
Virtumonde? Maybe More? Please Help!


  • This topic is locked
21 replies to this topic

#1 Steel-Spevenburg


Posted 15 August 2006 - 10:29 PM

I have recently been infected with something (or things) nasty. I get popups for "winantivirus pro 2006", I can't log onto my school's server (anything with ilstu.edu), I can't enable drop shadows on the desktop, and my computer is running much slower.

I have Ad-Aware SE installed with the latest updates which, no matter how many times I run it, always comes up with more adware/spyware. I can run it once and clean everything out and five minutes later run it again and it says I have 11 critical objects again!

Also, I know which file caused this mayhem, and I have it--zipped up. I was going to upload it to my school webspace so you guys could check it out but I can't even do that because of the virus!

I have also run a few "vundo" fixes including those mentioned on this site with no luck. If anyone has any ideas how I can fix this problem, please let me know! Also if anything is unclear or you need more info, please ask. Thanks in advance.


Here is my Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:04:33 PM, on 8/15/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\{DE02C4A1-089D-1033-0804-040416020001}\Update.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Cisco Systems\VPN Client\vpngui.exe
C:\Program Files\Cisco Systems\VPN Client\ipseclog.exe
C:\Documents and Settings\Sean\Desktop\FixVundo.exe
C:\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.mrfindalot.com/search.asp?si=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.mrfindalot.com/search.asp?si=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = c:\secure32.html
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\ljjwj.exe
F2 - REG:system.ini: UserInit=userinit.exe,vfqbtbt.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15015/CTSUEng.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nucleus.com/FIX/WinATS.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15023/CTPID.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{2B9CDE5F-3CD6-416F-BE24-767DFA0ED4AF}: NameServer = 138.87.128.1,138.87.132.1
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = ilstu.edu
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = ilstu.edu
O18 - Filter: text/html - {B5F86455-BF18-4E12-965A-6642A0AC0549} - C:\WINDOWS\system32\xeymi.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - Network Associates, Inc. - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\ttuzopi.exe (file missing)



#2 pomp

Malware Fighter

Posted 16 August 2006 - 12:18 AM

Hello.

Please download WebRoot SpySweeper from HERE (It's a 2 week trial):
  • Click the Free Trial link on the right - next to "SpySweeper for Home Computers" to download the program.
  • Double-click the file to install it as follows:
    • Click "Next", read the agreement, then click "Next".
    • Choose "Custom", then click "Next".
    • Leave the default installation directory as it is, then click "Next".
    • UNcheck "Run SpySweeper at Windows Startup" and "Add Sweep for Spyware to Windows Explorer Context Menu". Click "Next".
    • On the following screen you can leave the e-mail address field blank, if you wish. Click "Next".
    • Finally, click "Install"
  • Once the program is installed, it will open.
  • It will prompt you to update to the latest definitions, click Yes.
  • Once the definitions are installed, click Options on the left side.
  • Click the Sweep Options tab.
  • Under What to Sweep please put a check next to the following:
    • Sweep Memory
    • Sweep Registry
    • Sweep Cookies
    • Sweep All User Accounts
    • Enable Direct Disk Sweeping
    • Sweep Contents of Compressed Files
    • Sweep for Rootkits
    • Please UNCHECK Do not Sweep System Restore Folder.
  • Click Sweep Now on the left side.
  • Click the Start button.
  • When it's done scanning, click the Next button.
  • Make sure everything has a check next to it, then click the Next button.
  • It will remove all of the items found.
  • Click Session Log in the upper right corner, copy everything in that window.
  • Click the Summary tab and click Finish.
  • Paste the contents of the session log you copied into your next reply.


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#3 Steel-Spevenburg

Topic Starter

Posted 16 August 2006 - 10:36 PM

Pomp, thank you for your help. I am unsure whether or not this worked completely. Here is my session log:

10:32 PM: Removal process completed. Elapsed time 00:00:16
10:32 PM: Quarantining All Traces: mediamotor - popuppers
10:32 PM: Quarantining All Traces: ezula ilookup
10:32 PM: Quarantining All Traces: mirar webband
10:32 PM: Quarantining All Traces: command
10:32 PM: Quarantining All Traces: elitemediagroup-pop64
10:32 PM: Quarantining All Traces: internetoptimizer
10:32 PM: Quarantining All Traces: trojan-dropper-joiner
10:32 PM: Quarantining All Traces: cas
10:32 PM: Quarantining All Traces: trojan-downloader-basebar
10:32 PM: Quarantining All Traces: elitemediagroup-mediamotor
10:32 PM: Quarantining All Traces: targetsaver
10:32 PM: Quarantining All Traces: enbrowser
10:32 PM: Quarantining All Traces: forethought
10:32 PM: Quarantining All Traces: trojan-downloader-ac2
10:32 PM: Quarantining All Traces: clkoptimizer
10:32 PM: Quarantining All Traces: look2me
10:32 PM: Removal process initiated
9:33 PM: Traces Found: 45
9:33 PM: Full Sweep has completed. Elapsed time 00:24:51
9:33 PM: File Sweep Complete, Elapsed Time: 00:23:24
Not enough storage is available to process this command
9:27 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
Not enough storage is available to process this command
9:27 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
Not enough storage is available to process this command
9:26 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
Not enough storage is available to process this command
9:26 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
9:23 PM: Warning: Failed to access drive D:
9:23 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055851.inf (ID = 208224)
9:23 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055845.vbs (ID = 185675)
9:22 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055808.dll (ID = 159)
9:21 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055809.dll (ID = 159)
9:21 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055854.exe (ID = 304324)
9:21 PM: Found Adware: mediamotor - popuppers
9:21 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055849.exe (ID = 316011)
9:21 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055846.exe (ID = 235944)
9:21 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055840.exe (ID = 288489)
9:21 PM: Found Adware: internetoptimizer
9:21 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055841.dll (ID = 323385)
9:21 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055824.exe (ID = 244430)
9:21 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055835.exe (ID = 331211)
9:21 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055836.exe (ID = 331208)
9:21 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055825.exe (ID = 336716)
9:20 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055816.exe (ID = 328031)
9:20 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055847.vbs (ID = 231442)
9:20 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055813.sys (ID = 336626)
9:20 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055814.exe (ID = 336702)
9:20 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055815.sys (ID = 336626)
9:20 PM: Found Trojan Horse: trojan-downloader-ac2
9:20 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055817.exe (ID = 328039)
9:20 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055853.dll (ID = 326308)
9:20 PM: Found Adware: ezula ilookup
9:20 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055852.exe (ID = 336869)
9:20 PM: Found Adware: mirar webband
9:20 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055810.dll (ID = 159)
9:19 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055842.exe (ID = 319946)
9:18 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055828.exe (ID = 326026)
9:18 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055812.exe (ID = 268934)
9:18 PM: Found Adware: clkoptimizer
9:18 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055848.exe (ID = 327343)
9:18 PM: Found Adware: command
9:18 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055818.exe (ID = 329286)
9:18 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055829.exe (ID = 326027)
9:17 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055844.exe (ID = 299775)
9:17 PM: Found Trojan Horse: trojan-dropper-joiner
9:17 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055837.exe (ID = 329490)
9:16 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055830.exe (ID = 325684)
9:16 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055833.dll (ID = 293589)
9:16 PM: Found Adware: cas
9:16 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055819.dll (ID = 327345)
9:16 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055838.exe (ID = 331210)
9:15 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055843.exe (ID = 323511)
9:15 PM: Found Trojan Horse: trojan-downloader-basebar
9:15 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055831.ocx (ID = 307277)
9:14 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055850.exe (ID = 316012)
9:14 PM: Found Adware: elitemediagroup-pop64
9:14 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055826.exe (ID = 245110)
9:13 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055832.ocx (ID = 292476)
9:13 PM: Found Adware: elitemediagroup-mediamotor
9:11 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055811.dll (ID = 159)
9:11 PM: Found Adware: look2me
9:11 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055839.exe (ID = 331209)
9:11 PM: Found Adware: targetsaver
9:11 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055827.exe (ID = 336640)
9:11 PM: Found Adware: enbrowser
9:10 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055820.exe (ID = 329287)
9:10 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055821.exe (ID = 329285)
9:10 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055822.exe (ID = 329287)
9:10 PM: Found Adware: forethought
9:09 PM: Starting File Sweep
9:09 PM: Warning: Failed to access drive A:
9:09 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
9:09 PM: Starting Cookie Sweep
9:09 PM: Registry Sweep Complete, Elapsed Time:00:00:09
9:09 PM: Starting Registry Sweep
9:09 PM: Memory Sweep Complete, Elapsed Time: 00:01:03
9:08 PM: Starting Memory Sweep
9:08 PM: Warning: TVolume.Read: read past end of volume size: 0 reading cluster: 0
9:08 PM: Sweep initiated using definitions version 742
9:08 PM: Spy Sweeper 5.0.5.1286 started
9:08 PM: | Start of Session, Wednesday, August 16, 2006 |
********
9:08 PM: | End of Session, Wednesday, August 16, 2006 |
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
9:08 PM: Shield States
9:08 PM: Spyware Definitions: 742
9:08 PM: Spy Sweeper 5.0.5.1286 started
7:32 PM: | End of Session, Wednesday, August 16, 2006 |
7:30 PM: Your definitions are up to date.
7:29 PM: Your spyware definitions have been updated.
Keylogger Shield: On
BHO Shield: On
IE Security Shield: On
Alternate Data Stream (ADS) Execution Shield: On
Startup Shield: On
Common Ad Sites Shield: Off
Hosts File Shield: On
Spy Communication Shield: On
ActiveX Shield: On
Windows Messenger Service Shield: On
IE Favorites Shield: On
Spy Installation Shield: On
Memory Shield: On
IE Hijack Shield: On
IE Tracking Cookies Shield: Off
7:28 PM: Shield States
7:28 PM: Spyware Definitions: 691
7:28 PM: Spy Sweeper 5.0.5.1286 started
7:28 PM: Spy Sweeper 5.0.5.1286 started
7:28 PM: | Start of Session, Wednesday, August 16, 2006 |
********
9:06 PM: Removal process completed. Elapsed time 00:01:08
9:06 PM: Preparing to restart your computer. Please wait...
9:05 PM: Warning: Failed to delete profile shadow file "C:\WINDOWS\Temp\SST2D2.tmp". Reason: The system cannot find the file specified
9:05 PM: Warning: Failed to delete profile shadow file ".log". Reason: The system cannot find the file specified
9:05 PM: Quarantining All Traces: zedo cookie
9:05 PM: Quarantining All Traces: tribalfusion cookie
9:05 PM: Quarantining All Traces: reliablestats cookie
9:05 PM: Quarantining All Traces: revenue.net cookie
9:05 PM: Quarantining All Traces: casalemedia cookie
9:05 PM: Quarantining All Traces: searchingbooth cookie
9:05 PM: Quarantining All Traces: atlas dmt cookie
9:05 PM: Quarantining All Traces: falkag cookie
9:05 PM: Quarantining All Traces: tacoda cookie
9:05 PM: Quarantining All Traces: yieldmanager cookie
9:05 PM: Quarantining All Traces: effective-i toolbar
9:05 PM: Quarantining All Traces: mediamotor - popuppers
9:05 PM: c:\program files\msn gaming zone\kyfecy.html is in use. It will be removed on reboot.
9:05 PM: deskwizz is in use. It will be removed on reboot.
9:05 PM: Quarantining All Traces: deskwizz
9:05 PM: Quarantining All Traces: ezula ilookup
9:05 PM: Quarantining All Traces: mirar webband
9:05 PM: Quarantining All Traces: elitemediagroup-pop64
9:05 PM: Quarantining All Traces: webhancer
9:05 PM: Quarantining All Traces: findthewebsiteyouneed hijack
9:05 PM: Quarantining All Traces: oddbot
9:05 PM: Quarantining All Traces: regifast
9:05 PM: Quarantining All Traces: command
9:05 PM: Quarantining All Traces: linkmaker
9:05 PM: Quarantining All Traces: marketscore
9:05 PM: Quarantining All Traces: trojan-dropper-joiner
9:05 PM: Quarantining All Traces: trojan-downloader-basebar
9:05 PM: Quarantining All Traces: internetoptimizer
9:05 PM: Quarantining All Traces: dollarrevenue
9:05 PM: Quarantining All Traces: targetsaver
9:05 PM: Quarantining All Traces: spysheriff
9:05 PM: Quarantining All Traces: cas
9:05 PM: Quarantining All Traces: quicklink search toolbar
9:05 PM: Quarantining All Traces: maxifiles
9:05 PM: Quarantining All Traces: elitemediagroup-mediamotor
9:05 PM: Quarantining All Traces: winantivirus pro
9:05 PM: Quarantining All Traces: enbrowser
9:05 PM: Quarantining All Traces: surfsidekick
9:05 PM: Quarantining All Traces: forethought
9:05 PM: Quarantining All Traces: alcra-b
9:05 PM: Quarantining All Traces: trojan-downloader-ac2
9:05 PM: Quarantining All Traces: clkoptimizer
9:05 PM: Quarantining All Traces: trojan-backdoor-us15info
9:05 PM: Quarantining All Traces: look2me
9:05 PM: Quarantining All Traces: visfx
9:05 PM: Removal process initiated
9:01 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
9:01 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
9:01 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
9:01 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:48 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:48 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:48 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:48 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:35 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:35 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:35 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:35 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:21 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:21 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:21 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:21 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:08 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:08 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:08 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
8:08 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:55 PM: Traces Found: 178
7:55 PM: Full Sweep has completed. Elapsed time 00:23:09
7:55 PM: HKLM\system\currentcontrolset\services\network monitor\ (ID = 1569493)
7:55 PM: HKLM\software\em\ (ID = 1556188)
7:55 PM: File Sweep Complete, Elapsed Time: 00:21:58
7:55 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:55 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:55 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:55 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
Not enough storage is available to process this command
7:51 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
Not enough storage is available to process this command
7:51 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
Not enough storage is available to process this command
7:50 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
Not enough storage is available to process this command
7:50 PM: Warning: Unable to sweep compressed file: System Error. Code: 8.
7:49 PM: C:\My Shared Folder\HTTP-Tunnel v3.3.2025 Final.zip (ID = 310411)
7:49 PM: Found Trojan Horse: alcra-b
7:46 PM: Warning: Failed to access drive D:
7:46 PM: C:\backups\backup-20060816-005454-913.inf (ID = 208224)
7:46 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0054321.lnk (ID = 59838)
7:46 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0054323.lnk (ID = 59855)
7:46 PM: Found Adware: effective-i toolbar
7:46 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051928.ini (ID = 188799)
7:46 PM: C:\WINDOWS\U2VhbiBEaWNrc29u\oZp1v21HuqhOwZ6R.vbs (ID = 185675)
7:46 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051926.ini (ID = 188794)
7:45 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051927.exe (ID = 326317)
7:45 PM: C:\WINDOWS\system32\pixk5gp2.phy (ID = 276229)
7:45 PM: Found Adware: linkmaker
7:45 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051931.exe (ID = 330847)
7:45 PM: C:\WINDOWS\system32\pytorec.dll (ID = 159)
7:45 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051958.dll (ID = 298669)
7:45 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0055367.exe (ID = 293590)
7:45 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0052982.exe (ID = 329490)
7:45 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0053999.dll (ID = 159)
7:45 PM: C:\Documents and Settings\Sean\Application Data\Sskknwrd.dll (ID = 77733)
7:45 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051955.dll (ID = 253084)
7:44 PM: C:\WINDOWS\system32\issrstap.dll (ID = 159)
7:44 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051950.dll (ID = 297352)
7:44 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051951.exe (ID = 333914)
7:44 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051912.exe (ID = 331208)
7:44 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051915.exe (ID = 331211)
7:44 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051914.exe (ID = 331210)
7:44 PM: C:\WINDOWS\unstall.exe (ID = 304324)
7:44 PM: Found Adware: mediamotor - popuppers
7:44 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051913.exe (ID = 331209)
7:44 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051921.exe (ID = 297353)
7:44 PM: C:\WINDOWS\elpp100drop.exe (ID = 316011)
7:44 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051911.exe (ID = 303011)
7:44 PM: C:\WINDOWS\idlemg.exe (ID = 235944)
7:44 PM: C:\Program Files\MSN Gaming Zone\kyfecy.html (ID = 323861)
7:44 PM: Found Adware: deskwizz
7:44 PM: C:\WINDOWS\optimize.exe (ID = 288489)
7:44 PM: C:\WINDOWS\lucfrrtg.dll (ID = 323385)
7:44 PM: C:\WINDOWS\pf78.exe (ID = 244430)
7:44 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051906.dll (ID = 159)
7:44 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051938.dll (ID = 235980)
7:44 PM: C:\Program Files\Common Files\oouw\oouwp.exe (ID = 331211)
7:44 PM: C:\Program Files\Common Files\oouw\oouwm.exe (ID = 331208)
7:44 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051922.dll (ID = 297355)
7:43 PM: C:\WINDOWS\Setup90.exe (ID = 336716)
7:43 PM: C:\WINDOWS\system32\rk.bin (ID = 235981)
7:43 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051957.exe (ID = 235981)
7:43 PM: Found Adware: marketscore
7:43 PM: C:\WINDOWS\system32\zqskw.exe (ID = 328031)
7:43 PM: C:\WINDOWS\uninstall_nmon.vbs (ID = 231442)
7:43 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP352\A0055675.exe (ID = 327825)
7:43 PM: C:\WINDOWS\system32\aaa00000.sys (ID = 336626)
7:43 PM: C:\WINDOWS\ac3_0002.exe (ID = 336702)
7:43 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0054325.ini (ID = 304315)
7:43 PM: C:\WINDOWS\system32\dal01d86.sys (ID = 336626)
7:43 PM: Found Trojan Horse: trojan-downloader-ac2
7:43 PM: c:\recycler\s-1-5-21-1417001333-507921405-725345543-500\dc2.exe (ID = 328039)
7:43 PM: C:\WINDOWS\system32\nsf14.dll (ID = 326308)
7:43 PM: Found Adware: ezula ilookup
7:43 PM: C:\WINDOWS\MirarSetup_876075.exe (ID = 336869)
7:43 PM: Found Adware: mirar webband
7:42 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051840.dll (ID = 304391)
7:42 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0053994.dll (ID = 159)
7:42 PM: C:\WINDOWS\system32\gpl2l33o1.dll (ID = 159)
7:41 PM: C:\WINDOWS\lt.exe (ID = 319946)
7:41 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:41 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:41 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:41 PM: The Spy Communication shield has blocked access to: BANNERS.SEARCHINGBOOTH.COM
7:41 PM: C:\WINDOWS\media_motor_bundle.exe (ID = 326026)
7:40 PM: C:\quarantine\ljjwj.exe (ID = 268934)
7:40 PM: Found Adware: clkoptimizer
7:40 PM: C:\WINDOWS\system32\iqqr.exe (ID = 327343)
7:40 PM: C:\WINDOWS\system32\bez6n4r21.exe (ID = 329286)
7:40 PM: C:\WINDOWS\system32\icon_mediamotor.exe (ID = 326027)
7:40 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055787.exe (ID = 336853)
7:39 PM: C:\WINDOWS\system32\VSL05.exe (ID = 299775)
7:39 PM: Found Trojan Horse: trojan-dropper-joiner
7:39 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051956.exe (ID = 253085)
7:39 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055729.exe (ID = 327825)
7:39 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0052972.dll (ID = 159)
7:39 PM: C:\WINDOWS\system32\tsuninst.exe (ID = 329490)
7:39 PM: C:\WINDOWS\system32\ts_mediamotor.exe (ID = 325684)
7:39 PM: C:\WINDOWS\system32\redist.dll (ID = 293589)
7:39 PM: C:\WINDOWS\system32\xeymi.dll (ID = 327345)
7:38 PM: C:\Program Files\Common Files\oouw\oouwa.exe (ID = 331210)
7:38 PM: C:\Program Files\Common Files\oouw\oouwd\vocabulary (ID = 78283)
7:38 PM: C:\WINDOWS\ssqbn.exe (ID = 323511)
7:38 PM: Found Trojan Horse: trojan-downloader-basebar
7:38 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055784.exe (ID = 183857)
7:38 PM: The Spy Communication shield has blocked access to: WWW.Z-QUEST.COM
7:38 PM: The Spy Communication shield has blocked access to: WWW.Z-QUEST.COM
7:38 PM: The Spy Communication shield has blocked access to: WWW.Z-QUEST.COM
7:38 PM: The Spy Communication shield has blocked access to: WWW.Z-QUEST.COM
7:37 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP349\A0055394.exe (ID = 298872)
7:37 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051929.inf (ID = 304301)
7:37 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0054324.inf (ID = 304301)
7:37 PM: C:\WINDOWS\em.ocx (ID = 307277)
7:37 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055786.exe (ID = 183857)
7:37 PM: C:\Program Files\elticons\chadppicon100.exe (ID = 316012)
7:37 PM: Found Adware: elitemediagroup-pop64
7:37 PM: C:\WINDOWS\uni_eh.exe (ID = 245110)
7:37 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055785.exe (ID = 183857)
7:37 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0054320.exe (ID = 288489)
7:37 PM: Found Adware: internetoptimizer
7:37 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP353\A0055783.exe (ID = 183857)
7:37 PM: Found Trojan Horse: trojan-backdoor-us15info
7:36 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP350\A0055545.exe (ID = 327825)
7:36 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051959.dll (ID = 301977)
7:36 PM: Found Adware: dollarrevenue
7:36 PM: C:\WINDOWS\amm06.ocx (ID = 292476)
7:35 PM: C:\Program Files\Common Files\oouw\oouwd\class-barrel (ID = 78229)
7:35 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051948.dll (ID = 302237)
7:35 PM: C:\WINDOWS\system32\kzdgr1.dll (ID = 159)
7:35 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0054313.dll (ID = 159)
7:35 PM: Found Adware: look2me
7:35 PM: C:\Program Files\Common Files\oouw\oouwl.exe (ID = 331209)
7:35 PM: Found Adware: targetsaver
7:35 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP351\A0055621.exe (ID = 327825)
7:34 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051952.dll (ID = 304392)
7:34 PM: Found Adware: webhancer
7:34 PM: C:\WINDOWS\uni_ehhhh.exe (ID = 336640)
7:34 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0054317.dll (ID = 316428)
7:34 PM: C:\WINDOWS\system32n9nyb.exe (ID = 329287)
7:34 PM: C:\WINDOWS\system32ghynf.exe (ID = 329285)
7:34 PM: C:\WINDOWS\system32\n9nyb.exe (ID = 329287)
7:34 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0054327.exe (ID = 332943)
7:34 PM: Found Adware: spysheriff
7:34 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051930.exe (ID = 329285)
7:34 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051942.exe (ID = 322316)
7:34 PM: C:\System Volume Information\_restore{9a32611f-d1bb-41f8-809b-bbe31e4a1af5}\RP348\A0051932.dll (ID = 333534)
7:33 PM: C:\Program Files\Cas2Stub (1 subtraces) (ID = 2147500974)
7:33 PM: Starting File Sweep
7:33 PM: Warning: Failed to access drive A:
7:33 PM: Cookie Sweep Complete, Elapsed Time: 00:00:00
7:33 PM: c:\documents and settings\sean\cookies\sean@zedo[1].txt (ID = 3762)
7:33 PM: Found Spy Cookie: zedo cookie
7:33 PM: c:\documents and settings\sean\cookies\sean@tribalfusion[1].txt (ID = 3589)
7:33 PM: Found Spy Cookie: tribalfusion cookie
7:33 PM: c:\documents and settings\sean\cookies\sean@tacoda[1].txt (ID = 6444)
7:33 PM: c:\documents and settings\sean\cookies\sean@stats1.reliablestats[2].txt (ID = 3254)
7:33 PM: Found Spy Cookie: reliablestats cookie
7:33 PM: c:\documents and settings\sean\cookies\sean@revenue[1].txt (ID = 3257)
7:33 PM: Found Spy Cookie: revenue.net cookie
7:33 PM: c:\documents and settings\sean\cookies\sean@casalemedia[1].txt (ID = 2354)
7:33 PM: Found Spy Cookie: casalemedia cookie
7:33 PM: c:\documents and settings\sean\cookies\sean@banners.searchingbooth[1].txt (ID = 3322)
7:33 PM: Found Spy Cookie: searchingbooth cookie
7:33 PM: c:\documents and settings\sean\cookies\sean@atdmt[2].txt (ID = 2253)
7:33 PM: Found Spy Cookie: atlas dmt cookie
7:33 PM: c:\documents and settings\sean\cookies\sean@as-us.falkag[1].txt (ID = 2650)
7:33 PM: Found Spy Cookie: falkag cookie
7:33 PM: c:\documents and settings\sean\cookies\sean@anat.tacoda[1].txt (ID = 6445)
7:33 PM: c:\documents and settings\sean\cookies\sean@anad.tacoda[2].txt (ID = 6445)
7:33 PM: Found Spy Cookie: tacoda cookie
7:33 PM: c:\documents and settings\sean\cookies\sean@ad.yieldmanager[1].txt (ID = 3751)
7:33 PM: Found Spy Cookie: yieldmanager cookie
7:33 PM: Starting Cookie Sweep
7:33 PM: Registry Sweep Complete, Elapsed Time:00:00:10
7:33 PM: HKU\S-1-5-21-1417001333-507921405-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || Default_Search_URL (ID = 1554015)
7:33 PM: HKU\S-1-5-21-1417001333-507921405-725345543-1003\software\microsoft\internet explorer\toolbar\webbrowser\ || {cbcc61fa-0221-4ccc-b409-cee865caca3a} (ID = 1530952)
7:33 PM: HKU\S-1-5-21-1417001333-507921405-725345543-1003\software\cas2\ (ID = 862278)
7:33 PM: Found Adware: cas
7:33 PM: HKU\S-1-5-21-1417001333-507921405-725345543-1003\software\system\sysuid\ (ID = 731748)
7:33 PM: HKU\S-1-5-21-1417001333-507921405-725345543-1003\software\microsoft\internet explorer\search\searchassistant explorer\main\ || default_search_url (ID = 555437)
7:33 PM: Found Adware: findthewebsiteyouneed hijack
7:33 PM: HKU\S-1-5-21-1417001333-507921405-725345543-1003\software\surfsidekick3\ (ID = 143412)
7:33 PM: HKU\WRSS_Profile_S-1-5-21-1417001333-507921405-725345543-500\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143397)
7:33 PM: HKLM\system\currentcontrolset\services\cmdservice\ (ID = 1569492)
7:33 PM: HKLM\software\microsoft\windows\currentversion\uninstall\kznbndryg\ (ID = 1561126)
7:33 PM: HKLM\software\microsoft\windows\currentversion\uninstall\g5a2\ (ID = 1561123)
7:33 PM: Found Adware: quicklink search toolbar
7:33 PM: HKLM\software\classes\xsdu.ozbyq.1\ (ID = 1560783)
7:33 PM: HKLM\software\classes\xsdu.ozbyq\ (ID = 1560779)
7:33 PM: HKLM\software\classes\xsdu.bqok.1\ (ID = 1560775)
7:33 PM: HKLM\software\classes\xsdu.bqok\ (ID = 1560771)
7:33 PM: HKLM\software\classes\typelib\{80c0e6bc-1228-47d7-9876-b67ad181477e}\ (ID = 1560761)
7:33 PM: HKLM\software\classes\clsid\{d623bc2f-a58d-4a75-a10d-cc244a702a35}\ (ID = 1560752)
7:33 PM: HKLM\software\classes\clsid\{b5f86455-bf18-4e12-965a-6642a0ac0549}\ (ID = 1560743)
7:33 PM: HKCR\xsdu.ozbyq.1\ (ID = 1560737)
7:33 PM: HKCR\xsdu.ozbyq\ (ID = 1560733)
7:33 PM: HKCR\xsdu.bqok.1\ (ID = 1560729)
7:33 PM: HKCR\xsdu.bqok\ (ID = 1560725)
7:33 PM: HKCR\typelib\{80c0e6bc-1228-47d7-9876-b67ad181477e}\ (ID = 1560715)
7:33 PM: HKCR\clsid\{d623bc2f-a58d-4a75-a10d-cc244a702a35}\ (ID = 1560706)
7:33 PM: HKCR\clsid\{b5f86455-bf18-4e12-965a-6642a0ac0549}\ (ID = 1560697)
7:33 PM: HKLM\system\controlset001\services\cmdservice\ (ID = 1556680)
7:33 PM: HKLM\system\controlset001\enum\root\legacy_cmdservice\ (ID = 1556665)
7:33 PM: HKCR\mm06ocx.mm06ocxf\ (ID = 1556189)
7:33 PM: HKLM\software\classes\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\ (ID = 1530980)
7:33 PM: HKCR\typelib\{569304ba-83ed-4cff-ac26-be3e482f7208}\ (ID = 1530936)
7:33 PM: Found Adware: maxifiles
7:33 PM: HKLM\software\classes\typelib\{c845ac9a-70a6-491c-9106-d34a360e1f58}\ (ID = 1525983)
7:33 PM: HKCR\typelib\{c845ac9a-70a6-491c-9106-d34a360e1f58}\ (ID = 1525947)
7:33 PM: Found Adware: oddbot
7:33 PM: HKLM\software\classes\interface\{db312456-e762-4369-844a-aed9006b1b2f}\ (ID = 1502064)
7:33 PM: HKLM\software\classes\interface\{7682c1a6-c500-4c78-93b9-5a76a91520f8}\ (ID = 1502055)
7:33 PM: HKLM\software\classes\interface\{597aa130-f00b-40b8-adaf-529d4da9be52}\ (ID = 1502046)
7:33 PM: HKLM\software\classes\interface\{41e1565d-b7a8-4251-bd79-e6c5facb2b5f}\ (ID = 1502038)
7:33 PM: HKCR\interface\{db312456-e762-4369-844a-aed9006b1b2f}\ (ID = 1497938)
7:33 PM: HKCR\interface\{7682c1a6-c500-4c78-93b9-5a76a91520f8}\ (ID = 1497902)
7:33 PM: HKCR\interface\{597aa130-f00b-40b8-adaf-529d4da9be52}\ (ID = 1497893)
7:33 PM: HKCR\interface\{41e1565d-b7a8-4251-bd79-e6c5facb2b5f}\ (ID = 1497876)
7:33 PM: HKLM\software\classes\typelib\{d13decbb-52f8-4bf4-ba6c-b0cc603963c9}\ (ID = 1323842)
7:33 PM: HKLM\software\classes\clsid\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (ID = 1323818)
7:33 PM: HKLM\software\classes\mm06ocx.mm06ocxf\ (ID = 1323810)
7:33 PM: HKCR\typelib\{d13decbb-52f8-4bf4-ba6c-b0cc603963c9}\ (ID = 1323794)
7:33 PM: HKCR\clsid\{5526b4c6-63d6-41a1-9783-0fabf529859a}\ (ID = 1323770)
7:33 PM: Found Adware: elitemediagroup-mediamotor
7:33 PM: HKLM\software\winantivirus pro 2006\ (ID = 1216196)
7:33 PM: Found Adware: winantivirus pro
7:33 PM: HKLM\software\classes\clsid\{c67a62c7-a68d-484c-9617-880c1f70d3f7}\ (ID = 1180778)
7:33 PM: HKLM\software\classes\regifastobj.regifastobj.1\ (ID = 1180769)
7:33 PM: HKLM\software\classes\regifastobj.regifastobj\ (ID = 1180765)
7:33 PM: HKCR\clsid\{c67a62c7-a68d-484c-9617-880c1f70d3f7}\ (ID = 1180687)
7:33 PM: HKCR\regifastobj.regifastobj.1\ (ID = 1180678)
7:33 PM: HKCR\regifastobj.regifastobj\ (ID = 1180674)
7:33 PM: Found Adware: regifast
7:33 PM: HKLM\system\currentcontrolset\enum\root\legacy_cmdservice\ (ID = 1016072)
7:33 PM: Found Adware: command
7:33 PM: HKLM\software\system\sysold\ (ID = 926808)
7:33 PM: Found Adware: enbrowser
7:33 PM: HKLM\system\currentcontrolset\services\windows overlay components\ (ID = 712954)
7:33 PM: HKLM\software\microsoft\windows\currentversion\uninstall\ovmon\ (ID = 712951)
7:33 PM: Found Adware: visfx
7:33 PM: HKLM\software\surfsidekick3\ (ID = 143413)
7:33 PM: HKLM\software\microsoft\internet explorer\urlsearchhooks\ || {02ee5b04-f144-47bb-83fb-a60bd91b74a9} (ID = 143400)
7:33 PM: Found Adware: surfsidekick
7:33 PM: Starting Registry Sweep
7:33 PM: Memory Sweep Complete, Elapsed Time: 00:00:46
7:32 PM: Starting Memory Sweep
7:32 PM: Warning: TVolume.Read: read past end of volume size: 0 reading cluster: 0
7:32 PM: HKCR\clsid\{d623bc2f-a58d-4a75-a10d-cc244a702a35}\inprocserver32\ (ID = 1561601)
7:32 PM: C:\WINDOWS\system32\xeymi.dll (ID = 1561600)
7:32 PM: HKCR\clsid\{b5f86455-bf18-4e12-965a-6642a0ac0549}\inprocserver32\ (ID = 1561600)
7:32 PM: Found Adware: forethought
7:32 PM: Sweep initiated using definitions version 742
7:32 PM: Spy Sweeper 5.0.5.1286 started
7:32 PM: | Start of Session, Wednesday, August 16, 2006 |
********

#4 pomp

    Malware Fighter


  • Members
  • 362 posts
  • Gender:Male
  • Location:Jersey Shore
  • Local time:07:18 PM

Posted 17 August 2006 - 10:27 AM

Kk, that certainly got rid of a lot! Please do the following to see what it may find! :thumbsup:

1. Download this file - combofix
2. Double-click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#5 Steel-Spevenburg

  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:18 PM

Posted 18 August 2006 - 03:31 PM

Thank you again Pomp. Here is the log from combofix:

Sean - 06-08-18 15:22:28.35
ComboFix 06.08.18 - Running from: C:\Documents and Settings\Sean\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


O4 - HKEY_CURRENT_USER\...\Run C:\WINDOWS\system32\uassjv.exe
O4 - HKEY_LOCAL_MACHINE\...\Run C:\WINDOWS\system32\uassjv.exe
F2 -REG:system.ini: Shell C:\WINDOWS\system32\ljjwj.exe
F2 -REG:system.ini: UserInit C:\WINDOWS\system32\vfqbtbt.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-08-18 15:17 362 --a------ C:\WINDOWS\tvyaa.dll
2006-08-17 03:16 53 --a------ C:\WINDOWS\nqbpqb.dat
2006-08-17 03:16 51712 --a------ C:\WINDOWS\system32\bhssaef.dll
2006-08-17 03:16 32256 --a------ C:\WINDOWS\system32\dmonwv.dll
2006-08-17 03:16 28672 --a------ C:\WINDOWS\system32\ljjwj.exe
2006-08-17 03:16 23552 --a------ C:\WINDOWS\system32\vfqbtbt.exe
2006-08-17 03:16 127488 --a------ C:\WINDOWS\system32\uassjv.exe
2006-08-17 03:16 127488 --a------ C:\WINDOWS\system32\axhvu.dat
2006-08-17 03:16 127488 --a------ C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nhftp.exe
2006-08-15 02:44 380928 --a------ C:\WINDOWS\system32\WinNB58.dll
2006-08-14 14:53 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


2006-08-17 03:16 127488 C:\WINDOWS\system32\uassjv.exe
2006-08-17 03:16 51712 C:\WINDOWS\system32\bhssaef.dll
2006-08-17 03:16 23552 C:\WINDOWS\system32\vfqbtbt.exe
2006-08-17 03:16 127488 C:\Documents and Settings\All Users\Start Menu\Programs\Startup\nhftp.exe
2006-08-18 15:17 362 C:\WINDOWS\tvyaa.dll
2006-08-17 03:16 127488 C:\WINDOWS\system32\axhvu.dat
2006-08-17 03:16 28672 C:\WINDOWS\system32\ljjwj.exe


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


06-08-17 03:16 127488 axhvu.dat.qoo
06-08-17 03:16 127488 uassjv.exe.qoo
06-08-17 03:16 127488 nhftp.exe.qoo
06-08-17 03:16 51712 bhssaef.dll.qoo
06-08-17 03:16 32256 dmonwv.dll.qoo
06-08-17 03:16 28672 ljjwj.exe.qoo
06-08-17 03:16 23552 vfqbtbt.exe.qoo
06-08-18 15:17 362 tvyaa.dll.qoo
06-08-17 03:16 53 nqbpqb.dat.qoo

DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Sean\Application Data\Sskdmns.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\WINDOWS\newname.dat
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Program Files\elticons
C:\Program Files\Common Files\{DE02C4A1-089D-1033-0804-040416020001}
C:\Program Files\Inetget2


((((((((((((((((((((((((((((((( Files Created from 2006-07-18 to 2006-08-18 ))))))))))))))))))))))))))))))))))


2006-08-16 00:37 213,072 C:\Qoofix.dll
2006-08-16 00:37 102,400 C:\Qoofix.exe
2006-08-15 10:45 102,420 C:\WINDOWS\system32\xvqnpxwl.dll
2006-08-15 02:44 380,928 C:\WINDOWS\system32\WinNB58.dll
2006-08-14 14:53 183,296 C:\WINDOWS\NDNuninstall7_22.exe
2006-08-14 14:49 8,464 C:\WINDOWS\system32\sporder.dll
2006-08-14 14:49 50,688 C:\WINDOWS\NDNuninstall6_38.exe
2006-08-14 14:49 0 C:\WINDOWS\system32bez6n4r21.exe
2006-08-12 15:18 56,832 C:\WINDOWS\system32\Iyvu9_32.dll
2006-08-12 15:18 144,384 C:\WINDOWS\system32\Iacenc.dll
2006-07-18 15:23 98,304 C:\WINDOWS\system32\piaproxy.dll
2006-07-18 15:23 94,208 C:\WINDOWS\system32\ctdproxy.dll
2006-07-18 15:23 94,208 C:\WINDOWS\system32\CTASIO.DLL
2006-07-18 15:23 90,112 C:\WINDOWS\system32\OpenAL32.DLL
2006-07-18 15:23 77,824 C:\WINDOWS\system32\EAXAC3.DLL
2006-07-18 15:23 77,824 C:\WINDOWS\DEVREG.DLL
2006-07-18 15:23 61,440 C:\WINDOWS\MIDIDEF.EXE
2006-07-18 15:23 598,016 C:\WINDOWS\system32\ctsblfx.dll
2006-07-18 15:23 49,152 C:\WINDOWS\system32\KILLAPPS.EXE
2006-07-18 15:23 49,152 C:\WINDOWS\system32\a3d.dll
2006-07-18 15:23 40,960 C:\WINDOWS\system32\AC3API.DLL
2006-07-18 15:23 36,864 C:\WINDOWS\system32\sfman32.dll
2006-07-18 15:23 36,864 C:\WINDOWS\system32\REGPLIB.EXE
2006-07-18 15:23 36,864 C:\WINDOWS\system32\CTEMUPIADEFAULT.DLL
2006-07-18 15:23 258,048 C:\WINDOWS\system32\SFMS32.DLL
2006-07-18 15:23 196,608 C:\WINDOWS\system32\cteapsfx.dll
2006-07-18 15:23 176,128 C:\WINDOWS\PSCONV.EXE
2006-07-18 15:23 159,744 C:\WINDOWS\READREG.EXE
2006-07-18 15:23 110,592 C:\WINDOWS\system32\commonfx.dll
2006-07-18 15:01 6,752 C:\WINDOWS\system32\PfModNT.sys
2006-07-18 02:33 73,728 C:\WINDOWS\system32\CTDrmRes.dll
2006-07-18 02:33 331,776 C:\WINDOWS\system32\CTMedEng.DLL
2006-07-18 02:33 28,672 C:\WINDOWS\system32\CTIntRes.dll
2006-07-18 02:33 24,576 C:\WINDOWS\system32\CTMERes.DLL
2006-07-18 02:33 163,840 C:\WINDOWS\system32\CTDRMUI.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver pe386 is present. A rootkit scan is required

2006-08-18 15:22 -------- d-------- C:\Program Files\Common Files
2006-08-16 21:05 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-08-16 21:05 -------- d-------- C:\Program Files\Common Files\oouw
2006-08-16 19:24 -------- d-------- C:\Program Files\Webroot
2006-08-16 19:24 -------- d-------- C:\Documents and Settings\Sean\Application Data\Webroot
2006-08-16 00:40 -------- d-------- C:\Program Files\CleanUp!
2006-08-15 22:24 -------- d-------- C:\Documents and Settings\Sean\Application Data\Adobe
2006-08-15 21:41 -------- d-------- C:\Program Files\Enigma Software Group
2006-08-15 10:49 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-15 10:45 102420 --a------ C:\WINDOWS\system32\xvqnpxwl.dll
2006-08-15 06:14 -------- d-------- C:\Program Files\Internet Explorer
2006-08-15 02:44 380928 --a------ C:\WINDOWS\system32\WinNB58.dll
2006-08-14 17:51 -------- d-------- C:\Documents and Settings\Sean\Application Data\Lavasoft
2006-08-14 17:50 -------- d-------- C:\Program Files\Lavasoft
2006-08-14 15:31 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-14 15:31 -------- d-------- C:\Program Files\Windows NT
2006-08-14 14:53 8464 --a------ C:\WINDOWS\system32\sporder.dll
2006-08-14 14:53 183296 --a-s---- C:\WINDOWS\NDNuninstall7_22.exe
2006-08-14 14:49 50688 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe
2006-08-14 14:49 0 --a------ C:\WINDOWS\system32bez6n4r21.exe
2006-08-14 14:33 -------- d-------- C:\Documents and Settings\Sean\Application Data\nView_Wallpaper
2006-08-12 15:29 -------- d-------- C:\Program Files\WinTV
2006-08-12 15:20 -------- d-------- C:\Documents and Settings\Sean\Application Data\Ulead Systems
2006-08-12 15:19 -------- d-------- C:\Program Files\SmartSound Software
2006-08-12 15:19 -------- d-------- C:\Program Files\Common Files\Ulead Systems
2006-08-12 15:18 -------- d-------- C:\Program Files\Intel
2006-08-12 15:17 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-12 15:17 -------- d-------- C:\Program Files\Windows Media Components
2006-08-12 15:16 -------- d-------- C:\Program Files\Ulead Systems
2006-08-12 15:16 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-08 18:33 -------- d-------- C:\Program Files\Winamp
2006-07-30 17:22 102400 --a------ C:\Qoofix.exe
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-18 15:23 -------- d-------- C:\Program Files\Creative
2006-07-18 01:06 -------- d---s---- C:\Documents and Settings\Sean\Application Data\Microsoft
2006-07-18 01:03 -------- d-------- C:\Program Files\Microsoft.NET
2006-07-18 01:03 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-07 16:41 15360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2006-07-07 16:41 14848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2006-07-07 16:41 13824 --a------ C:\WINDOWS\system32\drivers\SSFS041A.sys
2006-07-07 16:41 117248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2006-06-29 15:39 213072 --a------ C:\Qoofix.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00
@=""
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Beyond TV.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Beyond TV.lnk"
"backup"="C:\\WINDOWS\\pss\\Beyond TV.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SNAPST~1\\BEYOND~1\\BTVD3D~1.EXE "
"item"="Beyond TV"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Cisco Systems VPN Client.lnk"
"backup"="C:\\WINDOWS\\pss\\Cisco Systems VPN Client.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\CISCOS~1\\VPNCLI~1\\vpngui.exe \"-user_logon\""
"item"="Cisco Systems VPN Client"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^nhftp.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\nhftp.exe"
"backup"="C:\\WINDOWS\\pss\\nhftp.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\nhftp.exe"
"item"="nhftp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\ad8rIU3s]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cvn0"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\cvn0.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\CAS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="System"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\System Files\\System.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\CTHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\dal01d86]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w010d2b3.dll,n 00301d8300000011010d2b3"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DeadAIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DeadAIM"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\Program Files\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrfh_10"
"hkey"="HKLM"
"command"="c:\\\\dfndrfh_10.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\Desktop Calendar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CanDesk"
"hkey"="HKLM"
"command"="C:\\Program Files\\Desktop Calendar\\CanDesk.exe 9"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DevconDefaultDB]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="READREG /PSCONV={NO} /NO_DEFPS /FAIL=1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\READREG /PSCONV={NO} /NO_DEFPS /FAIL=1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\DiskeeperSystray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DkIcon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Executive Software\\Diskeeper\\DkIcon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\k6mmN5IOU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxqhv"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\system32\\wfxqhv.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdfh_10"
"hkey"="HKLM"
"command"="c:\\\\kybrdfh_10.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\loaddr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="epvgy"
"hkey"="HKLM"
"command"="c:\\epvgy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\McAfeeUpdaterUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdaterUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\ms0543935-5702]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ms0543935-5702"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ms0543935-5702.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\ms063935-57024]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ms063935-57024"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ms063935-57024.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~2"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmfh_10"
"hkey"="HKLM"
"command"="c:\\\\nwnmfh_10.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\NwCplMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="redistributor"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\redistributor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\oouw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oouwm"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\COMMON~1\\oouw\\oouwm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\pop06ap]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pop06ap2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\pop06ap2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\pop06apelt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="thiselt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\thiselt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\qoelk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uassjv"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\uassjv.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\RegiFast]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RFManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\RegiFast\\RFManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\RelevantKnowledge]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rlvknlg"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\rlvknlg.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\shell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ibm00001"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\ibm00001.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\ShStatEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SHSTAT"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\SpySheriff]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySheriff"
"hkey"="HKCU"
"command"="C:\\Program Files\\SpySheriff\\SpySheriff.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\SysTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lbfh"
"hkey"="HKLM"
"command"="c:\\Program Files\\lbfh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Duce6"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Duce6.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\ToolbarInstall]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MirarSetup_876075"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\MirarSetup_876075.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\trwkjt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uassjv"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\uassjv.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\ttuzopiA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ttuzopiA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ttuzopiA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Updreg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Updreg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\w0129ac1.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w0129ac1.dll,I2 00301d8300129ac1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\webHancer Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whAgent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\webHancer Survey Companion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whSurvey"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\startupreg\Windows installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winstall"
"hkey"="HKCU"
"command"="C:\\winstall.exe"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService


~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~


Completion time: Fri 08/18/2006 15:26:55.87
ComboFix.txt

#6 pomp

pomp

    Malware Fighter


  • Members
  • 362 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Jersey Shore
  • Local time:07:18 PM

Posted 18 August 2006 - 08:49 PM

Hello!

You have this crazy rootkit. Let's try and kill it.

We are going to use the blacklight rootkit scanner...
Download and Save blacklight to your desktop.
F-Secure Blacklight: https://europe.f-secure.com/blacklight/try.shtml
Double-click blbeta.exe then accept the agreement.
Then click scan.
Once the scan has started, shut down your PC using the power button!!!

Then start your pc again, so we can proceed with the rest of the removal..

Please now run combofix.exe and please post the new log! Hopefully it doesn't say the rootkit is still there, and we'll proceed with the other bad files. Thanks!


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#7 Steel-Spevenburg


Posted 20 August 2006 - 06:43 PM

Hi Pomp,

I did what you instructed and when I double click blbeta.exe I get a dialog box that says:

F-Secure BlackLight could not acquire necessary privileges (SeDebugPrivilege).

-Your computer settings may prevent acquiring these privileges.
-A malicious program might have disabled these privileges.

Any idea what I should do now?

Thanks again.

#8 pomp


Posted 20 August 2006 - 06:55 PM

Please try this:

Please download Look2Me-Destroyer.exe http://www.atribune.org/ccount/click.php?id=7 to your desktop.

* Close all windows before continuing.
* Double-click Look2Me-Destroyer.exe to run it.
* Put a check next to Run this program as a task.
* You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 1 minute. Click OK.
* When Look2Me-Destroyer re-opens, click the Scan for L2M button. Your desktop icons will disappear; this is normal.
* Once it's done scanning, click the Remove L2M button.
* You will receive a Done Scanning message; click OK.
* When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer. Click OK.
* Your computer will then shut down.
* Turn your computer back on.
* Please post the contents of Look2Me-Destroyer.txt (it can be found wherever you saved Look2Me-Destroyer.exe)

If Look2Me-Destroyer does not reopen automatically, reboot and try again.




#9 Steel-Spevenburg


Posted 23 August 2006 - 01:24 AM

Hi Pomp,

Here is the log of Look2Me Destroyer:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 8/23/2006 1:17:04 AM


Attempting to delete infected files...

Making registry repairs.


Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{E73EA574-59FE-4297-B793-824F6932DF5F}"
HKCR\Clsid\{E73EA574-59FE-4297-B793-824F6932DF5F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{85E9DEA5-AA02-4A19-861B-C5891D1F897F}"
HKCR\Clsid\{85E9DEA5-AA02-4A19-861B-C5891D1F897F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{BDA734F9-7CFE-4E39-90D9-BD8488C9CD76}"
HKCR\Clsid\{BDA734F9-7CFE-4E39-90D9-BD8488C9CD76}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

#10 pomp


Posted 23 August 2006 - 08:47 AM

Ok good!

Now please run blacklight and it should work!




#11 Steel-Spevenburg


Posted 23 August 2006 - 12:25 PM

Pomp,

Thank you, blacklight works now. I ran it and it didn't appear to have found anything. Here is the log:

08/23/06 12:18:23 [Info]: BlackLight Engine 1.0.46 initialized
08/23/06 12:18:23 [Info]: OS: 5.1 build 2600 (Service Pack 2)
08/23/06 12:18:23 [Note]: 7019 4
08/23/06 12:18:23 [Note]: 7005 0
08/23/06 12:18:41 [Note]: 7006 0
08/23/06 12:18:41 [Note]: 7011 1984
08/23/06 12:18:41 [Note]: 7026 0
08/23/06 12:18:41 [Note]: 7026 0
08/23/06 12:18:46 [Note]: FSRAW library version 1.7.1019
08/23/06 12:24:01 [Note]: 7007 0

#12 pomp


Posted 23 August 2006 - 12:53 PM

1. Download this file - combofix
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouse-click combofix's window whilst it's running. That may cause it to stall.




#13 Steel-Spevenburg


Posted 23 August 2006 - 05:30 PM

Here is the combofix log:

Sean - 06-08-23 17:28:16.62
ComboFix 06.08.24 - Running from: C:\Program Files\Mozilla Firefox

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\WinNB58.dll
C:\WINDOWS\system32bez6n4r21.exe


((((((((((((((((((((((((((((((( Files Created from 2006-07-23 to 2006-08-23 ))))))))))))))))))))))))))))))))))


2006-08-16 00:37 213,072 --a------ C:\Qoofix.dll
2006-08-16 00:37 102,400 --a------ C:\Qoofix.exe
2006-08-15 10:45 102,420 --a------ C:\WINDOWS\system32\xvqnpxwl.dll
2006-08-14 14:53 183,296 --a-s---- C:\WINDOWS\NDNuninstall7_22.exe
2006-08-14 14:49 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-08-14 14:49 50,688 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe
2006-08-12 15:18 56,832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2006-08-12 15:18 144,384 --a------ C:\WINDOWS\system32\Iacenc.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-23 17:28 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-21 00:19 -------- d-------- C:\Documents and Settings\Sean\Application Data\Adobe
2006-08-18 15:22 -------- d-------- C:\Program Files\Common Files
2006-08-16 21:05 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-08-16 21:05 -------- d-------- C:\Program Files\Common Files\oouw
2006-08-16 19:24 -------- d-------- C:\Program Files\Webroot
2006-08-16 19:24 -------- d-------- C:\Documents and Settings\Sean\Application Data\Webroot
2006-08-16 00:40 -------- d-------- C:\Program Files\CleanUp!
2006-08-15 21:41 -------- d-------- C:\Program Files\Enigma Software Group
2006-08-15 06:14 -------- d-------- C:\Program Files\Internet Explorer
2006-08-14 17:51 -------- d-------- C:\Documents and Settings\Sean\Application Data\Lavasoft
2006-08-14 17:50 -------- d-------- C:\Program Files\Lavasoft
2006-08-14 15:31 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-14 15:31 -------- d-------- C:\Program Files\Windows NT
2006-08-14 14:33 -------- d-------- C:\Documents and Settings\Sean\Application Data\nView_Wallpaper
2006-08-12 15:29 -------- d-------- C:\Program Files\WinTV
2006-08-12 15:20 -------- d-------- C:\Documents and Settings\Sean\Application Data\Ulead Systems
2006-08-12 15:19 -------- d-------- C:\Program Files\SmartSound Software
2006-08-12 15:19 -------- d-------- C:\Program Files\Common Files\Ulead Systems
2006-08-12 15:18 -------- d-------- C:\Program Files\Intel
2006-08-12 15:17 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-12 15:17 -------- d-------- C:\Program Files\Windows Media Components
2006-08-12 15:16 -------- d-------- C:\Program Files\Ulead Systems
2006-08-12 15:16 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-08 18:33 -------- d-------- C:\Program Files\Winamp
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-18 15:23 -------- d-------- C:\Program Files\Creative
2006-07-18 01:06 -------- d---s---- C:\Documents and Settings\Sean\Application Data\Microsoft
2006-07-18 01:03 -------- d-------- C:\Program Files\Microsoft.NET
2006-07-18 01:03 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-07 16:41 15360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2006-07-07 16:41 14848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2006-07-07 16:41 13824 --a------ C:\WINDOWS\system32\drivers\SSFS041A.sys
2006-07-07 16:41 117248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00
@=""
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Beyond TV.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Beyond TV.lnk"
"backup"="C:\\WINDOWS\\pss\\Beyond TV.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SNAPST~1\\BEYOND~1\\BTVD3D~1.EXE "
"item"="Beyond TV"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Cisco Systems VPN Client.lnk"
"backup"="C:\\WINDOWS\\pss\\Cisco Systems VPN Client.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\CISCOS~1\\VPNCLI~1\\vpngui.exe \"-user_logon\""
"item"="Cisco Systems VPN Client"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^nhftp.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\nhftp.exe"
"backup"="C:\\WINDOWS\\pss\\nhftp.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\nhftp.exe"
"item"="nhftp"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ad8rIU3s]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cvn0"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\cvn0.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CAS2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="System"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\System Files\\System.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\dal01d86]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w010d2b3.dll,n 00301d8300000011010d2b3"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DeadAIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DeadAIM"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\Program Files\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrfh_10"
"hkey"="HKLM"
"command"="c:\\\\dfndrfh_10.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Desktop Calendar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CanDesk"
"hkey"="HKLM"
"command"="C:\\Program Files\\Desktop Calendar\\CanDesk.exe 9"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DevconDefaultDB]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="READREG /PSCONV={NO} /NO_DEFPS /FAIL=1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\READREG /PSCONV={NO} /NO_DEFPS /FAIL=1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DiskeeperSystray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DkIcon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Executive Software\\Diskeeper\\DkIcon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\k6mmN5IOU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxqhv"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\system32\\wfxqhv.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdfh_10"
"hkey"="HKLM"
"command"="c:\\\\kybrdfh_10.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\loaddr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="epvgy"
"hkey"="HKLM"
"command"="c:\\epvgy.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\McAfeeUpdaterUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdaterUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ms0543935-5702]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ms0543935-5702"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ms0543935-5702.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ms063935-57024]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ms063935-57024"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ms063935-57024.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~2"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmfh_10"
"hkey"="HKLM"
"command"="c:\\\\nwnmfh_10.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NwCplMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="redistributor"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\redistributor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\oouw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oouwm"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\COMMON~1\\oouw\\oouwm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pop06ap]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pop06ap2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\pop06ap2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pop06apelt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="thiselt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\thiselt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\qoelk]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uassjv"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\uassjv.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RegiFast]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RFManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\RegiFast\\RFManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RelevantKnowledge]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rlvknlg"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\rlvknlg.exe -boot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\shell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ibm00001"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\ibm00001.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ShStatEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SHSTAT"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpySheriff]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySheriff"
"hkey"="HKCU"
"command"="C:\\Program Files\\SpySheriff\\SpySheriff.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SysTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lbfh"
"hkey"="HKLM"
"command"="c:\\Program Files\\lbfh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Duce6"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Duce6.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ToolbarInstall]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MirarSetup_876075"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\MirarSetup_876075.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\trwkjt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uassjv"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\uassjv.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ttuzopiA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ttuzopiA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ttuzopiA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Updreg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Updreg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\w0129ac1.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w0129ac1.dll,I2 00301d8300129ac1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\webHancer Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whAgent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\webHancer Survey Companion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whSurvey"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winstall"
"hkey"="HKCU"
"command"="C:\\winstall.exe"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Completion time: Wed 08/23/2006 17:28:30.98
ComboFix.txt
ComboFix2.txt
ComboFix3.txt

#14 pomp

    Malware Fighter


  • Members
  • 362 posts
  • Gender:Male
  • Location:Jersey Shore
  • Local time:07:18 PM

Posted 23 August 2006 - 06:13 PM

Hello.


Please go to start-run and type in notepad .. Copy and paste the following in the code box below, into notepad:

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^nhftp.exe]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ACTX1]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ad8rIU3s]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CAS2]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\dal01d86]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\defender]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Internet Optimizer]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\k6mmN5IOU]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\keyboard]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\loaddr]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ms0543935-5702]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ms063935-57024]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\newname]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\oouw]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pop06ap]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pop06apelt]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\qoelk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RelevantKnowledge]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SurfSideKick 3]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TheMonitor]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ToolbarInstall]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\trwkjt]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ttuzopiA]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\w0129ac1.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows installer]

In notepad go to File-save as .. Save as: All Files .. name it: fix.reg .. Save it to the desktop...
Double click on fix.reg and when it asks to merge into the registry, let it.

Restart your computer.

Please now scan with combofix.

Please also do this:
Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Along with the uninstall_list, post the combofix log.

We are almost there! ;)


My help in removing spyware is free, but if you'd like to donate: Donate



PLEASE DON'T PM ME OR EMAIL ME WITH HELP ON LOGS :). POST IN THE FORUM INSTEAD


#15 Steel-Spevenburg

  • Topic Starter

  • Members
  • 11 posts
  • Local time:06:18 PM

Posted 25 August 2006 - 04:56 PM

ComboFix Log:

Sean - 06-08-25 16:50:03.59
ComboFix 06.08.24 - Running from: C:\Documents and Settings\Sean\Desktop

((((((((((((((((((((((((((((((( Files Created from 2006-07-25 to 2006-08-25 ))))))))))))))))))))))))))))))))))


2006-08-16 00:37 213,072 --a------ C:\Qoofix.dll
2006-08-16 00:37 102,400 --a------ C:\Qoofix.exe
2006-08-15 10:45 102,420 --a------ C:\WINDOWS\system32\xvqnpxwl.dll
2006-08-14 14:53 183,296 --a-s---- C:\WINDOWS\NDNuninstall7_22.exe
2006-08-14 14:49 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-08-14 14:49 50,688 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe
2006-08-12 15:18 56,832 --a------ C:\WINDOWS\system32\Iyvu9_32.dll
2006-08-12 15:18 144,384 --a------ C:\WINDOWS\system32\Iacenc.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-24 18:35 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-24 18:35 -------- d-------- C:\Program Files\QuickTime
2006-08-23 23:18 -------- d---s---- C:\Documents and Settings\Sean\Application Data\Microsoft
2006-08-23 17:28 -------- d-------- C:\Program Files\Mozilla Firefox
2006-08-21 00:19 -------- d-------- C:\Documents and Settings\Sean\Application Data\Adobe
2006-08-18 15:22 -------- d-------- C:\Program Files\Common Files
2006-08-16 21:05 -------- d-------- C:\Program Files\MSN Gaming Zone
2006-08-16 21:05 -------- d-------- C:\Program Files\Common Files\oouw
2006-08-16 19:24 -------- d-------- C:\Program Files\Webroot
2006-08-16 19:24 -------- d-------- C:\Documents and Settings\Sean\Application Data\Webroot
2006-08-16 00:40 -------- d-------- C:\Program Files\CleanUp!
2006-08-15 21:41 -------- d-------- C:\Program Files\Enigma Software Group
2006-08-15 06:14 -------- d-------- C:\Program Files\Internet Explorer
2006-08-14 17:51 -------- d-------- C:\Documents and Settings\Sean\Application Data\Lavasoft
2006-08-14 17:50 -------- d-------- C:\Program Files\Lavasoft
2006-08-14 15:31 -------- d--h----- C:\Program Files\WindowsUpdate
2006-08-14 15:31 -------- d-------- C:\Program Files\Windows NT
2006-08-14 14:33 -------- d-------- C:\Documents and Settings\Sean\Application Data\nView_Wallpaper
2006-08-12 15:29 -------- d-------- C:\Program Files\WinTV
2006-08-12 15:20 -------- d-------- C:\Documents and Settings\Sean\Application Data\Ulead Systems
2006-08-12 15:19 -------- d-------- C:\Program Files\SmartSound Software
2006-08-12 15:19 -------- d-------- C:\Program Files\Common Files\Ulead Systems
2006-08-12 15:18 -------- d-------- C:\Program Files\Intel
2006-08-12 15:17 -------- d-------- C:\Program Files\Windows Media Components
2006-08-12 15:16 -------- d-------- C:\Program Files\Ulead Systems
2006-08-12 15:16 -------- d-------- C:\Program Files\Common Files\InstallShield
2006-08-08 18:33 -------- d-------- C:\Program Files\Winamp
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-18 15:23 -------- d-------- C:\Program Files\Creative
2006-07-18 01:03 -------- d-------- C:\Program Files\Microsoft.NET
2006-07-18 01:03 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-07-07 16:41 15360 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2006-07-07 16:41 14848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2006-07-07 16:41 13824 --a------ C:\WINDOWS\system32\drivers\SSFS041A.sys
2006-07-07 16:41 117248 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="\"RUNDLL32.EXE\" C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=hex:5f,00,00,00
@=""
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e4,03,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Beyond TV.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Beyond TV.lnk"
"backup"="C:\\WINDOWS\\pss\\Beyond TV.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\SNAPST~1\\BEYOND~1\\BTVD3D~1.EXE "
"item"="Beyond TV"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Cisco Systems VPN Client.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Cisco Systems VPN Client.lnk"
"backup"="C:\\WINDOWS\\pss\\Cisco Systems VPN Client.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\CISCOS~1\\VPNCLI~1\\vpngui.exe \"-user_logon\""
"item"="Cisco Systems VPN Client"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NMBgMonitor"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\CTHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CTHELPER"
"hkey"="HKLM"
"command"="CTHELPER.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DeadAIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DeadAIM"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\Program Files\\AIM\\\\DeadAIM.ocm\",ExportedCheckODLs"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Desktop Calendar]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="CanDesk"
"hkey"="HKLM"
"command"="C:\\Program Files\\Desktop Calendar\\CanDesk.exe 9"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DevconDefaultDB]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="READREG /PSCONV={NO} /NO_DEFPS /FAIL=1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\READREG /PSCONV={NO} /NO_DEFPS /FAIL=1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DiskeeperSystray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DkIcon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Executive Software\\Diskeeper\\DkIcon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Jet Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADGJDet"
"hkey"="HKLM"
"command"="C:\\Program Files\\Creative\\SBAudigy\\PROGRAM\\ADGJDet.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\McAfeeUpdaterUI]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdaterUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\Common Framework\\UpdaterUI.exe\" /StartedFromRunKey"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NEWDOT~2"
"hkey"="HKLM"
"command"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NwCplMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="redistributor"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\redistributor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RegiFast]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RFManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\RegiFast\\RFManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\shell]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ibm00001"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Common Files\\Microsoft Shared\\Web Folders\\ibm00001.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ShStatEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SHSTAT"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Network Associates\\VirusScan\\SHSTAT.EXE\" /STANDALONE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SpySheriff]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySheriff"
"hkey"="HKCU"
"command"="C:\\Program Files\\SpySheriff\\SpySheriff.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_05\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SysTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="lbfh"
"hkey"="HKLM"
"command"="c:\\Program Files\\lbfh.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Updreg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Updreg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\webHancer Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whAgent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\webHancer Survey Companion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whSurvey"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winstall"
"hkey"="HKCU"
"command"="C:\\winstall.exe"
"inimapping"="0"


HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

Completion time: Fri 08/25/2006 16:51:05.50
ComboFix.txt
ComboFix2.txt
ComboFix3.txt


Uninstall List:

Ableton Live v3.0
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Photoshop CS
Adobe Reader 7.0.5
Adobe® Photoshop® Album Starter Edition 3.0
Antares Autotune DX v4.12
AOL Instant Messenger
Ares 1.8.7
Band-in-a-Box 2005
BitPim 0.8.08
BitTorrent 4.0.4
CleanUp!
Creative PlayCenter
Creative Recorder
DeadAIM
Google Earth
HijackThis 1.99.1
Impulse Modeler 1.8
Indeo® software
IToolsUtilitySuite_2005
iTunes
J2SE Runtime Environment 5.0 Update 1
J2SE Runtime Environment 5.0 Update 5
LimeWire 4.9.37
Live 5.0.1
Macromedia Dreamweaver MX 2004
Macromedia Extension Manager
Macromedia Flash MX 2004
Macromedia Flash Player 8
McAfee VirusScan Enterprise
Microsoft .NET Framework 1.1
Microsoft Office Professional Edition 2003
mIRC
Mozilla Firefox (1.0.7)
Mozilla Thunderbird (1.0.7)
MSXML 4.0 SP2 Parser and SDK
Multitrack Stopwatch
Nero 7 Demo
NoteWorthy Composer
NVIDIA Drivers
PG Music DirectX Plugins 1.3.3.1
QPST
QuickTime
RealPlayer
Reason 3.0.4
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893066)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917537)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
sfArk
SmartSound Quicktracks Plugin
Sony Sound Forge 7.0
Sound Blaster Audigy
Spy Sweeper
Syncrosoft's License Control
Timershot Powertoy for Windows XP
Tweak UI
Ulead VideoStudio 9.0
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Viewpoint Media Player
Voxengo Crunchessor VST 1.7
Voxengo Elephant VST 2.4
Voxengo Pristine Space VST 1.5
Voxengo Redunoise VST 1.4
Voxengo Soniformer VST 2.4.1
Voxengo Voxformer VST 1.6
VPN Client
Winamp (remove only)
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
WinZip
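
Added example, not part of any post in this thread: a way to check a key-deletion .reg file such as the fix.reg above against a later "Reg Loading Points" export, so that keys the fix targeted but that are still listed stand out. The two embedded texts are short excerpts copied from this thread's fix.reg and from the 25 August ComboFix log; the function names are hypothetical.

```python
import re

# Excerpt of the fix.reg posted in this thread (subset of its key list).
FIX_REG = r"""REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\qoelk]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\trwkjt]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\w0129ac1.dll]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows installer]
"""

# Excerpt of the "Reg Loading Points" section of the follow-up ComboFix log.
AFTER_LOG = r"""
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Windows installer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winstall"
"hkey"="HKCU"
"command"="C:\\winstall.exe"
"inimapping"="0"
"""

# A string value line: "name"="data", where \ and " are backslash-escaped.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s):
    # Undo the .reg escaping of backslash and double quote.
    return re.sub(r"\\(.)", r"\1", s)


def parse_deletions(reg_text):
    """Return the key paths a .reg file deletes, i.e. its [-KEY] headers."""
    keys = []
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[-") and line.endswith("]"):
            keys.append(line[2:-1])
    return keys


def parse_export(log_text):
    """Map each [KEY] header to its string values; other lines are ignored."""
    keys, current = {}, None
    for line in log_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]") and not line.startswith("[-"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                current[_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def verify_fix(reg_text, after_log):
    """Split deletion targets into keys gone from the later log and keys still listed."""
    # Registry key names are case-insensitive, so compare lowercased paths.
    exported = {k.lower(): (k, v) for k, v in parse_export(after_log).items()}
    removed, still_present = [], {}
    for target in parse_deletions(reg_text):
        hit = exported.get(target.lower())
        if hit is None:
            removed.append(target)
        else:
            still_present[hit[0]] = hit[1]
    return removed, still_present


if __name__ == "__main__":
    removed, still_present = verify_fix(FIX_REG, AFTER_LOG)
    print("gone from the later log:")
    for key in removed:
        print("  ", key)
    print("still listed in the later log:")
    for key, values in still_present.items():
        print("  ", key, "->", values.get("command", "(no string values)"))
```

On these excerpts the Startupreg\Windows installer entry and the (now empty) policies\explorer\Run key are reported as still listed, which matches the 25 August log above.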
