ( ..... ) "C:\WINDOWS\system32\iqh30f52.sys"
2006-08-02 19:08:32 ( .D... ) "C:\Program Files\License_Manager"
2006-08-01 11:40:50 ( .D... ) "C:\Program Files\Activision"
2006-07-30 18:20:38 ( .D... ) "C:\Program Files\Microprose"
2006-07-30 18:19:12 ( .D... ) "C:\Program Files\VentSrv"
2006-07-30 13:51:16 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Ahead"
2006-07-30 13:43:36 ( .D... ) "C:\Program Files\Photo Story 3 for Windows"
2006-07-29 21:20:26 ( .D... ) "C:\Program Files\MAIET"
2006-07-28 15:04:10 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-28 15:00:36 ( .D... ) "C:\Program Files\Windows Defender"
2006-07-28 14:54:26 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Lavasoft"
2006-07-28 14:54:18 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-28 13:42:00 ( .D... ) "C:\Program Files\Common Files\Companion Wizard"
2006-07-28 10:49:12 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Sun"
2006-07-28 09:36:10 573492 ( ..... ) "C:\WINDOWS\system32\mljjg.dll"
2006-07-28 09:24:30 ( .D... ) "C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}"
2006-07-28 09:24:20 40973 ( ..... ) "C:\WINDOWS\system32\ddcbbab.dll"
2006-07-27 21:53:08 ( .D... ) "C:\Program Files\Call of Duty Game of the Year Edition"
2006-07-26 10:49:34 ( .D... ) "C:\Program Files\Java"
2006-07-26 10:47:56 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-26 10:45:46 ( .D... ) "C:\Program Files\Azureus"
2006-07-26 10:36:58 ( .D... ) "C:\Program Files\BitTorrent"
2006-07-22 14:46:44 ( .D... ) "C:\Program Files\Sony"
2006-07-16 22:22:24 ( .D... ) "C:\Documents and Settings\Grant\Application Data\ScanSoft"
2006-07-16 22:18:58 ( .D... ) "C:\Program Files\Common Files\Scansoft Shared"
2006-07-16 22:11:58 ( .D... ) "C:\Program Files\ScanSoft"
2006-07-16 10:17:54 ( .D... ) "C:\Program Files\Shockwave.com"
2006-07-15 21:32:08 ( .D... ) "C:\Program Files\Foolish Entertainment"
2006-07-14 03:33:36 ( .D... ) "C:\Program Files\QuickTime"
2006-07-09 20:23:12 ( .D... ) "C:\Program Files\WinRAR"
2006-07-09 11:25:04 ( .D... ) "C:\Program Files\Common Files\HP"
2006-07-09 11:23:08 ( .D... ) "C:\Program Files\Hewlett-Packard"
2006-07-09 11:22:26 ( .D... ) "C:\Program Files\Common Files\Hewlett-Packard"
2006-07-09 11:17:50 ( .D... ) "C:\Program Files\HP"
2006-07-08 01:10:12 ( .D... ) "C:\Program Files\CCleaner"
2006-07-07 07:48:16 ( .D... ) "C:\Program Files\Infogrames Interactive"
2006-07-06 18:33:28 ( .D... ) "C:\Program Files\Ventrilo"
2006-07-06 18:33:18 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2006-07-05 19:38:02 ( .D... ) "C:\Program Files\GameSpy Arcade"
2006-07-05 19:35:14 ( .D... ) "C:\Program Files\America's Army Server Manager"
2006-07-05 19:31:56 ( .D... ) "C:\Program Files\America's Army"
2006-07-04 23:55:46 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Ventrilo"
2006-07-04 23:52:10 ( .D... ) "C:\Program Files\Lineage II"
2006-07-03 14:29:06 ( .D... ) "C:\Program Files\Firefly Studios"
2006-07-02 19:34:00 ( .D... ) "C:\Program Files\Anarchy"
2006-06-26 18:53:14 ( .D... ) "C:\Program Files\Microsoft Games"
2006-06-25 16:30:34 ( .D... ) "C:\Program Files\SimTheme Park"
2006-06-23 20:23:00 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Motive"
2006-06-23 09:28:56 5512704 ( ..... ) "C:\WINDOWS\system32\ieframe.dll"
2006-06-23 09:28:56 454144 ( ..... ) "C:\WINDOWS\system32\msfeeds.dll"
2006-06-23 09:28:56 413696 ( A.... ) "C:\WINDOWS\system32\vbscript.dll"
2006-06-23 09:28:56 223744 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
2006-06-23 09:28:56 179200 ( ..... ) "C:\WINDOWS\system32\ieui.dll"
2006-06-23 09:28:56 155648 ( A.... ) "C:\WINDOWS\system32\msls31.dll"
2006-06-23 09:28:56 47616 ( ..... ) "C:\WINDOWS\system32\msfeedsbs.dll"
2006-06-23 05:41:42 172544 ( ..... ) "C:\WINDOWS\system32\WinFXDocObj.exe"
2006-06-23 05:40:44 78848 ( A.... ) "C:\WINDOWS\system32\ieencode.dll"
2006-06-23 05:40:04 40960 ( A.... ) "C:\WINDOWS\system32\url.dll"
2006-06-23 05:39:52 39424 ( A.... ) "C:\WINDOWS\system32\licmgr10.dll"
2006-06-23 05:39:08 99328 ( A.... ) "C:\WINDOWS\system32\occache.dll"
2006-06-23 05:37:18 14336 ( A.... ) "C:\WINDOWS\system32\corpol.dll"
2006-06-23 05:34:30 228864 ( A.... ) "C:\WINDOWS\system32\ieaksie.dll"
2006-06-23 05:34:16 167936 ( A.... ) "C:\WINDOWS\system32\ieakeng.dll"
2006-06-23 05:34:06 81920 ( A.... ) "C:\WINDOWS\system32\admparse.dll"
2006-06-23 05:34:06 50688 ( A.... ) "C:\WINDOWS\system32\ie4uinit.exe"
2006-06-23 05:34:02 372736 ( A.... ) "C:\WINDOWS\system32\iedkcs32.dll"
2006-06-23 05:33:42 54272 ( A.... ) "C:\WINDOWS\system32\iesetup.dll"
2006-06-23 05:33:22 41984 ( A.... ) "C:\WINDOWS\system32\iernonce.dll"
2006-06-23 05:33:00 121856 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
2006-06-23 05:30:22 11776 ( ..... ) "C:\WINDOWS\system32\msfeedssync.exe"
2006-06-23 05:29:56 55296 ( ..... ) "C:\WINDOWS\system32\icardie.dll"
2006-06-23 05:29:22 35328 ( A.... ) "C:\WINDOWS\system32\imgutil.dll"
2006-06-23 05:27:56 251392 ( ..... ) "C:\WINDOWS\system32\iertutil.dll"
2006-06-23 05:26:52 45568 ( A.... ) "C:\WINDOWS\system32\mshta.exe"
2006-06-23 04:46:30 377856 ( ..... ) "C:\WINDOWS\system32\ieapfltr.dll"
2006-06-23 04:45:30 48640 ( A.... ) "C:\WINDOWS\system32\mshtmler.dll"
2006-06-23 04:41:42 172032 ( A.... ) "C:\WINDOWS\system32\ieakui.dll"
2006-06-20 10:29:30 139264 ( A.... ) "C:\WINDOWS\War3Unin.exe"
2006-06-20 09:46:40 ( .D... ) "C:\Program Files\GIMP-2.0"
2006-06-20 09:46:00 ( .D... ) "C:\Program Files\Common Files\GTK"
2006-06-20 09:31:24 ( .D... ) "C:\Program Files\Warcraft III"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-19 15:18:34 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"
2006-06-19 15:18:16 23552 ( ..... ) "C:\WINDOWS\system32\idndl.dll"
2006-06-19 15:18:16 20480 ( ..... ) "C:\WINDOWS\system32\normaliz.dll"
2006-06-19 13:38:26 ( .D... ) "C:\Documents and Settings\Grant\Application Data\teamspeak2"
2006-06-19 13:38:08 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Xfire"
2006-06-19 11:45:50 ( .DS.. ) "C:\Program Files\Xfire"
2006-06-19 11:28:08 ( .D... ) "C:\Program Files\Teamspeak2_RC2"
2006-06-18 21:10:34 ( .D... ) "C:\Program Files\Creative"
2006-06-18 20:52:06 ( .D... ) "C:\Program Files\Google"
2006-06-18 20:52:04 ( .D... ) "C:\Program Files\WinZip"
2006-06-18 20:16:42 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Macromedia"
2006-06-18 20:16:20 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Yahoo!"
2006-06-18 20:15:28 ( .D... ) "C:\Program Files\Common Files\Motive"
2006-06-18 20:15:18 ( .D... ) "C:\Program Files\SBC Self Support Tool"
2006-06-18 19:57:38 ( .D... ) "C:\Program Files\Yahoo!"
2006-06-18 19:54:58 ( .D... ) "C:\Program Files\BroadJump"
2006-06-18 18:29:48 ( .D... ) "C:\Program Files\EA GAMES"
2006-06-18 18:21:30 ( .D... ) "C:\Program Files\Common Files\Nero"
2006-06-18 18:20:30 ( .D... ) "C:\Program Files\Common Files\Ahead"
2006-06-18 18:20:28 ( .D... ) "C:\Program Files\Ahead"
2006-06-18 18:16:50 ( .D... ) "C:\Documents and Settings\Grant\Application Data\ATI"
2006-06-18 18:12:18 ( .D... ) "C:\Program Files\ATI Technologies"
2006-06-18 18:08:50 ( .D... ) "C:\Program Files\Realtek Sound Manager"
2006-06-18 18:08:48 ( .D... ) "C:\Program Files\AvRack"
2006-06-18 18:07:34 ( .D... ) "C:\Program Files\Marvell"
2006-06-18 18:05:48 ( .D... ) "C:\Program Files\Intel"
2006-06-18 18:05:06 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-06-18 18:05:02 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-06-18 17:46:50 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-06-18 17:46:44 ( .DS.. ) "C:\Documents and Settings\Grant\Application Data\Microsoft"
2006-06-18 17:41:48 ( .D... ) "C:\Program Files\xerox"
2006-06-18 17:41:48 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-06-18 17:41:30 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-06-18 17:40:10 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-06-18 17:39:12 ( .D... ) "C:\Program Files\Common Files\Services"
2006-06-18 17:39:08 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-06-18 17:38:56 ( .D... ) "C:\Program Files\Movie Maker"
2006-06-18 17:38:44 ( .D... ) "C:\Program Files\NetMeeting"
2006-06-18 17:38:42 ( .D... ) "C:\Program Files\Outlook Express"
2006-06-18 17:38:30 ( .D... ) "C:\Program Files\Common Files\System"
2006-06-18 17:38:28 ( .D... ) "C:\Program Files\Internet Explorer"
2006-06-18 17:37:58 ( .D... ) "C:\Program Files\ComPlus Applications"
2006-06-18 17:37:46 ( .D... ) "C:\Program Files\Windows Media Player"
2006-06-18 17:37:46 ( .D... ) "C:\Program Files\Online Services"
2006-06-18 17:37:40 ( .D... ) "C:\Program Files\Messenger"
2006-06-18 17:37:36 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-06-18 17:36:56 ( .D... ) "C:\Program Files\MSN"
2006-06-18 17:36:54 ( .D... ) "C:\Program Files\Windows NT"
2006-06-18 12:29:40 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-06-18 12:29:38 ( AD... ) "C:\Program Files\Common Files"
2006-06-18 12:29:38 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-06-18 12:29:38 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-06-18 12:29:10 62 ( A.SH. ) "C:\Documents and Settings\Grant\Application Data\desktop.ini"
2006-06-18 08:54:08 36864 ( A.... ) "C:\WINDOWS\system32\frapsvid.dll"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-31 04:02:04 624640 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2006-05-31 03:54:36 90112 ( A.... ) "C:\WINDOWS\system32\AVASTSS.scr"
2006-05-19 07:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-04 14:14 805,306,368 C:\pagefile.sys
2006-08-04 13:17 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-08-04 13:17 624,640 C:\WINDOWS\system32\aswBoot.exe
2006-08-03 20:29 125 C:\WINDOWS\gywmi.dll
2006-08-03 20:25 536,399,872 C:\hiberfil.sys
2006-08-03 19:17 57,344 C:\WINDOWS\ddhb.exe
2006-08-03 19:14 40,973 C:\WINDOWS\system32\urqqnom.dll
2006-08-03 19:14 10,752 C:\WINDOWS\system32\ismon.exe
2006-08-03 16:06 117,760 C:\WINDOWS\system32\xmllite.dll
2006-08-03 15:05 73,728 C:\WINDOWS\system32\asuninst.exe
2006-08-03 15:05 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-08-02 19:08 61,952 C:\WINDOWS\system32\iqh30f52.dll
2006-08-01 11:41 44,544 C:\WINDOWS\system32\msxml4a.dll
2006-07-28 15:14 53,248 C:\WINDOWS\system32\Process.exe
2006-07-28 15:14 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-28 15:14 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-28 15:14 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-28 09:36 573,492 C:\WINDOWS\system32\mljjg.dll
2006-07-28 09:31 8,704 C:\WINDOWS\system32\SpOrder.dll
2006-07-28 09:31 6,144 C:\WINDOWS\system32\stera.exe
2006-07-28 09:24 40,973 C:\WINDOWS\system32\ddcbbab.dll
2006-07-28 09:24 1,167 C:\WINDOWS\system32\iqh30f52.sys
2006-07-27 22:46 171,008 C:\WINDOWS\system32\LXAESUI.DLL
2006-07-26 10:50 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-26 10:50 49,248 C:\WINDOWS\system32\java.exe
2006-07-26 10:50 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-09 11:19 94,208 C:\WINDOWS\system32\HPZipt12.dll
2006-07-09 11:19 69,632 C:\WINDOWS\system32\HPZipm12.exe
2006-07-09 11:19 61,440 C:\WINDOWS\system32\HPZinw12.exe
2006-07-09 11:19 57,344 C:\WINDOWS\system32\HPZisn12.dll
2006-07-09 11:19 278,584 C:\WINDOWS\system32\HPZidr12.dll
2006-07-09 11:19 204,800 C:\WINDOWS\system32\HPZipr12.dll
2006-07-08 15:20 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-08 15:20 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-08 15:20 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-07-08 15:20 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-07-08 15:20 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-08 15:20 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-08 15:20 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-07-08 15:20 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-08 15:20 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-07-08 15:20 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-07-07 08:44 4,682 C:\WINDOWS\system32\npptNT2.sys
2006-06-26 19:01 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-06-25 18:14 92,208 C:\WINDOWS\system32\WING.DLL
2006-06-25 18:14 27,136 C:\WINDOWS\system32\WAVMIX16.DLL
2006-06-25 18:14 188,960 C:\WINDOWS\system32\WINGDE.DLL
2006-06-25 18:14 12,800 C:\WINDOWS\system32\WING32.DLL
2006-06-25 18:13 297,472 C:\WINDOWS\uninst.exe
2006-06-23 09:28 5,512,704 C:\WINDOWS\system32\ieframe.dll
2006-06-23 09:28 47,616 C:\WINDOWS\system32\msfeedsbs.dll
2006-06-23 09:28 454,144 C:\WINDOWS\system32\msfeeds.dll
2006-06-23 09:28 179,200 C:\WINDOWS\system32\ieui.dll
2006-06-23 05:41 172,544 C:\WINDOWS\system32\WinFXDocObj.exe
2006-06-23 05:30 11,776 C:\WINDOWS\system32\msfeedssync.exe
2006-06-23 05:29 55,296 C:\WINDOWS\system32\icardie.dll
2006-06-23 05:27 251,392 C:\WINDOWS\system32\iertutil.dll
2006-06-23 04:46 377,856 C:\WINDOWS\system32\ieapfltr.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SSBkgdUpdate"="C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe -Embedding -boot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="1"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Steam"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{B886F5A2-0A77-1033-0307-050308140001}"="\"C:\\Program Files\\Common Files\\{B886F5A2-0A77-1033-0307-050308140001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Sat 08/05/2006 0:36:55.17
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-04.142744.txt
ComboFix.2006-08-05.003621.txt
This space will eventually have something very cool to fill it up, but not right now.

#6 -David-


Posted 05 August 2006 - 02:26 AM

Hello there,
Let's remove those annoying "O4 - Startup: .protected"'s before we continue.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Once in Safe Mode, open the SmitfraudFix folder again.
  • Double-click smitfraudfix.cmd.
  • Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.
  • You will be prompted: "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.
  • The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".
  • The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
  • A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
  • The report can also be found at the root of the system drive, usually at C:\rapport.txt
  • Warning: running option #2 on a non-infected computer will remove your Desktop background.
Also, open up Killbox again. Click File -> Logs -> Actions History Log
Post this log in your next reply.
David

#7 Zen00


Posted 05 August 2006 - 01:13 PM

Alrighty then, I did as you said, and all of a sudden there's this new thing on my computer called Mirar. Whenever I go to a new web page, it gives me an error with a really long path name, saying it couldn't be found. It also shows up in my toolbar menu as 'relate page', and whenever I click to make it non-visible, it won't disappear. Logs below.


Pocket Killbox version 2.0.0.648
Running on Windows XP as Grant(Administrator)
was started @ Saturday, August 05, 2006, 12:14 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\gywmi.dll


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\ismon.exe


# 3 [Delete on Reboot]
Path = C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe


# 4 [Delete on Reboot]
Path = C:\WINDOWS\ddhb.exe


# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\urqqnom.dll


# 6 [Delete on Reboot]
Path = C:\WINDOWS\system32\iqh30f52.dll


# 7 [Delete on Reboot]
Path = C:\WINDOWS\system32\iqh30f52.sys


# 8 [Delete on Reboot]
Path = C:\WINDOWS\system32\mljjg.dll


# 9 [Delete on Reboot]
Path = C:\WINDOWS\system32\ddcbbab.dll


# 10 [Delete on Reboot]
Path = C:\WINDOWS\system32\stera.exe


PendingFileRenameOperations Registry Data has been Removed by External Process! @ 12:17:11 AM
Killbox Closed(Exit) @ 12:17:35 AM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Grant(Administrator)
was started @ Saturday, August 05, 2006, 1:09 PM






SmitFraudFix v2.79

Scan done at 13:04:42.01, Sat 08/05/2006
Run from C:\Documents and Settings\Grant\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix ran in safe mode

Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

Killing process


Generic Renos Fix

GenericRenosFix by S!Ri


Deleting infected files

C:\WINDOWS\.protected Deleted
C:\WINDOWS\system32\ismon.exe Deleted
C:\WINDOWS\system32\components\flx?.dll Deleted
\.protected Deleted

Deleting Temp Files


Registry Cleaning

Registry Cleaning done.

After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


End

Edited by Zen00, 05 August 2006 - 01:15 PM.

This space will eventually have something very cool to fill it up, but not right now.
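As an added example (not code from the thread or from Killbox, ComboFix or SmitFraudFix): a Python script that parses the Killbox Actions History Log above and the "Files Created" section of a ComboFix log run after it, and reports which delete-on-reboot targets still show up. The "PendingFileRenameOperations Registry Data has been Removed by External Process" line is the thing to watch for: Delete on Reboot works by queuing the removal in that registry value, so if something clears the value before the reboot, nothing is deleted. The embedded logs are constructed from lines quoted in this thread and trimmed.

```python
import re

# Constructed sample: Killbox "Actions History Log" lines from post #7,
# trimmed to five of the ten entries plus the queue-cleared notice.
KILLBOX_LOG = r"""Pocket Killbox version 2.0.0.648
Running on Windows XP as Grant(Administrator)
was started @ Saturday, August 05, 2006, 12:14 AM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\gywmi.dll

# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\ismon.exe

# 3 [Delete on Reboot]
Path = C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe

# 4 [Delete on Reboot]
Path = C:\WINDOWS\ddhb.exe

# 5 [Delete on Reboot]
Path = C:\WINDOWS\system32\urqqnom.dll

PendingFileRenameOperations Registry Data has been Removed by External Process! @ 12:17:11 AM
Killbox Closed(Exit) @ 12:17:35 AM
"""

# Constructed sample: "Files Created - Last 30days" lines from the ComboFix
# log in post #5 (completion time 0:36 on 08/05, after the Killbox session).
COMBOFIX_CREATED = r"""2006-08-04 13:17 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-08-03 20:29 125 C:\WINDOWS\gywmi.dll
2006-08-03 19:17 57,344 C:\WINDOWS\ddhb.exe
2006-08-03 19:14 40,973 C:\WINDOWS\system32\urqqnom.dll
2006-08-03 19:14 10,752 C:\WINDOWS\system32\ismon.exe
2006-07-26 10:50 49,248 C:\WINDOWS\system32\java.exe
"""

# One Killbox entry: "# N [Action]" followed by a "Path = ..." line.
ENTRY_RE = re.compile(r"^# \d+ \[(?P<action>[^\]]+)\]\s+Path = (?P<path>[^\r\n]+)", re.M)
# One ComboFix line: date, time, comma-grouped size, full path.
CREATED_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) (.+)$", re.M)
QUEUE_CLEARED = "PendingFileRenameOperations Registry Data has been Removed by External Process"


def parse_killbox(text):
    """Return (paths queued for Delete on Reboot, whether the queue was wiped)."""
    queued = [m.group("path").rstrip() for m in ENTRY_RE.finditer(text)
              if m.group("action") == "Delete on Reboot"]
    return queued, QUEUE_CLEARED in text


def parse_combofix_created(text):
    """Map lower-cased path -> (date, time, size in bytes)."""
    listing = {}
    for date, time, size, path in CREATED_RE.findall(text):
        listing[path.strip().lower()] = (date, time, int(size.replace(",", "")))
    return listing


def check_deletions(killbox_text, combofix_text):
    """Cross-check queued deletions against a later file listing.

    'still_present' are targets that reappear in the listing; 'not_in_listing'
    only means ComboFix did not list them (it covers the last 30 days), not
    that they were removed."""
    queued, cleared = parse_killbox(killbox_text)
    listing = parse_combofix_created(combofix_text)
    present = [p for p in queued if p.lower() in listing]
    unknown = [p for p in queued if p.lower() not in listing]
    return {"queue_cleared": cleared, "queued": queued,
            "still_present": present, "not_in_listing": unknown}


if __name__ == "__main__":
    report = check_deletions(KILLBOX_LOG, COMBOFIX_CREATED)
    if report["queue_cleared"]:
        print("WARNING: PendingFileRenameOperations was cleared before reboot;"
              " Delete on Reboot entries were most likely never applied.")
    for path in report["still_present"]:
        print("still present:", path)
    for path in report["not_in_listing"]:
        print("not in listing (unknown):", path)
```
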

#8 -David-


Posted 05 August 2006 - 03:17 PM

Ok, let's continue, Zen00.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A printout of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

Please download Ewido Anti-Spyware and save the file to your desktop.
This is a free 30 day trial version of the program.
  • Locate the icon on your desktop and double click it to open the set-up program.
  • Follow the instructions on screen to install Ewido.
  • Run the program and you will meet the main screen.
  • Select the icon "Update" then select the "Update now" link
  • Next click the "Start Update" button; a progress bar will show the updates being installed.
  • Now select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Click on "Recommended actions" and then select "Quarantine".
  • Close the program now, we will be running a scan a bit later.
  • You can go ahead and delete the old setup file from your desktop.
Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Using Windows Explorer, please locate the following files/folders, and delete them if still present:
  • Launch Ewido by double clicking on the icon on your desktop.
  • Select the "Scanner" icon at the top and then the "Scan" tab.
  • Then click on the "Complete System Scan" button.
  • If you have any infections you will be asked for an action - select "apply all actions".
  • Now select the "Reports" icon at the top.
  • Click "Save Report As" and save the text file to your desktop.
  • Close Ewido and reboot back into normal mode.
Please post the results of the Ewido scan in this thread. Also post a new Combofix log and a new Hijackthis log.
David

#9 Zen00


Posted 06 August 2006 - 01:09 PM

I finished your instructions. I ran HijackThis again to save a file of the programs, but it didn't pop up a file this time either. I ran Ewido in safe mode and deleted some stuff, but when I tried to save a report, the save button was greyed out and I couldn't use it. (In safe mode, the program uses up more than the whole screen for some reason, and there's no toolbar visible, except as a grey line at the bottom of the screen.) Also, for some reason, My Documents keeps popping up at each Windows startup.



Start Time= Sun 08/06/2006 13:02:45.81
Running from: C:\Downloads

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-05 19:51:26 ( .D... ) "C:\Program Files\Warsow"
2006-08-04 13:17:42 ( .D... ) "C:\Program Files\Alwil Software"
2006-08-04 13:07:50 125 ( ..... ) "C:\WINDOWS\gywmi.dll"
2006-08-03 19:17:48 175362 ( ..... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"
2006-08-03 19:14:38 40973 ( ..... ) "C:\WINDOWS\system32\urqqnom.dll"
2006-08-03 15:35:36 ( .D... ) "C:\Program Files\HijackThis"
2006-08-03 15:27:50 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-08-03 14:32:18 ( .D... ) "C:\Program Files\Roguescanfix"
2006-08-03 12:46:50 ( .D... ) "C:\Program Files\Steam"
2006-08-02 19:34:28 61952 ( ..... ) "C:\WINDOWS\system32\iqh30f52.dll"
2006-08-02 19:34:28 1167 ( ..... ) "C:\WINDOWS\system32\iqh30f52.sys"
2006-08-02 19:34:28 1167 ( ..... ) "C:\WINDOWS\system32\iqh30f52.sys"
2006-08-02 19:08:32 ( .D... ) "C:\Program Files\License_Manager"
2006-08-01 11:40:50 ( .D... ) "C:\Program Files\Activision"
2006-07-30 18:20:38 ( .D... ) "C:\Program Files\Microprose"
2006-07-30 18:19:12 ( .D... ) "C:\Program Files\VentSrv"
2006-07-30 13:51:16 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Ahead"
2006-07-30 13:43:36 ( .D... ) "C:\Program Files\Photo Story 3 for Windows"
2006-07-29 21:20:26 ( .D... ) "C:\Program Files\MAIET"
2006-07-28 15:04:10 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-28 15:00:36 ( .D... ) "C:\Program Files\Windows Defender"
2006-07-28 14:54:26 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Lavasoft"
2006-07-28 14:54:18 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-28 13:42:00 ( .D... ) "C:\Program Files\Common Files\Companion Wizard"
2006-07-28 10:49:12 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Sun"
2006-07-28 09:36:10 573492 ( ..... ) "C:\WINDOWS\system32\mljjg.dll"
2006-07-28 09:24:30 ( .D... ) "C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}"
2006-07-28 09:24:20 40973 ( ..... ) "C:\WINDOWS\system32\ddcbbab.dll"
2006-07-27 21:53:08 ( .D... ) "C:\Program Files\Call of Duty Game of the Year Edition"
2006-07-26 10:49:34 ( .D... ) "C:\Program Files\Java"
2006-07-26 10:47:56 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-26 10:45:46 ( .D... ) "C:\Program Files\Azureus"
2006-07-26 10:36:58 ( .D... ) "C:\Program Files\BitTorrent"
2006-07-22 14:46:44 ( .D... ) "C:\Program Files\Sony"
2006-07-16 22:22:24 ( .D... ) "C:\Documents and Settings\Grant\Application Data\ScanSoft"
2006-07-16 22:18:58 ( .D... ) "C:\Program Files\Common Files\Scansoft Shared"
2006-07-16 22:11:58 ( .D... ) "C:\Program Files\ScanSoft"
2006-07-16 10:17:54 ( .D... ) "C:\Program Files\Shockwave.com"
2006-07-15 21:32:08 ( .D... ) "C:\Program Files\Foolish Entertainment"
2006-07-14 03:33:36 ( .D... ) "C:\Program Files\QuickTime"
2006-07-09 20:23:12 ( .D... ) "C:\Program Files\WinRAR"
2006-07-09 11:25:04 ( .D... ) "C:\Program Files\Common Files\HP"
2006-07-09 11:23:08 ( .D... ) "C:\Program Files\Hewlett-Packard"
2006-07-09 11:22:26 ( .D... ) "C:\Program Files\Common Files\Hewlett-Packard"
2006-07-09 11:17:50 ( .D... ) "C:\Program Files\HP"
2006-07-08 01:10:12 ( .D... ) "C:\Program Files\CCleaner"
2006-07-07 07:48:16 ( .D... ) "C:\Program Files\Infogrames Interactive"
2006-07-06 18:33:28 ( .D... ) "C:\Program Files\Ventrilo"
2006-07-06 18:33:18 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2006-07-05 19:38:02 ( .D... ) "C:\Program Files\GameSpy Arcade"
2006-07-05 19:35:14 ( .D... ) "C:\Program Files\America's Army Server Manager"
2006-07-05 19:31:56 ( .D... ) "C:\Program Files\America's Army"
2006-07-04 23:55:46 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Ventrilo"
2006-07-04 23:52:10 ( .D... ) "C:\Program Files\Lineage II"
2006-07-03 14:29:06 ( .D... ) "C:\Program Files\Firefly Studios"
2006-07-02 19:34:00 ( .D... ) "C:\Program Files\Anarchy"
2006-06-26 18:53:14 ( .D... ) "C:\Program Files\Microsoft Games"
2006-06-25 16:30:34 ( .D... ) "C:\Program Files\SimTheme Park"
2006-06-23 20:23:00 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Motive"
2006-06-23 09:28:56 5512704 ( ..... ) "C:\WINDOWS\system32\ieframe.dll"
2006-06-23 09:28:56 454144 ( ..... ) "C:\WINDOWS\system32\msfeeds.dll"
2006-06-23 09:28:56 413696 ( A.... ) "C:\WINDOWS\system32\vbscript.dll"
2006-06-23 09:28:56 223744 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
2006-06-23 09:28:56 179200 ( ..... ) "C:\WINDOWS\system32\ieui.dll"
2006-06-23 09:28:56 155648 ( A.... ) "C:\WINDOWS\system32\msls31.dll"
2006-06-23 09:28:56 47616 ( ..... ) "C:\WINDOWS\system32\msfeedsbs.dll"
2006-06-23 05:41:42 172544 ( ..... ) "C:\WINDOWS\system32\WinFXDocObj.exe"
2006-06-23 05:40:44 78848 ( A.... ) "C:\WINDOWS\system32\ieencode.dll"
2006-06-23 05:40:04 40960 ( A.... ) "C:\WINDOWS\system32\url.dll"
2006-06-23 05:39:52 39424 ( A.... ) "C:\WINDOWS\system32\licmgr10.dll"
2006-06-23 05:39:08 99328 ( A.... ) "C:\WINDOWS\system32\occache.dll"
2006-06-23 05:37:18 14336 ( A.... ) "C:\WINDOWS\system32\corpol.dll"
2006-06-23 05:34:30 228864 ( A.... ) "C:\WINDOWS\system32\ieaksie.dll"
2006-06-23 05:34:16 167936 ( A.... ) "C:\WINDOWS\system32\ieakeng.dll"
2006-06-23 05:34:06 81920 ( A.... ) "C:\WINDOWS\system32\admparse.dll"
2006-06-23 05:34:06 50688 ( A.... ) "C:\WINDOWS\system32\ie4uinit.exe"
2006-06-23 05:34:02 372736 ( A.... ) "C:\WINDOWS\system32\iedkcs32.dll"
2006-06-23 05:33:42 54272 ( A.... ) "C:\WINDOWS\system32\iesetup.dll"
2006-06-23 05:33:22 41984 ( A.... ) "C:\WINDOWS\system32\iernonce.dll"
2006-06-23 05:33:00 121856 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
2006-06-23 05:30:22 11776 ( ..... ) "C:\WINDOWS\system32\msfeedssync.exe"
2006-06-23 05:29:56 55296 ( ..... ) "C:\WINDOWS\system32\icardie.dll"
2006-06-23 05:29:22 35328 ( A.... ) "C:\WINDOWS\system32\imgutil.dll"
2006-06-23 05:27:56 251392 ( ..... ) "C:\WINDOWS\system32\iertutil.dll"
2006-06-23 05:26:52 45568 ( A.... ) "C:\WINDOWS\system32\mshta.exe"
2006-06-23 04:46:30 377856 ( ..... ) "C:\WINDOWS\system32\ieapfltr.dll"
2006-06-23 04:45:30 48640 ( A.... ) "C:\WINDOWS\system32\mshtmler.dll"
2006-06-23 04:41:42 172032 ( A.... ) "C:\WINDOWS\system32\ieakui.dll"
2006-06-20 10:29:30 139264 ( A.... ) "C:\WINDOWS\War3Unin.exe"
2006-06-20 09:46:40 ( .D... ) "C:\Program Files\GIMP-2.0"
2006-06-20 09:46:00 ( .D... ) "C:\Program Files\Common Files\GTK"
2006-06-20 09:31:24 ( .D... ) "C:\Program Files\Warcraft III"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-19 15:18:34 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"
2006-06-19 15:18:16 23552 ( ..... ) "C:\WINDOWS\system32\idndl.dll"
2006-06-19 15:18:16 20480 ( ..... ) "C:\WINDOWS\system32\normaliz.dll"
2006-06-19 13:38:26 ( .D... ) "C:\Documents and Settings\Grant\Application Data\teamspeak2"
2006-06-19 13:38:08 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Xfire"
2006-06-19 11:45:50 ( .DS.. ) "C:\Program Files\Xfire"
2006-06-19 11:28:08 ( .D... ) "C:\Program Files\Teamspeak2_RC2"
2006-06-18 21:10:34 ( .D... ) "C:\Program Files\Creative"
2006-06-18 20:52:06 ( .D... ) "C:\Program Files\Google"
2006-06-18 20:52:04 ( .D... ) "C:\Program Files\WinZip"
2006-06-18 20:16:42 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Macromedia"
2006-06-18 20:16:20 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Yahoo!"
2006-06-18 20:15:28 ( .D... ) "C:\Program Files\Common Files\Motive"
2006-06-18 20:15:18 ( .D... ) "C:\Program Files\SBC Self Support Tool"
2006-06-18 19:57:38 ( .D... ) "C:\Program Files\Yahoo!"
2006-06-18 19:54:58 ( .D... ) "C:\Program Files\BroadJump"
2006-06-18 18:29:48 ( .D... ) "C:\Program Files\EA GAMES"
2006-06-18 18:21:30 ( .D... ) "C:\Program Files\Common Files\Nero"
2006-06-18 18:20:30 ( .D... ) "C:\Program Files\Common Files\Ahead"
2006-06-18 18:20:28 ( .D... ) "C:\Program Files\Ahead"
2006-06-18 18:16:50 ( .D... ) "C:\Documents and Settings\Grant\Application Data\ATI"
2006-06-18 18:12:18 ( .D... ) "C:\Program Files\ATI Technologies"
2006-06-18 18:08:50 ( .D... ) "C:\Program Files\Realtek Sound Manager"
2006-06-18 18:08:48 ( .D... ) "C:\Program Files\AvRack"
2006-06-18 18:07:34 ( .D... ) "C:\Program Files\Marvell"
2006-06-18 18:05:48 ( .D... ) "C:\Program Files\Intel"
2006-06-18 18:05:06 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-06-18 18:05:02 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-06-18 17:46:50 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-06-18 17:46:44 ( .DS.. ) "C:\Documents and Settings\Grant\Application Data\Microsoft"
2006-06-18 17:41:48 ( .D... ) "C:\Program Files\xerox"
2006-06-18 17:41:48 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-06-18 17:41:30 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-06-18 17:40:10 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-06-18 17:39:12 ( .D... ) "C:\Program Files\Common Files\Services"
2006-06-18 17:39:08 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-06-18 17:38:56 ( .D... ) "C:\Program Files\Movie Maker"
2006-06-18 17:38:44 ( .D... ) "C:\Program Files\NetMeeting"
2006-06-18 17:38:42 ( .D... ) "C:\Program Files\Outlook Express"
2006-06-18 17:38:30 ( .D... ) "C:\Program Files\Common Files\System"
2006-06-18 17:38:28 ( .D... ) "C:\Program Files\Internet Explorer"
2006-06-18 17:37:58 ( .D... ) "C:\Program Files\ComPlus Applications"
2006-06-18 17:37:46 ( .D... ) "C:\Program Files\Windows Media Player"
2006-06-18 17:37:46 ( .D... ) "C:\Program Files\Online Services"
2006-06-18 17:37:40 ( .D... ) "C:\Program Files\Messenger"
2006-06-18 17:37:36 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-06-18 17:36:56 ( .D... ) "C:\Program Files\MSN"
2006-06-18 17:36:54 ( .D... ) "C:\Program Files\Windows NT"
2006-06-18 12:29:40 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-06-18 12:29:38 ( AD... ) "C:\Program Files\Common Files"
2006-06-18 12:29:38 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-06-18 12:29:38 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-06-18 12:29:10 62 ( A.SH. ) "C:\Documents and Settings\Grant\Application Data\desktop.ini"
2006-06-18 08:54:08 36864 ( A.... ) "C:\WINDOWS\system32\frapsvid.dll"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-31 04:02:04 624640 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2006-05-31 03:54:36 90112 ( A.... ) "C:\WINDOWS\system32\AVASTSS.scr"
2006-05-19 07:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-06 12:14 536,399,872 C:\hiberfil.sys
2006-08-04 14:14 805,306,368 C:\pagefile.sys
2006-08-04 13:17 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-08-04 13:17 624,640 C:\WINDOWS\system32\aswBoot.exe
2006-08-03 20:29 125 C:\WINDOWS\gywmi.dll
2006-08-03 19:14 40,973 C:\WINDOWS\system32\urqqnom.dll
2006-08-03 16:06 117,760 C:\WINDOWS\system32\xmllite.dll
2006-08-03 15:05 73,728 C:\WINDOWS\system32\asuninst.exe
2006-08-03 15:05 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-08-02 19:08 61,952 C:\WINDOWS\system32\iqh30f52.dll
2006-08-01 11:41 44,544 C:\WINDOWS\system32\msxml4a.dll
2006-07-28 15:14 53,248 C:\WINDOWS\system32\Process.exe
2006-07-28 15:14 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-28 15:14 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-28 15:14 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-28 09:36 573,492 C:\WINDOWS\system32\mljjg.dll
2006-07-28 09:31 8,704 C:\WINDOWS\system32\SpOrder.dll
2006-07-28 09:31 6,144 C:\WINDOWS\system32\stera.exe
2006-07-28 09:24 40,973 C:\WINDOWS\system32\ddcbbab.dll
2006-07-28 09:24 1,167 C:\WINDOWS\system32\iqh30f52.sys
2006-07-27 22:46 171,008 C:\WINDOWS\system32\LXAESUI.DLL
2006-07-26 10:50 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-26 10:50 49,248 C:\WINDOWS\system32\java.exe
2006-07-26 10:50 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-09 11:19 94,208 C:\WINDOWS\system32\HPZipt12.dll
2006-07-09 11:19 69,632 C:\WINDOWS\system32\HPZipm12.exe
2006-07-09 11:19 61,440 C:\WINDOWS\system32\HPZinw12.exe
2006-07-09 11:19 57,344 C:\WINDOWS\system32\HPZisn12.dll
2006-07-09 11:19 278,584 C:\WINDOWS\system32\HPZidr12.dll
2006-07-09 11:19 204,800 C:\WINDOWS\system32\HPZipr12.dll
2006-07-08 15:20 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-08 15:20 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-08 15:20 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-07-08 15:20 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-07-08 15:20 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-08 15:20 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-08 15:20 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-07-08 15:20 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-08 15:20 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-07-08 15:20 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-07-07 08:44 4,682 C:\WINDOWS\system32\npptNT2.sys
2006-06-26 19:01 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll
2006-06-25 18:14 92,208 C:\WINDOWS\system32\WING.DLL
2006-06-25 18:14 27,136 C:\WINDOWS\system32\WAVMIX16.DLL
2006-06-25 18:14 188,960 C:\WINDOWS\system32\WINGDE.DLL
2006-06-25 18:14 12,800 C:\WINDOWS\system32\WING32.DLL
2006-06-25 18:13 297,472 C:\WINDOWS\uninst.exe
2006-06-23 09:28 5,512,704 C:\WINDOWS\system32\ieframe.dll
2006-06-23 09:28 47,616 C:\WINDOWS\system32\msfeedsbs.dll
2006-06-23 09:28 454,144 C:\WINDOWS\system32\msfeeds.dll
2006-06-23 09:28 179,200 C:\WINDOWS\system32\ieui.dll
2006-06-23 05:41 172,544 C:\WINDOWS\system32\WinFXDocObj.exe
2006-06-23 05:30 11,776 C:\WINDOWS\system32\msfeedssync.exe
2006-06-23 05:29 55,296 C:\WINDOWS\system32\icardie.dll
2006-06-23 05:27 251,392 C:\WINDOWS\system32\iertutil.dll
2006-06-23 04:46 377,856 C:\WINDOWS\system32\ieapfltr.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMan"="SOUNDMAN.EXE"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SSBkgdUpdate"="C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe -Embedding -boot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Yahoo! Pager"="1"
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Steam"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{B886F5A2-0A77-1033-0307-050308140001}"="\"C:\\Program Files\\Common Files\\{B886F5A2-0A77-1033-0307-050308140001}\\Update.exe\" mc-110-12-0000272"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Sun 08/06/2006 13:03:18.87
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt






Logfile of HijackThis v1.99.1
Scan saved at 1:08:00 PM, on 8/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}\Update.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\GMUD\GMUD32.EXE
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O1 - Hosts: 69.60.124.19 L2authd.lineage2.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SSBkgdUpdate] C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe -Embedding -boot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
This space will eventually have something very cool to fill it up, but not right now.
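As an added example (my own code, not part of this thread or of HijackThis), here is a small Python script that reads a HijackThis v1.99 log and pulls out the kinds of entries a helper asks to have fixed: processes and autostarts living in a GUID-named folder, toolbars whose DLL is missing, '.protected' startup items, non-default Trusted Zone sites and hosts overrides. The sample log is a constructed subset of the log above; the flagging rules are this example's own choices, not HijackThis's.

```python
"""HijackThis v1.99 log triage (added example, not part of the thread or of HijackThis)."""
import re
from dataclasses import dataclass

# Folder names like {B886F5A2-0A77-1033-0307-050308140001} under Common Files.
GUID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# Entry lines look like "O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE".
ENTRY_RE = re.compile(r"^(?P<sec>[RFNO]\d+) - (?P<body>.*)$")

# Constructed subset of the HijackThis log posted above.
SAMPLE_LOG = r"""Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}\Update.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O1 - Hosts: 69.60.124.19 L2authd.lineage2.com
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
"""


@dataclass(frozen=True)
class Finding:
    section: str  # HijackThis section tag, or "PROC" for the process list
    reason: str
    line: str


def triage_log(text):
    """Return the log entries a helper would ask about, in log order."""
    findings = []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the "Running processes:" block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if in_processes:
            if GUID_RE.search(line):
                findings.append(Finding("PROC", "running from a GUID-named folder", line))
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        if sec == "O1" and body.startswith("Hosts:"):
            findings.append(Finding(sec, "hosts file override; confirm it is intentional", line))
        elif sec == "O3" and body.endswith("(file missing)"):
            findings.append(Finding(sec, "toolbar registered but its DLL is gone; dead entry", line))
        elif sec == "O4" and body.endswith(".protected"):
            findings.append(Finding(sec, "'.protected' startup item with no visible target", line))
        elif sec == "O4" and GUID_RE.search(body):
            findings.append(Finding(sec, "autostart from a GUID-named folder", line))
        elif sec == "O15":
            findings.append(Finding(sec, "site added to the IE Trusted Zone (not a default)", line))
    return findings


def summarize(findings):
    """Count findings per section, e.g. {'O15': 2, 'O4': 2}."""
    counts = {}
    for f in findings:
        counts[f.section] = counts.get(f.section, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Entries such as the R1 ProxyOverride and the avast! Run line pass through untouched, which is the point: the script narrows a long log down to the lines worth a human look.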

#10 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:05:34 AM

Posted 06 August 2006 - 02:41 PM

Hey there Zen00,

I want to give one more go at deleting the files before we try an alternative.
I think something might be blocking our fix, as the first regedit didn't work.

We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
  • Open Windows Defender.
  • Click on Tools, General Settings.
  • Scroll down and uncheck Turn on real-time protection (recommended).
  • After you uncheck this, click on the Save button and close Windows Defender.
After all of the fixes are complete it is very important that you enable Real-time Protection again.

2) Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\gywmi.dll
C:\WINDOWS\system32\urqqnom.dll
C:\WINDOWS\system32\iqh30f52.dll
C:\WINDOWS\system32\iqh30f52.sys
C:\WINDOWS\system32\mljjg.dll
C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}\update.exe
C:\WINDOWS\system32\ddcbbab.dll


Open 'File' in the Killbox menu on top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and asks if you would like to Reboot now, click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if any appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

3) Please open Notepad and copy and paste the next bold text in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=-

Save this as "fix.reg", choose to save as *all files, and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

4) Find and delete this folder:
C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}

5) Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB58.dll (file missing)
O4 - Startup: .protected
O4 - Global Startup: .protected
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

6) Open Notepad and copy and paste the next text in it:

rem look.bat: collect the installed-programs list and the newest folders in the usual install locations
if exist %systemdrive%\look.txt del %systemdrive%\look.txt
rem every subkey of the Uninstall key, one per installed program
reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall" >> %systemdrive%\look.txt
cd\
rem directories only (/ad), newest first (/o:-d), for each location below
cd %appdata%
dir /ad /o:-d /p >> %systemdrive%\look.txt
cd %allusersprofile%\Application Data
dir /ad /o:-d /p >> %systemdrive%\look.txt
cd %ProgramFiles%
dir /ad /o:-d /p >> %systemdrive%\look.txt
cd %ProgramFiles%\Common Files
dir /ad /o:-d /p >> %systemdrive%\look.txt
rem open the collected output for copying into the reply
start notepad %systemdrive%\look.txt

Save this as look.bat
Choose to save as all files.
Double-click look.bat and copy the contents of the text file that opens back here.

Please post back with a new Hijackthis log, Combofix and the look.bat output.
David

Edited by D-Trojanator, 06 August 2006 - 02:42 PM.
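As an added example (not from the thread, Killbox or regedit), here is a Python dry-run reader for a REGEDIT4 file such as the fix.reg above: it lists what merging the file would do, so a fix can be reviewed before it touches the registry. It also re-joins hex: values that continue on the next line after a trailing backslash, as seen in the ComboFix output earlier in the thread. FIX_REG is the fix from the post above, embedded as constructed input.

```python
"""Dry-run reader for REGEDIT4 fix files (added example, not from the thread or any Microsoft tool)."""
import re
from dataclasses import dataclass

# "[KEY]" creates/keeps a key, "[-KEY]" deletes it.
KEY_RE = re.compile(r"^\[(-?)([^\]]+)\]$")
# "Name"=data or @=data; data may be -, "string", dword:..., hex:...
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')

# The fix.reg from the post above, as constructed input for the dry run.
FIX_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=-
"""


@dataclass(frozen=True)
class RegOp:
    action: str  # delete_key | ensure_key | set_value | delete_value
    key: str
    name: str = ""
    data: str = ""


def _join_continuations(lines):
    """Re-join data split over lines with a trailing backslash (hex: values)."""
    out, pending = [], ""
    for line in lines:
        s = line.rstrip()
        if s.endswith("\\"):
            pending += s[:-1].strip()
            continue
        out.append(pending + s.strip() if pending else s)
        pending = ""
    if pending:
        out.append(pending)
    return out


def plan_reg_file(text):
    """Return the operations merging this file would perform, without touching the registry."""
    lines = _join_continuations(text.splitlines())
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header; regedit would refuse the file")
    ops, key = [], None
    for line in lines[1:]:
        s = line.strip()
        if not s or s.startswith(";"):
            continue
        m = KEY_RE.match(s)
        if m:
            key = m.group(2)
            ops.append(RegOp("delete_key" if m.group(1) else "ensure_key", key))
            continue
        if key is None:
            raise ValueError(f"value line before any key: {s}")
        m = VALUE_RE.match(s)
        if not m:
            raise ValueError(f"unparseable line: {s}")
        # Unescape the quoted value name; "@" is the key's default value.
        name = "(Default)" if m.group(2) else m.group(1).replace('\\"', '"').replace("\\\\", "\\")
        data = m.group(3)
        ops.append(RegOp("delete_value", key, name) if data == "-"
                   else RegOp("set_value", key, name, data))
    return ops


def describe(ops):
    """Human-readable plan, one line per operation."""
    words = {"delete_key": "DELETE key", "ensure_key": "create/keep key",
             "set_value": "SET value", "delete_value": "DELETE value"}
    return [f"{words[o.action]} {o.key}"
            + (f" -> {o.name!r}" if o.name else "")
            + (f" = {o.data}" if o.action == "set_value" else "")
            for o in ops]


if __name__ == "__main__":
    print("\n".join(describe(plan_reg_file(FIX_REG))))
```

For the fix above the plan reads: delete the Policies\Explorer\Run key, recreate it empty, then remove the one ShellExecuteHooks value, which is exactly the scope a reviewer wants confirmed before merging.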


#11 Zen00

Zen00
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Gender:Male
  • Location:Missouri
  • Local time:12:34 AM

Posted 06 August 2006 - 10:16 PM

Step One: Ran fine.
Step Two: Got one of those pending prompts, for C:\WINDOWS\system32\ddcbbab.dll I think?
Step Three: Ran fine.
Step Four: Couldn't delete the file, said its contents were in use.
Step Five: The .protecteds still won't die.
Step Six: Ran fine.

Thanks for spending so much time on this stuff for me, I hope that we'll eventually be able to lick this viral stuff. :thumbsup:




! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Ad-Aware SE Personal

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AddressBook

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Shockwave Player

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\AgeOfCastles

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\All ATI Software

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ATC for Battlefield 2_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ATI Display Driver

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\avast!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Azureus

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Backyard Baseball 2001

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BitTorrent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Branding

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BroadJump Client Foundation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CADI

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Call of Duty

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Call of Duty Game of the Year Edition

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CCleaner

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Connection Manager

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative Audio Device Selection

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative MediaSource

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative MediaSource CD-ROM Burner Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative MediaSource Detector

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative MediaSource Go!

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative MediaSource MiniDisc Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative MediaSource Player Skin Pack

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative Music Store Plugin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative Restore Defaults

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Creative WaveStudio

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Device Control

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Diagnostics 4_5

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectAnimation

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DirectDrawEx

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DXM_Runtime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EAX

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\EliteMediaGroupOin

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Empires Demo MP

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Equalizer

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ewidoantispyware4

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fontcore

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Fraps

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Google Desktop

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Gunz

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HijackThis

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HP Photo & Imaging

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\HPExtendedCapabilities

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ICW

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE40

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE4Data

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IE5BAKEX

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ie7beta3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IEData

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield Uninstall Information

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{06F80017-8F98-4C94-B868-52358569FC32}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\InstallShield_{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB873339

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB884016

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885835

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB885836

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB886185

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB887472

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB887742

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB888113

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB888302

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890046

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB890859

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB891781

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893756

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893803

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB893803v2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB894391

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896358

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896422

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896423

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896424

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB896428

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB898461

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB899587

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB899589

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB899591

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB900485

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB900725

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB901017

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB901214

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB902400

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB904706

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB904942

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB905414

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB905749

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB908519

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB908531

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB910437

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB911280

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB911562

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB911564

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB911567

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB911927

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB912919

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB913580

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB914388

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB914389

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB914440

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB915865

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB916281

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB916595

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB917159

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB917283.T1_1ToU93_1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB917344

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB917734_WMP10

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB917953

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\KB918439

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft .NET Framework 2.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MobileOptionPack

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Monopoly 3

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MPlayer2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-Beta2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-KB884016

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30-RC2

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI30a-KB884016

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-Beta

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MSI31-RC1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MsJavaVM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Nero - Burning Rom!UninstallKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NeroMultiInstaller!UninstallKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NeroVision!UninstallKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NetMeeting

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NMPUninstallKey

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\OutlookExpress

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Panda ActiveScan

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PCHealth

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Risk II

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Roguescanfix_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBC Self Support Tool

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBC Yahoo! Applications

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SBC.MCCInstall

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SchedulingAgent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SFBM

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Shockwave

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ShockwaveFlash

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Simtowerv1.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Smart Recorder

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sound Blaster Audigy

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Sound Blaster Audigy Windows Drivers

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SPEAKER

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Spybot - Search & Destroy_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Steam

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SURMIXER

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SysInfo

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Teamspeak 2 RC2_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Theme Park World

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WgaNotify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Media Format Runtime

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Windows Media Player

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinGimp-2.0_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinGTK-2_is1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinZip

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Xfire

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Yahoo! Toolbar

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{04858915-9F49-4B2A-AED4-DC49A7DE6A7B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{06F80017-8F98-4C94-B868-52358569FC32}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{076A6FD8-EE45-4A83-B3C9-C7C34E7CAFDD}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0AD84416-63A4-4CF3-BDDF-8FA866711FB0}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0B095086-7205-4D48-90DF-DCD16613C6D4}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0BEDBD4E-2D34-47B5-9973-57E62B29307C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{0DC86BEC-5CE3-413A-BB61-C40A3D186B24}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{103BCDA0-E063-46AC-8028-64E78722ABA7}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{14BEB6DF-A499-4A38-8E06-E173BCD5C087}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{17293791-C82E-476C-9997-9A0FF234A19B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{181821B7-82AA-44DA-9DAF-EF254CCB670A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1AD5F465-8282-4DAD-B957-E09C0B783D18}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B1DDAD2-C704-49F8-8FC2-18DAAD9A87C5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{1B680FBA-E317-4E93-AF43-3B59798A4BE0}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{20FBC0A0-3160-4F14-83ED-3A74BB6B8C31}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2318C2B1-4965-11d4-9B18-009027A5CD4F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2616B36E-38CE-4357-8AB5-8B3EE9B1C117}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{272EC8BA-5A08-4ea1-A189-684466A06B02}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2E0C1913-886B-4C5C-8DAF-D1E649CE5FCC}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{2E8428AD-6CD2-4031-916A-3CF9BBF2DEC9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3248F0A8-6813-11D6-A77B-00B0D0150060}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{32B4B536-4443-42F0-9676-98373BE9114F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{342C7C88-D335-4bc2-8CF1-281857629CE2}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{34EBD418-B8E6-4E86-89C4-33B72CF5663F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3762DB2D-71BD-421F-9E55-C74DA7DF4D07}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{391E18CE-7D3B-45E9-A8F0-34E77F14F47A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3947442A-1409-45fc-A885-FB1CF937675D}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3EA9D975-BFDC-4E8E-B88B-0446FBC8CA66}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{442BE28B-782B-4DC0-B490-E70A403B1C69}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4F41AD68-89F2-4262-A32C-2F70B01FCE9E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{50D4CB89-AF34-4978-96DC-C3034062E901}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{52338F65-A1C3-4CDC-B733-50051682B297}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{569A9538-86EC-44C3-8EE4-C68B165F2A75}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5B17E626-7885-4FC3-A66A-73548A4F01FD}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5CDDF96A-BC34-4D72-9ABA-E1FFF0C39977}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{5E8D588F-307C-4250-B622-26969027319A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{63A317D0-60A6-43FC-848A-9FE4A53B29CE}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{644D04A2-C682-4FD5-977D-03B804C4B9C5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{646A65DD-23FC-418E-B9F0-E0500FB42CB1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{64FC0C98-B035-4530-B15D-3D30610B6DF1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{655CB07D-C944-40BE-B93F-55957CAC7625}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{68963635-14A4-48D9-B431-DF3A74D1AAE1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6C5930D1-E4BC-4A10-AB5A-224C48CBA7E6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{6FCF73B3-E810-442C-A013-4456DBC2C2FE}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{700932B3-A964-4878-82A2-96054622A1F7}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{700A6597-3CE6-49C1-AA75-846B24CDA66D}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7131646D-CD3C-40F4-97B9-CD9E4E6262EF}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{724517BD-1DE1-4986-BFCA-C1DFD379E3BC}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{73919E2B-725C-4FAA-8473-45E063A3575F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{789289CA-F73A-4A16-A331-54D498CE069F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7AD25C9F-9957-4D1C-95EF-9BCD09F6D31B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7AFFF09F-386B-4F7A-B3E0-EC24C13893AA}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{7B9CC60A-9B81-46A3-A953-76B6BF9EEC97}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{836612F0-1571-4C65-A4B7-58A39AA578EE}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{84CDF5A8-1D57-4B69-BAB6-1F11D8923375}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{84F573D3-0F71-4768-978A-D35310E3FBA6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{85CFD253-38AE-4DB1-ACB7-F0F4C791990D}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{85DD724B-15E5-4572-81BF-CF9031D83848}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8777AC6D-89F9-4793-8266-DE406F343E89}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8A3F2ADE-DEF2-4A50-866A-6B9357B5590F}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8BC3B99B-A6BE-4A0B-8535-B1B94BA4B1B1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{8C3727F2-8E37-49E4-820C-03B1677F53B6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{9194237B-7B58-40B4-A739-184AD59531A2}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A07BAED2-DA9A-436A-83F1-80BA23FA9E4B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5B9D22C-755A-4AC6-9904-875E80838BB6}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A5CC2A09-E9D3-49EC-923D-03874BBD4C2C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{A82F10CB-18B5-4EAC-AEF2-FA49CD565626}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2D7CE29-614A-4ACC-8BFE-009EB3A244C9}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B911B811-BA3E-46D4-90F8-6F3338359651}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD29EBAC-AD7D-4b27-B727-4CC6AC52D36B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{BD6928A2-9F8F-4AA7-9A3A-FD4A271712EE}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C21D5524-A970-42FA-AC8A-59B8C7CDCA31}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C30C5DEF-9BB0-4E2A-AFE2-B5844FE4485A}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C950420B-4182-49EA-850A-A6A2ABF06C6B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CB99E420-8071-48F9-9567-4A53BE7569C4}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CDFCF124-115F-4976-8BF4-08C89187A146}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{CE0C8CC5-E396-442B-A50E-D1D374A9E820}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DAAC5938-8026-4D0C-A476-D1954917B7F5}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DDDD0C4B-57F7-4A85-ACF0-DB3FC8F1DBB4}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DE4A4C48-2232-4CCB-AD61-490ACD29BA85}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{DE66E6E1-BFBC-4586-A03C-686598F4CA3C}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E8650C8D-CCB2-496E-816C-ECC54A7EE411}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FB08F381-6533-4108-B7DD-039E11FBC27E}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{FC22D020-3005-4715-8DF9-F3EDE81DEB3D}
Volume in drive C has no label.
Volume Serial Number is B886-F5A2

Directory of C:\Documents and Settings\Grant\Application Data

08/05/2006 12:24 AM <DIR> ..
08/05/2006 12:24 AM <DIR> .
07/30/2006 01:51 PM <DIR> Ahead
07/28/2006 02:54 PM <DIR> Lavasoft
07/28/2006 10:49 AM <DIR> Sun
07/23/2006 11:16 PM <DIR> Microsoft
07/16/2006 10:22 PM <DIR> ScanSoft
07/12/2006 10:27 PM <DIR> Macromedia
07/05/2006 12:06 AM <DIR> Ventrilo
06/23/2006 08:22 PM <DIR> Motive
06/19/2006 01:38 PM <DIR> teamspeak2
06/19/2006 01:38 PM <DIR> Xfire
06/18/2006 08:16 PM <DIR> Yahoo!
06/18/2006 06:16 PM <DIR> ATI
0 File(s) 0 bytes
14 Dir(s) 32,923,885,568 bytes free
Volume in drive C has no label.
Volume Serial Number is B886-F5A2

Directory of C:\Documents and Settings\All Users\Application Data

08/03/2006 07:56 PM <DIR> Spybot - Search & Destroy
08/03/2006 03:39 PM <DIR> ..
08/03/2006 03:39 PM <DIR> .
07/30/2006 06:22 PM <DIR> Trymedia
07/28/2006 04:40 PM <DIR> STOPzilla!
07/28/2006 03:00 PM <DIR> Microsoft
07/16/2006 10:27 PM <DIR> InstallShield
07/16/2006 10:18 PM <DIR> ScanSoft
07/14/2006 03:37 AM <DIR> Apple Computer
07/09/2006 11:26 AM <DIR> HP
07/02/2006 04:52 PM <DIR> PopCap
06/30/2006 09:07 AM <DIR> Windows Genuine Advantage
06/18/2006 08:17 PM <DIR> Yahoo! Companion
06/18/2006 08:15 PM <DIR> Motive
06/18/2006 08:11 PM <DIR> yahoo!
06/18/2006 06:20 PM <DIR> Ahead
0 File(s) 0 bytes
16 Dir(s) 32,923,885,568 bytes free
Volume in drive C has no label.
Volume Serial Number is B886-F5A2

Directory of C:\Program Files

08/06/2006 08:20 PM <DIR> Steam
08/06/2006 07:33 PM <DIR> Warcraft III
08/06/2006 05:20 PM <DIR> InetGet2
08/06/2006 05:11 PM <DIR> ..
08/06/2006 05:11 PM <DIR> .
08/06/2006 03:45 PM <DIR> Lineage II
08/06/2006 12:29 PM <DIR> ewido anti-spyware 4.0
08/05/2006 07:54 PM <DIR> Warsow
08/05/2006 02:50 PM <DIR> VentSrv
08/05/2006 12:25 AM <DIR> Common Files
08/04/2006 01:17 PM <DIR> Alwil Software
08/04/2006 10:50 AM <DIR> Call of Duty Game of the Year Edition
08/03/2006 07:57 PM <DIR> Spybot - Search & Destroy
08/03/2006 04:34 PM <DIR> America's Army Server Manager
08/03/2006 04:11 PM <DIR> Internet Explorer
08/03/2006 03:35 PM <DIR> HijackThis
08/03/2006 02:33 PM <DIR> Roguescanfix
08/03/2006 08:26 AM <DIR> Xfire
08/02/2006 09:37 PM <DIR> License_Manager
08/01/2006 11:40 AM <DIR> Activision
07/30/2006 09:36 PM <DIR> InstallShield Installation Information
07/30/2006 06:20 PM <DIR> Microprose
07/30/2006 01:43 PM <DIR> Photo Story 3 for Windows
07/29/2006 09:20 PM <DIR> MAIET
07/28/2006 10:06 PM <DIR> Shockwave.com
07/28/2006 03:00 PM <DIR> Windows Defender
07/28/2006 02:54 PM <DIR> Lavasoft
07/26/2006 11:18 AM <DIR> microsoft frontpage
07/26/2006 10:55 AM <DIR> Azureus
07/26/2006 10:50 AM <DIR> Java
07/26/2006 10:37 AM <DIR> BitTorrent
07/22/2006 02:46 PM <DIR> Sony
07/16/2006 10:11 PM <DIR> ScanSoft
07/15/2006 09:32 PM <DIR> Foolish Entertainment
07/15/2006 08:07 PM <DIR> America's Army
07/15/2006 06:54 PM <DIR> EA GAMES
07/14/2006 11:07 PM <DIR> WinZip
07/14/2006 03:37 AM <DIR> QuickTime
07/09/2006 08:23 PM <DIR> WinRAR
07/09/2006 11:31 AM <DIR> GIMP-2.0
07/09/2006 11:26 AM <DIR> HP
07/09/2006 11:23 AM <DIR> Hewlett-Packard
07/08/2006 01:10 AM <DIR> CCleaner
07/07/2006 07:48 AM <DIR> Infogrames Interactive
07/06/2006 06:33 PM <DIR> Ventrilo
07/05/2006 07:38 PM <DIR> GameSpy Arcade
07/03/2006 02:29 PM <DIR> Firefly Studios
07/02/2006 07:33 PM <DIR> Anarchy
06/26/2006 06:53 PM <DIR> Microsoft Games
06/25/2006 04:32 PM <DIR> SimTheme Park
06/21/2006 01:15 PM <DIR> SBC Self Support Tool
06/20/2006 12:57 PM <DIR> MSN
06/19/2006 09:41 PM <DIR> Messenger
06/19/2006 09:41 PM <DIR> Windows Media Player
06/19/2006 09:39 PM <DIR> Outlook Express
06/19/2006 11:28 AM <DIR> Teamspeak2_RC2
06/19/2006 07:14 AM <DIR> Google
06/18/2006 09:20 PM <DIR> Creative
06/18/2006 08:16 PM <DIR> Yahoo!
06/18/2006 07:54 PM <DIR> BroadJump
06/18/2006 06:22 PM <DIR> Ahead
06/18/2006 06:15 PM <DIR> ATI Technologies
06/18/2006 06:08 PM <DIR> Realtek Sound Manager
06/18/2006 06:08 PM <DIR> AvRack
06/18/2006 06:07 PM <DIR> Marvell
06/18/2006 06:05 PM <DIR> Intel
06/18/2006 05:46 PM <DIR> Uninstall Information
06/18/2006 05:41 PM <DIR> xerox
06/18/2006 05:40 PM <DIR> WindowsUpdate
06/18/2006 05:40 PM <DIR> Online Services
06/18/2006 05:39 PM <DIR> NetMeeting
06/18/2006 05:38 PM <DIR> Movie Maker
06/18/2006 05:37 PM <DIR> ComPlus Applications
06/18/2006 05:37 PM <DIR> MSN Gaming Zone
06/18/2006 05:37 PM <DIR> Windows NT
0 File(s) 0 bytes
75 Dir(s) 32,923,881,472 bytes free
Volume in drive C has no label.
Volume Serial Number is B886-F5A2

Directory of C:\Program Files\Common Files

08/05/2006 12:25 AM <DIR> ..
08/05/2006 12:25 AM <DIR> .
08/03/2006 07:14 PM <DIR> {B886F5A2-0A77-1033-0307-050308140001}
07/30/2006 06:18 PM <DIR> Wise Installation Wizard
07/30/2006 01:43 PM <DIR> Microsoft Shared
07/28/2006 03:12 PM <DIR> Companion Wizard
07/26/2006 10:47 AM <DIR> Java
07/16/2006 10:18 PM <DIR> Scansoft Shared
07/16/2006 10:18 PM <DIR> InstallShield
07/09/2006 11:25 AM <DIR> HP
07/09/2006 11:22 AM <DIR> Hewlett-Packard
06/21/2006 01:15 PM <DIR> Motive
06/20/2006 09:45 AM <DIR> GTK
06/19/2006 09:39 PM <DIR> System
06/18/2006 06:21 PM <DIR> Nero
06/18/2006 06:20 PM <DIR> Ahead
06/18/2006 05:39 PM <DIR> Services
06/18/2006 05:39 PM <DIR> MSSoap
06/18/2006 12:29 PM <DIR> ODBC
06/18/2006 12:29 PM <DIR> SpeechEngines
0 File(s) 0 bytes
20 Dir(s) 32,923,869,184 bytes free

Logfile of HijackThis v1.99.1
Scan saved at 10:10:34 PM, on 8/6/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}\Update.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O1 - Hosts: 69.60.124.19 L2authd.lineage2.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Start Time= Sun 08/06/2006 22:11:08.28
Running from: C:\Downloads

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-06 17:11:46 ( .D... ) "C:\Program Files\InetGet2"
2006-08-05 19:51:26 ( .D... ) "C:\Program Files\Warsow"
2006-08-04 13:17:42 ( .D... ) "C:\Program Files\Alwil Software"
2006-08-04 13:07:50 125 ( ..... ) "C:\WINDOWS\gywmi.dll"
2006-08-03 19:17:48 175362 ( ..... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"
2006-08-03 19:14:38 40973 ( ..... ) "C:\WINDOWS\system32\urqqnom.dll"
2006-08-03 15:35:36 ( .D... ) "C:\Program Files\HijackThis"
2006-08-03 15:27:50 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-08-03 14:32:18 ( .D... ) "C:\Program Files\Roguescanfix"
2006-08-03 12:46:50 ( .D... ) "C:\Program Files\Steam"
2006-08-02 19:34:28 61952 ( ..... ) "C:\WINDOWS\system32\iqh30f52.dll"
2006-08-02 19:34:28 1167 ( ..... ) "C:\WINDOWS\system32\iqh30f52.sys"
2006-08-02 19:34:28 1167 ( ..... ) "C:\WINDOWS\system32\iqh30f52.sys"
2006-08-02 19:08:32 ( .D... ) "C:\Program Files\License_Manager"
2006-08-01 11:40:50 ( .D... ) "C:\Program Files\Activision"
2006-07-30 18:20:38 ( .D... ) "C:\Program Files\Microprose"
2006-07-30 18:19:12 ( .D... ) "C:\Program Files\VentSrv"
2006-07-30 13:51:16 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Ahead"
2006-07-30 13:43:36 ( .D... ) "C:\Program Files\Photo Story 3 for Windows"
2006-07-29 21:20:26 ( .D... ) "C:\Program Files\MAIET"
2006-07-28 15:04:10 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-28 15:00:36 ( .D... ) "C:\Program Files\Windows Defender"
2006-07-28 14:54:26 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Lavasoft"
2006-07-28 14:54:18 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-28 13:42:00 ( .D... ) "C:\Program Files\Common Files\Companion Wizard"
2006-07-28 10:49:12 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Sun"
2006-07-28 09:36:10 573492 ( ..... ) "C:\WINDOWS\system32\mljjg.dll"
2006-07-28 09:24:30 ( .D... ) "C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}"
2006-07-28 09:24:20 40973 ( ..... ) "C:\WINDOWS\system32\ddcbbab.dll"
2006-07-27 21:53:08 ( .D... ) "C:\Program Files\Call of Duty Game of the Year Edition"
2006-07-26 10:49:34 ( .D... ) "C:\Program Files\Java"
2006-07-26 10:47:56 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-26 10:45:46 ( .D... ) "C:\Program Files\Azureus"
2006-07-26 10:36:58 ( .D... ) "C:\Program Files\BitTorrent"
2006-07-22 14:46:44 ( .D... ) "C:\Program Files\Sony"
2006-07-16 22:22:24 ( .D... ) "C:\Documents and Settings\Grant\Application Data\ScanSoft"
2006-07-16 22:18:58 ( .D... ) "C:\Program Files\Common Files\Scansoft Shared"
2006-07-16 22:11:58 ( .D... ) "C:\Program Files\ScanSoft"
2006-07-16 10:17:54 ( .D... ) "C:\Program Files\Shockwave.com"
2006-07-15 21:32:08 ( .D... ) "C:\Program Files\Foolish Entertainment"
2006-07-14 03:33:36 ( .D... ) "C:\Program Files\QuickTime"
2006-07-09 20:23:12 ( .D... ) "C:\Program Files\WinRAR"
2006-07-09 11:25:04 ( .D... ) "C:\Program Files\Common Files\HP"
2006-07-09 11:23:08 ( .D... ) "C:\Program Files\Hewlett-Packard"
2006-07-09 11:22:26 ( .D... ) "C:\Program Files\Common Files\Hewlett-Packard"
2006-07-09 11:17:50 ( .D... ) "C:\Program Files\HP"
2006-07-08 01:10:12 ( .D... ) "C:\Program Files\CCleaner"
2006-07-07 07:48:16 ( .D... ) "C:\Program Files\Infogrames Interactive"
2006-07-06 18:33:28 ( .D... ) "C:\Program Files\Ventrilo"
2006-07-06 18:33:18 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2006-07-05 19:38:02 ( .D... ) "C:\Program Files\GameSpy Arcade"
2006-07-05 19:35:14 ( .D... ) "C:\Program Files\America's Army Server Manager"
2006-07-05 19:31:56 ( .D... ) "C:\Program Files\America's Army"
2006-07-04 23:55:46 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Ventrilo"
2006-07-04 23:52:10 ( .D... ) "C:\Program Files\Lineage II"
2006-07-03 14:29:06 ( .D... ) "C:\Program Files\Firefly Studios"
2006-07-02 19:34:00 ( .D... ) "C:\Program Files\Anarchy"
2006-06-26 18:53:14 ( .D... ) "C:\Program Files\Microsoft Games"
2006-06-25 16:30:34 ( .D... ) "C:\Program Files\SimTheme Park"
2006-06-23 20:23:00 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Motive"
2006-06-23 09:28:56 5512704 ( ..... ) "C:\WINDOWS\system32\ieframe.dll"
2006-06-23 09:28:56 454144 ( ..... ) "C:\WINDOWS\system32\msfeeds.dll"
2006-06-23 09:28:56 413696 ( A.... ) "C:\WINDOWS\system32\vbscript.dll"
2006-06-23 09:28:56 223744 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
2006-06-23 09:28:56 179200 ( ..... ) "C:\WINDOWS\system32\ieui.dll"
2006-06-23 09:28:56 155648 ( A.... ) "C:\WINDOWS\system32\msls31.dll"
2006-06-23 09:28:56 47616 ( ..... ) "C:\WINDOWS\system32\msfeedsbs.dll"
2006-06-23 05:41:42 172544 ( ..... ) "C:\WINDOWS\system32\WinFXDocObj.exe"
2006-06-23 05:40:44 78848 ( A.... ) "C:\WINDOWS\system32\ieencode.dll"
2006-06-23 05:40:04 40960 ( A.... ) "C:\WINDOWS\system32\url.dll"
2006-06-23 05:39:52 39424 ( A.... ) "C:\WINDOWS\system32\licmgr10.dll"
2006-06-23 05:39:08 99328 ( A.... ) "C:\WINDOWS\system32\occache.dll"
2006-06-23 05:37:18 14336 ( A.... ) "C:\WINDOWS\system32\corpol.dll"
2006-06-23 05:34:30 228864 ( A.... ) "C:\WINDOWS\system32\ieaksie.dll"
2006-06-23 05:34:16 167936 ( A.... ) "C:\WINDOWS\system32\ieakeng.dll"
2006-06-23 05:34:06 81920 ( A.... ) "C:\WINDOWS\system32\admparse.dll"
2006-06-23 05:34:06 50688 ( A.... ) "C:\WINDOWS\system32\ie4uinit.exe"
2006-06-23 05:34:02 372736 ( A.... ) "C:\WINDOWS\system32\iedkcs32.dll"
2006-06-23 05:33:42 54272 ( A.... ) "C:\WINDOWS\system32\iesetup.dll"
2006-06-23 05:33:22 41984 ( A.... ) "C:\WINDOWS\system32\iernonce.dll"
2006-06-23 05:33:00 121856 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
2006-06-23 05:30:22 11776 ( ..... ) "C:\WINDOWS\system32\msfeedssync.exe"
2006-06-23 05:29:56 55296 ( ..... ) "C:\WINDOWS\system32\icardie.dll"
2006-06-23 05:29:22 35328 ( A.... ) "C:\WINDOWS\system32\imgutil.dll"
2006-06-23 05:27:56 251392 ( ..... ) "C:\WINDOWS\system32\iertutil.dll"
2006-06-23 05:26:52 45568 ( A.... ) "C:\WINDOWS\system32\mshta.exe"
2006-06-23 04:46:30 377856 ( ..... ) "C:\WINDOWS\system32\ieapfltr.dll"
2006-06-23 04:45:30 48640 ( A.... ) "C:\WINDOWS\system32\mshtmler.dll"
2006-06-23 04:41:42 172032 ( A.... ) "C:\WINDOWS\system32\ieakui.dll"
2006-06-20 10:29:30 139264 ( A.... ) "C:\WINDOWS\War3Unin.exe"
2006-06-20 09:46:40 ( .D... ) "C:\Program Files\GIMP-2.0"
2006-06-20 09:46:00 ( .D... ) "C:\Program Files\Common Files\GTK"
2006-06-20 09:31:24 ( .D... ) "C:\Program Files\Warcraft III"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-19 15:18:34 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"
2006-06-19 15:18:16 23552 ( ..... ) "C:\WINDOWS\system32\idndl.dll"
2006-06-19 15:18:16 20480 ( ..... ) "C:\WINDOWS\system32\normaliz.dll"
2006-06-19 13:38:26 ( .D... ) "C:\Documents and Settings\Grant\Application Data\teamspeak2"
2006-06-19 13:38:08 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Xfire"
2006-06-19 11:45:50 ( .DS.. ) "C:\Program Files\Xfire"
2006-06-19 11:28:08 ( .D... ) "C:\Program Files\Teamspeak2_RC2"
2006-06-18 21:10:34 ( .D... ) "C:\Program Files\Creative"
2006-06-18 20:52:06 ( .D... ) "C:\Program Files\Google"
2006-06-18 20:52:04 ( .D... ) "C:\Program Files\WinZip"
2006-06-18 20:16:42 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Macromedia"
2006-06-18 20:16:20 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Yahoo!"
2006-06-18 20:15:28 ( .D... ) "C:\Program Files\Common Files\Motive"
2006-06-18 20:15:18 ( .D... ) "C:\Program Files\SBC Self Support Tool"
2006-06-18 19:57:38 ( .D... ) "C:\Program Files\Yahoo!"
2006-06-18 19:54:58 ( .D... ) "C:\Program Files\BroadJump"
2006-06-18 18:29:48 ( .D... ) "C:\Program Files\EA GAMES"
2006-06-18 18:21:30 ( .D... ) "C:\Program Files\Common Files\Nero"
2006-06-18 18:20:30 ( .D... ) "C:\Program Files\Common Files\Ahead"
2006-06-18 18:20:28 ( .D... ) "C:\Program Files\Ahead"
2006-06-18 18:16:50 ( .D... ) "C:\Documents and Settings\Grant\Application Data\ATI"
2006-06-18 18:12:18 ( .D... ) "C:\Program Files\ATI Technologies"
2006-06-18 18:08:50 ( .D... ) "C:\Program Files\Realtek Sound Manager"
2006-06-18 18:08:48 ( .D... ) "C:\Program Files\AvRack"
2006-06-18 18:07:34 ( .D... ) "C:\Program Files\Marvell"
2006-06-18 18:05:48 ( .D... ) "C:\Program Files\Intel"
2006-06-18 18:05:06 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-06-18 18:05:02 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-06-18 17:46:50 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-06-18 17:46:44 ( .DS.. ) "C:\Documents and Settings\Grant\Application Data\Microsoft"
2006-06-18 17:41:48 ( .D... ) "C:\Program Files\xerox"
20
This space will eventually have something very cool to fill it up, but not right now.

#12 -David-

-David-

  • Members
  • 10,603 posts
  • OFFLINE
  • Gender:Male
  • Location:London
  • Local time:05:34 AM

Posted 07 August 2006 - 04:08 AM

OK, let's try a different method.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print-out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) Please set your system to show all files.
Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

2) Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

3) C:\WINDOWS\gywmi.dll
C:\WINDOWS\system32\urqqnom.dll
C:\WINDOWS\system32\iqh30f52.dll
C:\WINDOWS\system32\iqh30f52.sys
C:\WINDOWS\system32\mljjg.dll
C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}\update.exe
C:\WINDOWS\system32\ddcbbab.dll
C:\WINDOWS\.protected
C:\Documents and Settings\Grant\Start Menu\Programs\Startup\.protected
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\.protected

4) Then, whilst still in safe mode delete this folder:
C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}

5) Whilst still in safe mode, please open Notepad and copy and paste the next bold text into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

Save this as "fix.reg". Choose to save as "all files" and place it on your desktop.
It should look like this: [image]
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

6) Reboot back to normal mode and click on Start, then Control Panel, and then double-click on Add/Remove Programs. From within Add/Remove Programs, uninstall the following if they exist by double-clicking on the entries:

EliteMediaGroupOin

7) Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

O4 - Startup: .protected
O4 - Global Startup: .protected


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Post back with a new Hijackthis log and combofix log.
David
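The triage David did by eye on the logs above (new files under C:\WINDOWS in the Find3M report, a process running from a freshly created folder under Common Files, and the `.protected` startup items) can be mechanised. The Python below is an added example written for this page; it is not HijackThis, ComboFix or anything David or Zen00 ran. It assumes the Find3M line layout and the HijackThis "Running processes:" block (ended by a blank line) exactly as they appear in the posts above, takes the scan time from the report's "Start Time=" line, and uses a constructed ten-day window; the sample data is a subset of the posted logs.

```python
"""Triage helpers for a HijackThis v1.99 log and a Find3M report: an added example
for this thread, not part of HijackThis, ComboFix or any tool the helper used.  It
mechanises what a log reader does by eye; every hit is a lead, not a verdict."""
import ntpath
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Find3M line: date time [size] ( attrs ) "path"; size is absent for folders and
# attrs is a five-column flag field such as .D.H. (D=directory, H=hidden).
FIND3M_RE = re.compile(
    r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: (\d+))? \( ([A-Z.]{5}) \) "(.*)"$')
HJT_RE = re.compile(r"^([RFO]\d+) - (.*)$")  # e.g. "O4 - HKLM\..\Run: [name] cmd"
# O4 body '<location>: [<name>] <command>': launcher = first quoted or bare token
O4_RE = re.compile(r'^[^:]+: (?:\[[^\]]*\] )?(?:"([^"]+)"|(\S+))')
EXE_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif", ".vbs", ".js"}
Entry = namedtuple("Entry", "when size attrs path")

def parse_find3m(text):
    """Parse the dated lines of a Find3M report; any other line is skipped."""
    return [Entry(datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
                  int(m.group(2)) if m.group(2) else None, m.group(3), m.group(4))
            for m in map(FIND3M_RE.match, map(str.strip, text.splitlines())) if m]

def _under(path, root):
    """Case-insensitive test that a Windows path is root or lies inside it."""
    p, r = path.lower(), root.lower().rstrip("\\")
    return p == r or p.startswith(r + "\\")

def recent_files(entries, root, scan_time, max_age_days):
    """Regular files under root stamped within max_age_days before the scan."""
    cutoff = scan_time - timedelta(days=max_age_days)
    return [e.path for e in entries
            if "D" not in e.attrs and e.when >= cutoff and _under(e.path, root)]

def parse_hjt(text):
    """Return (running_processes, [(code, body), ...]) from a HijackThis log."""
    procs, items, in_procs = [], [], False
    for line in map(str.strip, text.splitlines()):
        if line == "Running processes:":
            in_procs = True
        elif not line:          # a blank line ends the process list
            in_procs = False
        elif in_procs:
            procs.append(line)
        elif m := HJT_RE.match(line):
            items.append((m.group(1), m.group(2)))
    return procs, items

def processes_from_recent_dirs(procs, entries, scan_time, max_age_days):
    """Running processes whose folder (or a parent of it) was created recently."""
    cutoff = scan_time - timedelta(days=max_age_days)
    new_dirs = [e.path for e in entries if "D" in e.attrs and e.when >= cutoff]
    return [p for p in procs if any(_under(ntpath.dirname(p), d) for d in new_dirs)]

def flag_startup_items(items):
    """O4 entries whose launcher has no executable extension, as (body, launcher):
    dot-files such as '.protected', and bare hosts such as 'Rundll32 x.dll,...'
    where the DLL is named rather than pathed and so resolved via the search path."""
    hits = []
    for code, body in items:
        m = O4_RE.match(body) if code == "O4" else None
        if m:
            launcher = m.group(1) or m.group(2)
            if ntpath.splitext(ntpath.basename(launcher))[1].lower() not in EXE_EXTS:
                hits.append((body, launcher))
    return hits

# Constructed samples: subsets of the Find3M report and HijackThis log posted above.
FIND3M_SAMPLE = r'''
2006-08-04 13:17:42 ( .D... ) "C:\Program Files\Alwil Software"
2006-08-04 13:07:50 125 ( ..... ) "C:\WINDOWS\gywmi.dll"
2006-08-03 19:14:38 40973 ( ..... ) "C:\WINDOWS\system32\urqqnom.dll"
2006-08-02 19:34:28 61952 ( ..... ) "C:\WINDOWS\system32\iqh30f52.dll"
2006-07-28 09:36:10 573492 ( ..... ) "C:\WINDOWS\system32\mljjg.dll"
2006-07-28 09:24:30 ( .D... ) "C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}"
2006-07-28 09:24:20 40973 ( ..... ) "C:\WINDOWS\system32\ddcbbab.dll"
2006-07-26 10:49:34 ( .D... ) "C:\Program Files\Java"
2006-06-23 09:28:56 5512704 ( ..... ) "C:\WINDOWS\system32\ieframe.dll"
'''
HJT_SAMPLE = r'''
Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\{B886F5A2-0A77-1033-0307-050308140001}\Update.exe
C:\Hijackthis\HijackThis.exe

O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: .protected
O4 - Global Startup: .protected
'''
SCAN_TIME = datetime(2006, 8, 6, 22, 11, 8)  # the report's "Start Time=" line
if __name__ == "__main__":
    entries, (procs, items) = parse_find3m(FIND3M_SAMPLE), parse_hjt(HJT_SAMPLE)
    print(recent_files(entries, r"C:\WINDOWS", SCAN_TIME, 10))
    print(processes_from_recent_dirs(procs, entries, SCAN_TIME, 10))
    print(flag_startup_items(items))
```

Each function returns a list so the result can be checked rather than eyeballed. Note that avast's ashServ.exe is reported next to Update.exe because it, too, runs from a folder created inside the window, and the Rundll32 entry is flagged only because its DLL is named rather than pathed. Hits are leads to look up, which is why a list like this still needs a reader who knows which entries are normal for the machine.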

#13 Zen00

Zen00
  • Topic Starter

  • Members
  • 80 posts
  • OFFLINE
  • Gender:Male
  • Location:Missouri
  • Local time:12:34 AM

Posted 10 August 2006 - 11:02 AM

The only step I had problems with was number 3 (some clarification on what to do with the files might be needed, though I figured you wanted them deleted). As it is, these files wouldn't delete, and I couldn't find the .protected in the Windows folder.

C:\WINDOWS\system32\urqqnom.dll
C:\WINDOWS\system32\ddcbbab.dll
C:\WINDOWS\.protected

Anyway, everything else went well.


Logfile of HijackThis v1.99.1
Scan saved at 10:54:00 AM, on 8/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O1 - Hosts: 69.60.124.19 L2authd.lineage2.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe

Start Time= Thu 08/10/2006 10:55:15.85
Running from: C:\Downloads

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-10 10:45:54 183 ( A.... ) "C:\fix.reg"
2006-08-09 18:05:04 ( .D... ) "C:\Program Files\THQ"
2006-08-09 13:38:32 ( .D... ) "C:\Documents and Settings\Grant\Application Data\IGN_DLM"
2006-08-09 13:38:02 ( .D... ) "C:\Program Files\IGN"
2006-08-08 18:30:54 ( .D... ) "C:\Program Files\coldstorage"
2006-08-08 16:04:42 ( .D... ) "C:\Program Files\BitTorrent"
2006-08-08 13:15:08 ( .D... ) "C:\Documents and Settings\Grant\Application Data\BitTorrent"
2006-08-07 12:46:04 ( .D... ) "C:\Documents and Settings\Grant\Application Data\AdobeUM"
2006-08-07 12:34:14 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Azureus"
2006-08-06 22:27:42 1213 ( A.... ) "C:\Documents and Settings\Grant\Application Data\AdobeDLM.log"
2006-08-06 22:27:42 0 ( A.... ) "C:\Documents and Settings\Grant\Application Data\dm.ini"
2006-08-06 22:27:08 ( .D... ) "C:\Program Files\Adobe"
2006-08-06 22:23:38 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Adobe"
2006-08-06 22:23:34 ( .D... ) "C:\Program Files\Common Files\Adobe"
2006-08-06 17:11:46 ( .D... ) "C:\Program Files\InetGet2"
2006-08-05 19:51:26 ( .D... ) "C:\Program Files\Warsow"
2006-08-04 13:17:42 ( .D... ) "C:\Program Files\Alwil Software"
2006-08-03 19:17:48 175362 ( ..... ) "C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe"
2006-08-03 19:14:38 40973 ( ..... ) "C:\WINDOWS\system32\urqqnom.dll"
2006-08-03 15:35:36 ( .D... ) "C:\Program Files\HijackThis"
2006-08-03 15:27:50 ( .D... ) "C:\Program Files\Spybot - Search & Destroy"
2006-08-03 14:32:18 ( .D... ) "C:\Program Files\Roguescanfix"
2006-08-03 12:46:50 ( .D... ) "C:\Program Files\Steam"
2006-08-02 19:08:32 ( .D... ) "C:\Program Files\License_Manager"
2006-08-01 11:40:50 ( .D... ) "C:\Program Files\Activision"
2006-07-30 18:20:38 ( .D... ) "C:\Program Files\Microprose"
2006-07-30 18:19:12 ( .D... ) "C:\Program Files\VentSrv"
2006-07-30 13:51:16 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Ahead"
2006-07-30 13:43:36 ( .D... ) "C:\Program Files\Photo Story 3 for Windows"
2006-07-29 21:20:26 ( .D... ) "C:\Program Files\MAIET"
2006-07-28 15:04:10 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-28 15:00:36 ( .D... ) "C:\Program Files\Windows Defender"
2006-07-28 14:54:26 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Lavasoft"
2006-07-28 14:54:18 ( .D... ) "C:\Program Files\Lavasoft"
2006-07-28 13:42:00 ( .D... ) "C:\Program Files\Common Files\Companion Wizard"
2006-07-28 10:49:12 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Sun"
2006-07-28 09:36:10 573492 ( ..... ) "C:\WINDOWS\system32\mljjg.dll"
2006-07-27 21:53:08 ( .D... ) "C:\Program Files\Call of Duty Game of the Year Edition"
2006-07-26 10:49:34 ( .D... ) "C:\Program Files\Java"
2006-07-26 10:47:56 ( .D... ) "C:\Program Files\Common Files\Java"
2006-07-26 10:45:46 ( .D... ) "C:\Program Files\Azureus"
2006-07-22 14:46:44 ( .D... ) "C:\Program Files\Sony"
2006-07-16 22:22:24 ( .D... ) "C:\Documents and Settings\Grant\Application Data\ScanSoft"
2006-07-16 22:18:58 ( .D... ) "C:\Program Files\Common Files\Scansoft Shared"
2006-07-16 22:11:58 ( .D... ) "C:\Program Files\ScanSoft"
2006-07-16 10:17:54 ( .D... ) "C:\Program Files\Shockwave.com"
2006-07-15 21:32:08 ( .D... ) "C:\Program Files\Foolish Entertainment"
2006-07-14 10:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-14 03:33:36 ( .D... ) "C:\Program Files\QuickTime"
2006-07-09 20:23:12 ( .D... ) "C:\Program Files\WinRAR"
2006-07-09 11:25:04 ( .D... ) "C:\Program Files\Common Files\HP"
2006-07-09 11:23:08 ( .D... ) "C:\Program Files\Hewlett-Packard"
2006-07-09 11:22:26 ( .D... ) "C:\Program Files\Common Files\Hewlett-Packard"
2006-07-09 11:17:50 ( .D... ) "C:\Program Files\HP"
2006-07-08 01:10:12 ( .D... ) "C:\Program Files\CCleaner"
2006-07-07 07:48:16 ( .D... ) "C:\Program Files\Infogrames Interactive"
2006-07-06 18:33:28 ( .D... ) "C:\Program Files\Ventrilo"
2006-07-06 18:33:18 ( .D... ) "C:\Program Files\Common Files\Wise Installation Wizard"
2006-07-05 19:38:02 ( .D... ) "C:\Program Files\GameSpy Arcade"
2006-07-05 19:35:14 ( .D... ) "C:\Program Files\America's Army Server Manager"
2006-07-05 19:31:56 ( .D... ) "C:\Program Files\America's Army"
2006-07-04 23:55:46 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Ventrilo"
2006-07-04 23:52:10 ( .D... ) "C:\Program Files\Lineage II"
2006-07-03 14:29:06 ( .D... ) "C:\Program Files\Firefly Studios"
2006-07-02 19:34:00 ( .D... ) "C:\Program Files\Anarchy"
2006-06-26 18:53:14 ( .D... ) "C:\Program Files\Microsoft Games"
2006-06-25 16:30:34 ( .D... ) "C:\Program Files\SimTheme Park"
2006-06-23 20:23:00 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Motive"
2006-06-23 09:28:56 5512704 ( ..... ) "C:\WINDOWS\system32\ieframe.dll"
2006-06-23 09:28:56 454144 ( ..... ) "C:\WINDOWS\system32\msfeeds.dll"
2006-06-23 09:28:56 413696 ( A.... ) "C:\WINDOWS\system32\vbscript.dll"
2006-06-23 09:28:56 223744 ( A.... ) "C:\WINDOWS\system32\webcheck.dll"
2006-06-23 09:28:56 179200 ( ..... ) "C:\WINDOWS\system32\ieui.dll"
2006-06-23 09:28:56 155648 ( A.... ) "C:\WINDOWS\system32\msls31.dll"
2006-06-23 09:28:56 47616 ( ..... ) "C:\WINDOWS\system32\msfeedsbs.dll"
2006-06-23 05:41:42 172544 ( ..... ) "C:\WINDOWS\system32\WinFXDocObj.exe"
2006-06-23 05:40:44 78848 ( A.... ) "C:\WINDOWS\system32\ieencode.dll"
2006-06-23 05:40:04 40960 ( A.... ) "C:\WINDOWS\system32\url.dll"
2006-06-23 05:39:52 39424 ( A.... ) "C:\WINDOWS\system32\licmgr10.dll"
2006-06-23 05:39:08 99328 ( A.... ) "C:\WINDOWS\system32\occache.dll"
2006-06-23 05:37:18 14336 ( A.... ) "C:\WINDOWS\system32\corpol.dll"
2006-06-23 05:34:30 228864 ( A.... ) "C:\WINDOWS\system32\ieaksie.dll"
2006-06-23 05:34:16 167936 ( A.... ) "C:\WINDOWS\system32\ieakeng.dll"
2006-06-23 05:34:06 81920 ( A.... ) "C:\WINDOWS\system32\admparse.dll"
2006-06-23 05:34:06 50688 ( A.... ) "C:\WINDOWS\system32\ie4uinit.exe"
2006-06-23 05:34:02 372736 ( A.... ) "C:\WINDOWS\system32\iedkcs32.dll"
2006-06-23 05:33:42 54272 ( A.... ) "C:\WINDOWS\system32\iesetup.dll"
2006-06-23 05:33:22 41984 ( A.... ) "C:\WINDOWS\system32\iernonce.dll"
2006-06-23 05:33:00 121856 ( A.... ) "C:\WINDOWS\system32\advpack.dll"
2006-06-23 05:30:22 11776 ( ..... ) "C:\WINDOWS\system32\msfeedssync.exe"
2006-06-23 05:29:56 55296 ( ..... ) "C:\WINDOWS\system32\icardie.dll"
2006-06-23 05:29:22 35328 ( A.... ) "C:\WINDOWS\system32\imgutil.dll"
2006-06-23 05:27:56 251392 ( ..... ) "C:\WINDOWS\system32\iertutil.dll"
2006-06-23 05:26:52 45568 ( A.... ) "C:\WINDOWS\system32\mshta.exe"
2006-06-23 04:46:30 377856 ( ..... ) "C:\WINDOWS\system32\ieapfltr.dll"
2006-06-23 04:45:30 48640 ( A.... ) "C:\WINDOWS\system32\mshtmler.dll"
2006-06-23 04:41:42 172032 ( A.... ) "C:\WINDOWS\system32\ieakui.dll"
2006-06-20 10:29:30 139264 ( A.... ) "C:\WINDOWS\War3Unin.exe"
2006-06-20 09:46:40 ( .D... ) "C:\Program Files\GIMP-2.0"
2006-06-20 09:46:00 ( .D... ) "C:\Program Files\Common Files\GTK"
2006-06-20 09:31:24 ( .D... ) "C:\Program Files\Warcraft III"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-19 15:18:34 22752 ( A.... ) "C:\WINDOWS\system32\spupdsvc.exe"
2006-06-19 15:18:16 23552 ( ..... ) "C:\WINDOWS\system32\idndl.dll"
2006-06-19 15:18:16 20480 ( ..... ) "C:\WINDOWS\system32\normaliz.dll"
2006-06-19 13:38:26 ( .D... ) "C:\Documents and Settings\Grant\Application Data\teamspeak2"
2006-06-19 13:38:08 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Xfire"
2006-06-19 11:45:50 ( .DS.. ) "C:\Program Files\Xfire"
2006-06-19 11:28:08 ( .D... ) "C:\Program Files\Teamspeak2_RC2"
2006-06-18 21:10:34 ( .D... ) "C:\Program Files\Creative"
2006-06-18 20:52:06 ( .D... ) "C:\Program Files\Google"
2006-06-18 20:52:04 ( .D... ) "C:\Program Files\WinZip"
2006-06-18 20:16:42 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Macromedia"
2006-06-18 20:16:20 ( .D... ) "C:\Documents and Settings\Grant\Application Data\Yahoo!"
2006-06-18 20:15:28 ( .D... ) "C:\Program Files\Common Files\Motive"
2006-06-18 20:15:18 ( .D... ) "C:\Program Files\SBC Self Support Tool"
2006-06-18 19:57:38 ( .D... ) "C:\Program Files\Yahoo!"
2006-06-18 19:54:58 ( .D... ) "C:\Program Files\BroadJump"
2006-06-18 18:29:48 ( .D... ) "C:\Program Files\EA GAMES"
2006-06-18 18:21:30 ( .D... ) "C:\Program Files\Common Files\Nero"
2006-06-18 18:20:30 ( .D... ) "C:\Program Files\Common Files\Ahead"
2006-06-18 18:20:28 ( .D... ) "C:\Program Files\Ahead"
2006-06-18 18:16:50 ( .D... ) "C:\Documents and Settings\Grant\Application Data\ATI"
2006-06-18 18:12:18 ( .D... ) "C:\Program Files\ATI Technologies"
2006-06-18 18:08:50 ( .D... ) "C:\Program Files\Realtek Sound Manager"
2006-06-18 18:08:48 ( .D... ) "C:\Program Files\AvRack"
2006-06-18 18:07:34 ( .D... ) "C:\Program Files\Marvell"
2006-06-18 18:05:48 ( .D... ) "C:\Program Files\Intel"
2006-06-18 18:05:06 ( .D.H. ) "C:\Program Files\InstallShield Installation Information"
2006-06-18 18:05:02 ( .D... ) "C:\Program Files\Common Files\InstallShield"
2006-06-18 17:46:50 ( .D.H. ) "C:\Program Files\Uninstall Information"
2006-06-18 17:46:44 ( .DS.. ) "C:\Documents and Settings\Grant\Application Data\Microsoft"
2006-06-18 17:41:48 ( .D... ) "C:\Program Files\xerox"
2006-06-18 17:41:48 ( .D... ) "C:\Program Files\microsoft frontpage"
2006-06-18 17:41:30 0 ( A.... ) "C:\AUTOEXEC.BAT"
2006-06-18 17:40:10 ( .D.H. ) "C:\Program Files\WindowsUpdate"
2006-06-18 17:39:12 ( .D... ) "C:\Program Files\Common Files\Services"
2006-06-18 17:39:08 ( .D... ) "C:\Program Files\Common Files\MSSoap"
2006-06-18 17:38:56 ( .D... ) "C:\Program Files\Movie Maker"
2006-06-18 17:38:44 ( .D... ) "C:\Program Files\NetMeeting"
2006-06-18 17:38:42 ( .D... ) "C:\Program Files\Outlook Express"
2006-06-18 17:38:30 ( .D... ) "C:\Program Files\Common Files\System"
2006-06-18 17:38:28 ( .D... ) "C:\Program Files\Internet Explorer"
2006-06-18 17:37:58 ( .D... ) "C:\Program Files\ComPlus Applications"
2006-06-18 17:37:46 ( .D... ) "C:\Program Files\Windows Media Player"
2006-06-18 17:37:46 ( .D... ) "C:\Program Files\Online Services"
2006-06-18 17:37:40 ( .D... ) "C:\Program Files\Messenger"
2006-06-18 17:37:36 ( .D... ) "C:\Program Files\MSN Gaming Zone"
2006-06-18 17:36:56 ( .D... ) "C:\Program Files\MSN"
2006-06-18 17:36:54 ( .D... ) "C:\Program Files\Windows NT"
2006-06-18 12:29:40 ( .D... ) "C:\Program Files\Common Files\ODBC"
2006-06-18 12:29:38 ( AD... ) "C:\Program Files\Common Files"
2006-06-18 12:29:38 ( .D... ) "C:\Program Files\Common Files\SpeechEngines"
2006-06-18 12:29:38 ( .D... ) "C:\Program Files\Common Files\Microsoft Shared"
2006-06-18 12:29:10 62 ( A.SH. ) "C:\Documents and Settings\Grant\Application Data\desktop.ini"
2006-06-18 08:54:08 36864 ( A.... ) "C:\WINDOWS\system32\frapsvid.dll"
2006-05-31 07:24:16 230168 ( A.... ) "C:\WINDOWS\system32\xactengine2_2.dll"
2006-05-31 04:02:04 624640 ( A.... ) "C:\WINDOWS\system32\aswBoot.exe"
2006-05-31 03:54:36 90112 ( A.... ) "C:\WINDOWS\system32\AVASTSS.scr"
2006-05-19 07:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-10 10:47 536,399,872 C:\hiberfil.sys
2006-08-10 10:45 183 C:\fix.reg
2006-08-04 14:14 805,306,368 C:\pagefile.sys
2006-08-04 13:17 90,112 C:\WINDOWS\system32\AVASTSS.scr
2006-08-04 13:17 624,640 C:\WINDOWS\system32\aswBoot.exe
2006-08-03 19:14 40,973 C:\WINDOWS\system32\urqqnom.dll
2006-08-03 16:06 117,760 C:\WINDOWS\system32\xmllite.dll
2006-08-03 15:05 73,728 C:\WINDOWS\system32\asuninst.exe
2006-08-03 15:05 11,776 C:\WINDOWS\system32\ZPORT4AS.dll
2006-08-01 11:41 44,544 C:\WINDOWS\system32\msxml4a.dll
2006-07-28 15:14 53,248 C:\WINDOWS\system32\Process.exe
2006-07-28 15:14 42,496 C:\WINDOWS\system32\swreg.exe
2006-07-28 15:14 40,960 C:\WINDOWS\system32\swsc.exe
2006-07-28 15:14 288,417 C:\WINDOWS\system32\SrchSTS.exe
2006-07-28 09:36 573,492 C:\WINDOWS\system32\mljjg.dll
2006-07-28 09:31 8,704 C:\WINDOWS\system32\SpOrder.dll
2006-07-28 09:31 6,144 C:\WINDOWS\system32\stera.exe
2006-07-27 22:46 171,008 C:\WINDOWS\system32\LXAESUI.DLL
2006-07-26 10:50 49,250 C:\WINDOWS\system32\javaw.exe
2006-07-26 10:50 49,248 C:\WINDOWS\system32\java.exe
2006-07-26 10:50 127,078 C:\WINDOWS\system32\javaws.exe
2006-07-09 11:19 94,208 C:\WINDOWS\system32\HPZipt12.dll
2006-07-09 11:19 69,632 C:\WINDOWS\system32\HPZipm12.exe
2006-07-09 11:19 61,440 C:\WINDOWS\system32\HPZinw12.exe
2006-07-09 11:19 57,344 C:\WINDOWS\system32\HPZisn12.dll
2006-07-09 11:19 278,584 C:\WINDOWS\system32\HPZidr12.dll
2006-07-09 11:19 204,800 C:\WINDOWS\system32\HPZipr12.dll
2006-07-08 15:20 62,672 C:\WINDOWS\system32\xinput1_1.dll
2006-07-08 15:20 61,136 C:\WINDOWS\system32\xinput9_1_0.dll
2006-07-08 15:20 230,168 C:\WINDOWS\system32\xactengine2_2.dll
2006-07-08 15:20 230,096 C:\WINDOWS\system32\xactengine2_0.dll
2006-07-08 15:20 229,584 C:\WINDOWS\system32\xactengine2_1.dll
2006-07-08 15:20 2,388,176 C:\WINDOWS\system32\d3dx9_30.dll
2006-07-08 15:20 2,332,368 C:\WINDOWS\system32\d3dx9_29.dll
2006-07-08 15:20 2,323,664 C:\WINDOWS\system32\d3dx9_28.dll
2006-07-08 15:20 2,319,568 C:\WINDOWS\system32\d3dx9_27.dll
2006-07-08 15:20 14,032 C:\WINDOWS\system32\x3daudio1_0.dll
2006-07-07 08:44 4,682 C:\WINDOWS\system32\npptNT2.sys
2006-06-26 19:01 2,297,552 C:\WINDOWS\system32\d3dx9_26.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"BJCFD"="C:\\Program Files\\BroadJump\\Client Foundation\\CFD.exe"
"P17Helper"="Rundll32 P17.dll,P17Helper"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"CTSysVol"="C:\\Program Files\\Creative\\SBAudigy\\Surround Mixer\\CTSysVol.exe /r"
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"Motive SmartBridge"="C:\\PROGRA~1\\SBCSEL~1\\SMARTB~1\\MotiveSB.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"SoundMan"="SOUNDMAN.EXE"
"SSBkgdUpdate"="C:\\Program Files\\Common Files\\Scansoft Shared\\SSBkgdUpdate\\SSBkgdupdate.exe -Embedding -boot"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"YBrowser"="C:\\PROGRA~1\\Yahoo!\\browser\\ybrwicon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Steam"=""
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\AutorunsDisabled]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Yahoo! Pager"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
@=""
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=""

HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system
DisableRegistryTools REG_DWORD 0 (0x0)

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

Completion time: Thu 08/10/2006 10:56:03.50
ComboFix ver 06.07.15/28 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-06.221108.txt
ComboFix.2006-08-10.105515.txt

#14 -David-


Posted 10 August 2006 - 11:13 AM

Hey there, Zen00. :thumbsup:

It looks like we are nearly there now.
These files just need a bit of force to delete them.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print-out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

1) Open hijackthis, click 'config' (bottom right)
Choose the tab 'misc Tools' on top.
Choose 'delete a file on reboot'
In the field, copy and paste next:

C:\WINDOWS\system32\urqqnom.dll

Click open.
Hijackthis will tell you that this file will be deleted on next reboot and if you want to reboot now.
When asked if you want to reboot now, say No.

2) Repeat for the following files. When asked to reboot hit no.
C:\WINDOWS\system32\ddcbbab.dll
C:\WINDOWS\system32\mljjg.dll
C:\Program Files\Common Files\EliteMediaGroupOinUninstaller.exe

After entering the final entry, hit yes to reboot.

3) Please open Notepad and copy and paste the bold text below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{E521797A-22DE-4B46-8B2F-8E98AB77B942}"=-

Save this as "zenfix.reg". Choose to save as *all files and place it on your desktop.
It should look like this: [screenshot not reproduced]
Do not run it yet!!

4) Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into Safe Mode.
Make sure you choose the option without networking support.

5) Please run zenfix.reg.
When it asks you if you want to merge the contents to the registry, click yes/ok.

Delete this folder:
C:\Program Files\InetGet2

6) Reboot back to normal mode.
Clean your Cache and Cookies in IE

Close all instances of Internet Explorer.
Go to your control panel and open "Internet Options".
Click on the "General" tab.
Click the "Delete Cookies" button, then the "Delete Files" button.
When prompted, place a tick in the "Delete all offline content" box and click OK.

Clean your Cache and Cookies in Firefox

Open the firefox browser.
Click on the "tools" button and click on "options".
Click "privacy" in the menu on the left side window.
Open the History, Cookies and Cache tabs individually.
Choose the "clear" button on each.
Click OK to close the Options window

Clean other Temporary files and Empty the Recycle Bin

Go to Start and click on the "Run" button.
Type the following in the box --> cleanmgr and click OK.
Let it scan your system for files to remove.
Make sure only Temporary Files, Temporary Internet Files, and Recycle Bin are checked.
Press OK to remove them.

7) Please download Ad-Aware SE Personal and install it.
If you already have Ad-Aware SE, please configure it as indicated below.
If you have a previous version of Ad-Aware, please uninstall your current version and install the newest version SE 1.06.

Run Ad-Aware, and click Check for updates now.
Select Configurations (click the Gear wheel at the top) as follows:
General Button > Safety & Settings > Check (Green) all three.
Tweak Button > Cleaning Engine > uncheck "Always try to unload modules before deletion".
Click Proceed.

To start the scan, Click > "Scan Now" at left.
Select "Search for low-risk threats".
Select "Perform full system scan".
Click "Next".

When the scan has completed, select Next.
In the Scanning Results window, select the "Critical Objects" tab.
Right-click on the screen and choose "Select all objects".
Click Next to remove the infections found, and click OK to the prompt.
Restart the computer.

Post back with a final Hijackthis log.
Also let me know how the computer is running.
David

Edit --> Added extra files for deletion.

Edited by D-Trojanator, 10 August 2006 - 02:56 PM.


#15 Zen00


Posted 10 August 2006 - 06:12 PM

Thanks, the computer's running fine.


I figured out what was wrong with HijackThis. You know how whenever I'd try to do something other than scan with it, it would shut down? Well, I changed the name of the .exe file and it fixed the problem. I found the solution on another virus fix.



Logfile of HijackThis v1.99.1
Scan saved at 6:10:32 PM, on 8/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5450.0004)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Hijackthis\Start Wizard.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,userinit.exe
O1 - Hosts: 69.60.124.19 L2authd.lineage2.com
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B8F5627-6B06-4729-BA50-37169EA45A73} - C:\WINDOWS\system32\mljjg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\urqqnom.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM\..\Run: [P17Helper] Rundll32 P17.dll,P17Helper
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - AutorunsDisabled - (no file)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: SBC Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\common\yiesrvc.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_2.2.2.89.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: mljjg - C:\WINDOWS\system32\mljjg.dll
O20 - Winlogon Notify: urqqnom - C:\WINDOWS\SYSTEM32\urqqnom.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
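The O2 and O20 lines in the log above are the load points this thread keeps chasing: a BHO and a Winlogon Notify entry both pointing at randomly named system32 DLLs, plus an orphaned Notify entry with its file missing. As an added example that is not code from the thread, from HijackThis or from ComboFix, this Python triages those two line types over a constructed sample and writes out a REGEDIT4 removal file in the same format David's zenfix.reg uses; the XP SP2 Winlogon Notify allowlist and the vowel-ratio "random name" heuristic are my assumptions.

```python
"""Triage O2 (BHO) and O20 (Winlogon Notify) lines from a HijackThis 1.99 log."""
import re
from dataclasses import dataclass, field
from typing import List

# Constructed sample: lines in the shape of the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2B8F5627-6B06-4729-BA50-37169EA45A73} - C:\WINDOWS\system32\mljjg.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {E521797A-22DE-4B46-8B2F-8E98AB77B942} - C:\WINDOWS\system32\urqqnom.dll
O20 - Winlogon Notify: mljjg - C:\WINDOWS\system32\mljjg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winbug32 - winbug32.dll (file missing)
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

# Assumption: Winlogon\Notify subkeys normally present on a stock XP SP2 box.
# Anything not on this list deserves a second look before it is trusted.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "dimsntfy", "sccertprop",
                "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*?)(?P<missing> \(file missing\))?$")

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"


@dataclass
class Entry:
    kind: str                  # "O2" or "O20"
    name: str                  # BHO display name, or the Notify subkey name
    path: str                  # DLL path exactly as HijackThis printed it
    clsid: str = ""            # BHO CLSID; empty for O20 entries
    reasons: List[str] = field(default_factory=list)


def looks_random(path: str) -> bool:
    """True for a system32 DLL whose stem reads like keyboard mash (urqqnom, mljjg, ddcbbab).

    Heuristic (assumption): fewer than 30% vowels among the letters of the file stem.
    Only applied under system32, where real Windows DLLs have pronounceable names."""
    if "\\system32\\" not in path.lower():
        return False
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    letters = [c for c in stem.lower() if c.isalpha()]
    if not letters:
        return False
    vowels = sum(c in "aeiou" for c in letters)
    return vowels / len(letters) < 0.3


def triage(log_text: str) -> List[Entry]:
    """Parse O2/O20 lines and return only the entries that collected at least one reason."""
    flagged: List[Entry] = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            e = Entry("O2", m["name"], m["path"], m["clsid"])
            if looks_random(e.path):
                e.reasons.append("random-looking DLL name in system32")
            if e.name == "(no name)" and "\\system32\\" in e.path.lower():
                e.reasons.append("unnamed BHO loading from system32")
        else:
            m = NOTIFY_RE.match(line)
            if not m:
                continue                      # other HijackThis sections are not handled here
            e = Entry("O20", m["name"], m["path"])
            if m["missing"]:
                e.reasons.append("orphaned Notify entry (file missing)")
            if e.name.lower() not in KNOWN_NOTIFY:
                e.reasons.append("Notify subkey not on the XP SP2 allowlist")
            if looks_random(e.path):
                e.reasons.append("random-looking DLL name in system32")
        if e.reasons:
            flagged.append(e)
    return flagged


def reg_fix(entries: List[Entry]) -> str:
    """Emit a REGEDIT4 file like zenfix.reg above. zenfix.reg used '"value"=-' to delete a
    value; a leading '-' inside the brackets deletes the whole key when the file is merged."""
    lines = ["REGEDIT4", ""]
    for e in entries:
        if e.kind == "O2":
            lines.append(f"[-{BHO_KEY}\\{{{e.clsid}}}]")
        else:
            lines.append(f"[-{NOTIFY_KEY}\\{e.name}]")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for e in hits:
        print(f"{e.kind:<4}{e.name:<12}{e.path}")
        for r in e.reasons:
            print("      -", r)
    print(reg_fix(hits))
```

Against the constructed sample the script flags the two unnamed system32 BHOs, the mljjg Notify entry and the orphaned winbug32 entry, and leaves Acrobat, Spybot's SDHelper and WgaLogon alone.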



