Need Some Help, Please.


13 replies to this topic

#1 Kittrell

  • Members, 8 posts

Posted 07 September 2006 - 02:31 PM

It would appear there are plenty more things out now that just a simple cleanup program (Spybot, etc.) cannot get rid of on their own. I downloaded hijackthis and here is the log below. Please, help me. I want my computer back. The only processes I want running are the base-level required ones. Even the safe processes that are not malware I would like to get out of the background; I rarely use any of them anyway.

Logfile of HijackThis v1.99.1
Scan saved at 2:14:37 PM, on 9/7/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\system32\d98dd1d2.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\perzum.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\PowerZip 7.0\PowerZip.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\PowerZip.tmp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pctoesb.exe
O2 - BHO: (no name) - {0257C40D-64FF-E5CF-DEAD-08C3ECB94D65} - C:\WINDOWS\system32\fypkqbk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsr66.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsy6.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\system32\comcap16.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [d98dd1d2.exe] C:\WINDOWS\system32\d98dd1d2.exe
O4 - HKLM\..\Run: [oudxbsc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\oudxbsc.dll,hzxtqhe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\perzum.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [d98dd1d2.exe] C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\d98dd1d2.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157332979718
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://systemdoctor.com/download/2006/cab/...FreeInstall.cab
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
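The log above carries the entry types a log helper reads first: the F2 UserInit value (anything after userinit.exe runs at every logon), O2 browser helper objects, O4 Run keys, O15 Trusted Zone additions and O16 downloaded ActiveX controls. As an added example that is not part of the original post or of HijackThis, the Python script below encodes those first-pass heuristics and runs them over a constructed excerpt of this log. The severity labels, the KNOWN_* allowlists and the MS_HOSTS list are my own assumptions; every hit is a lead for a person to verify, not an automatic deletion.

```python
# Added example (not from the original post): triage a HijackThis v1.99 log for the entries an
# analyst reads first. The rules are analyst heuristics, not a product's signature set.
import re
from dataclasses import dataclass
# Constructed sample: a verbatim excerpt of the log posted above.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pctoesb.exe
O2 - BHO: (no name) - {0257C40D-64FF-E5CF-DEAD-08C3ECB94D65} - C:\WINDOWS\system32\fypkqbk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsr66.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [d98dd1d2.exe] C:\WINDOWS\system32\d98dd1d2.exe
O4 - HKLM\..\Run: [oudxbsc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\oudxbsc.dll,hzxtqhe
O4 - HKLM\..\Run: [ControlPanel] C:\WINDOWS\system32\perzum.exe internat.dll,LoadKeyboardProfile
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [d98dd1d2.exe] C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\d98dd1d2.exe
O15 - Trusted Zone: *.dollarrevenue.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
"""

@dataclass
class Finding:
    section: str
    severity: str  # "high": almost never legitimate; "review": check the publisher by hand
    reason: str
    line: str

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
HEX_NAME = re.compile(r"\\[0-9a-f]{8}\.exe\b", re.I)             # e.g. d98dd1d2.exe
SYSTEM32 = re.compile(r"\\system32\\([^\\\s,]+)", re.I)
PROFILE_CACHE = re.compile(r"local settings\\(application data|temp)\\", re.I)
DLL_EXPORT_ARGS = re.compile(r"\.exe\s+\S+\.dll,\w+", re.I)       # "<dll>,<Export>" is rundll32 syntax
KNOWN_SYS32_RUN = {"ctfmon.exe"}                                  # assumed allowlist for this host
KNOWN_NONAME_BHO = {"sdhelper.dll"}   # Spybot S&D registers its IE helper without a display name
MS_HOSTS = ("go.microsoft.com", "update.microsoft.com", "download.microsoft.com")

def base(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].strip().lower()

def check_f2(body):
    # system.ini UserInit: every comma-separated entry after userinit.exe runs at logon
    m = re.search(r"UserInit=(.*)", body, re.I)
    extra = [p for p in m.group(1).split(",") if p.strip() and base(p) != "userinit.exe"] if m else []
    return ("high", "extra UserInit program(s): " + ", ".join(extra)) if extra else None

def check_o2(body):
    name, path = body.split(":", 1)[1].split(" - ")[0].strip(), body.rsplit(" - ", 1)[-1]
    if SYSTEM32.search(path):
        return ("high", "BHO loaded from system32; vendor BHOs install under Program Files")
    if name == "(no name)" and base(path) not in KNOWN_NONAME_BHO:
        return ("review", "unnamed BHO")
    return None

def check_o4(body):
    cmd = body.split("]", 1)[-1].strip()          # drop the "HKLM\..\Run: [name]" prefix
    low = cmd.lower()
    if PROFILE_CACHE.search(cmd):
        return ("high", "autorun from the user's Local Settings cache or Temp")
    if HEX_NAME.search(cmd):
        return ("high", "autorun with a random hex filename")
    if low.lstrip('"').startswith("iexplore.exe"):
        return ("high", "Internet Explorer launched to a URL at every logon")
    if "rundll32" not in low and DLL_EXPORT_ARGS.search(cmd):
        return ("high", "rundll32-style 'dll,Export' arguments handed to a different program")
    if "rundll32" in low:
        return ("review", "rundll32 loads a DLL export at logon; verify the DLL's publisher")
    m = SYSTEM32.search(cmd)
    if m and m.group(1).lower() not in KNOWN_SYS32_RUN:
        return ("review", "unrecognised system32 autorun: " + m.group(1))
    return None

def check_o16(body):
    src = body.rsplit(" - ", 1)[-1].strip().lower()
    if src.startswith("mk:@msitstore") or "\\temp\\" in src:
        return ("high", "ActiveX control sourced from a local CHM or Temp file")
    m = re.match(r"https?://([^/]+)", src)
    if m and not m.group(1).endswith(MS_HOSTS):
        return ("review", "ActiveX control downloaded from " + m.group(1))
    return None

CHECKS = {"F2": check_f2, "O2": check_o2, "O4": check_o4, "O16": check_o16,
          "O15": lambda body: ("high", "domain added to IE Trusted Zone (relaxed security)")}

def triage(log_text):
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m.group("sec") not in CHECKS:
            continue
        hit = CHECKS[m.group("sec")](m.group("body"))
        if hit:
            findings.append(Finding(m.group("sec"), hit[0], hit[1], raw.strip()))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG): print(f"[{f.severity}] {f.section} {f.reason}: {f.line}")
```

On the excerpt this reports ten findings: the UserInit tail, the two BHOs living in system32, both d98dd1d2.exe autoruns, perzum.exe taking rundll32-style arguments, the logon launch of iexplore.exe to a URL, the Trusted Zone entry and the CHM-sourced control as high, and the rundll32 load of oudxbsc.dll as review. The Adobe and Spybot BHOs, ctfmon.exe and the WGA control pass untouched, which is the point of the allowlists: a triage script should narrow the list, and the analyst still decides.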


#2 Kittrell

  • Topic Starter, Members, 8 posts

Posted 07 September 2006 - 02:39 PM

This is my GMER rootkit log, as well, though I did not run it in safe mode. Do I need to run this in safe mode?

GMER 1.0.10.10122 - http://www.gmer.net
Rootkit 2006-09-07 14:36:46
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.10 ----

SSDT sptd.sys ZwEnumerateKey
SSDT sptd.sys ZwEnumerateValueKey

---- Devices - GMER 1.0.10 ----

Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE 85986BF8

---- EOF - GMER 1.0.10 ----

#3 YounGun

  • The malware-fighting kid, Members, 244 posts, Location: Romania, Bucharest

Posted 07 September 2006 - 04:33 PM

OK, quite some problems :thumbsup: I need you to follow my advice exactly so you don't get reinfected.

Please download Combofix: http://download.bleepingcomputer.com/sUBs/combofix.exe
and save to the desktop.

1. Double click on combofix.exe & follow the prompts.
2. When finished, it will produce a logfile located at C:\ComboFix.txt.
3. Post the contents of that log in your next reply with a new hijackthis log.

Notes:
* Do not mouseclick combofix's window while it is running. That may cause your system to stall/hang.
* Do not proceed with the rest of the fix if you fail to run combofix
* Disable script blocking if you have NAV installed so it will not interfere with the fix. Trojan Hunter has been reported to detect combofix as Worm.Qiv.100.

Download and scan with CCleaner
1. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours"
2. Then select the items you wish to clean up.

In the Windows Tab:
Clean all entries in the "Internet Explorer" section except Cookies.
Clean all the entries in the "Windows Explorer" section.
Clean all entries in the "System" section.
Clean all entries in the "Advanced" section.
Clean any others that you choose.


In the Applications Tab:
Clean all except cookies in the Firefox/Mozilla section if you use it.
Clean all in the Opera section if you use it.
Clean Sun Java in the Internet Section.
Clean any others that you choose.

3. Click the "Run Cleaner" button.
4. A pop up box will appear advising this process will permanently delete files from your system.
5. Click "OK" and it will scan and clean your system.
6. Click "exit" when done.

Step 1: Download and install Ewido Anti-Spyware v4.0
1. After download, double click on the file to launch the install process.
2. Choose a language, click "OK" and then click "Next".
3. Read the "License Agreement" and click "I Agree".
4. Accept default installation path: C:\Program Files\ewido anti-spyware 4.0, click "Next", then click "Install".
5. After setup completes, click "Finish" to start the program automatically or launch ewido by double-clicking its icon on your desktop or in the system tray.
6. The main "Status" menu will appear. Select "Change state" to inactivate 'Resident Shield' and 'Automatic Updates'.
7. Then right click on ewido in the system tray and uncheck "Start with Windows".
8. Go to Start > Run and type: services.msc
  • Press "OK".
  • Click the "Extended" tab and scroll down the list to find ewido anti-spyware 4.0 guard.
  • When you find the guard service, double-click on it.
  • In the Properties Window > General Tab that opens, click the "Stop" button.
  • From the drop-down menu next to "Startup Type", click on "Manual".
  • Now click "Apply", then "OK" and close the Services window.
9. Select the "Update" button and click "Start update". If you are having problems with the updater, manually update with the Ewido Full database installer from here. Exit Ewido when done - DO NOT perform a scan yet.

Step 2: Reboot your computer in "SAFE MODE" using the F8 method. To do this, restart your computer and after hearing your computer beep once during startup [but before the Windows icon appears] press the F8 key repeatedly. A menu will appear with several options. Use the arrow keys to navigate and select the option to run Windows in "Safe Mode".

Step 3: Scan with Ewido as follows:
1. Launch Ewido, click on the "Scanner" button and choose the "Settings" tab.
  • Under "How to act?", click on "Recommended actions" and choose "Quarantine" to set default action for detected malware.
  • Under "How to Scan?" check all (default).
  • Under "Possibly unwanted software" check all (default).
  • Under "What to Scan?" make sure "Scan every file" is selected (default).
  • Under "Reports" select "Automatically generate report after every scan" and UNcheck "Only if threats were found".
2. Click the "Scan" tab to return to scanning options.
3. Click "Complete System Scan" to start.
4. When the scan has finished you will be presented with a list of infected objects found. Click "Apply all actions" to place the files in Quarantine.

IMPORTANT! Do not save the report before you have clicked the Apply all actions button. If you do, the log that is created will indicate "No action taken", making it more difficult to interpret the report. So be sure you save it only AFTER clicking the "Apply all actions" button.

5. Click on "Save Report" to view all completed scans. Click on the most recent scan you just performed and select "Save report as" - the default file name will be in date/time format as follows: Report-Scan-20060620-142816.txt. Save to your desktop. A copy of each report will also be saved in C:\Program Files\ewido anti-spyware 4.0\Reports\
6. Exit Ewido when done and submit the log report in your next response.

Note: Close all open windows, programs, and DO NOT USE the computer while Ewido is scanning. If Explorer or other programs are open during the scan that means certain files will also be in use. Some malware will insert itself and hide in areas that are "protected" by Windows when the files are being used. This can hamper Ewido's ability to clean properly and may result in reinfection.

Note: If Ewido "crashes" or "hangs" during the scan, try scanning again by doing this:
1. Scan one sector of the system at a time by using the "Custom Scan" feature. To do this select Scanner > Custom Scan and click on Add drive/directory/file. Browse to C:\Windows > System, add this folder to the list and click on "Start Scan". When the scan is complete, repeat the Custom Scan but this time, browse to and add the System32 folder. Then keep repeating this procedure until all your folders have been scanned. Make sure you include the Documents & Settings folder.

2. If this still does not help, then turn the ADS scanner off while making a Custom Scan. To do this select Scanner > Scan Settings and untick "Scan in NTFS Alternate Data Streams". Then repeat the steps above for performing a Custom Scan.

Don't forget to submit both logs, from ComboFix and Ewido! Also post a new HijackThis log in your next reply.

#4 Kittrell

  • Topic Starter, Members, 8 posts

Posted 08 September 2006 - 06:08 AM

Sorry, a little short on time. Gonna just drop the logs and head to work:

Combofix:
HP_Administrator - 06-09-07 16:37:53.53
ComboFix 06.09.07 - Running from: C:\Documents and Settings\HP_Administrator\Desktop

Microsoft Windows XP [Version 5.1.2600]

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\cloudsim.exe


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\Duce6.exe
C:\WINDOWS\system32\adrot-uninst.exe
C:\WINDOWS\justin.exe
C:\WINDOWS\thiselt.exe
C:\WINDOWS\uninst104.exe


((((((((((((((((((((((((((((((( Files Created from 2006-08-07 to 2006-09-07 ))))))))))))))))))))))))))))))))))


2006-09-03 20:34 23,040 --------- C:\WINDOWS\kb913800.exe
2006-09-03 20:23 18,200 --a------ C:\WINDOWS\system32\wups2.dll
2006-09-01 20:57 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2006-08-30 11:05 80,384 --a------ C:\WINDOWS\system32\nsy6.dll
2006-08-28 17:02 94,720 --a------ C:\WINDOWS\system32\oudxbsc.dll
2006-08-28 17:02 72,704 --a------ C:\WINDOWS\system32\fypkqbk.dll
2006-08-28 16:40 674,634 --a------ C:\WINDOWS\unins001.exe
2006-08-27 20:00 20,992 --a------ C:\WINDOWS\system32\d98dd1d2.exe
2006-08-23 00:31 50,688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-08-23 00:31 5,906,432 --------- C:\WINDOWS\system32\ieframe.dll
2006-08-23 00:31 457,728 --------- C:\WINDOWS\system32\msfeeds.dll
2006-08-23 00:31 175,616 --------- C:\WINDOWS\system32\ieui.dll
2006-08-23 00:18 206,336 --------- C:\WINDOWS\system32\WinFXDocObj.exe
2006-08-23 00:13 11,776 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-08-23 00:11 12,288 --------- C:\WINDOWS\system32\msfeedssync.exe
2006-08-23 00:10 61,440 --------- C:\WINDOWS\system32\icardie.dll
2006-08-23 00:09 262,656 --------- C:\WINDOWS\system32\iertutil.dll
2006-08-22 23:36 380,928 --------- C:\WINDOWS\system32\ieapfltr.dll
2006-08-22 19:42 13,312 --a------ C:\WINDOWS\system32\dial23.exe
2006-08-22 19:39 6,421 --a------ C:\WINDOWS\system32\perzum.exe
2006-08-22 19:39 6,176 --a------ C:\WINDOWS\system32\t1t.exe
2006-08-21 09:47 58,880 --a------ C:\WINDOWS\system32\adrotate.dll
2006-08-21 00:32 32,955 --a------ C:\WINDOWS\system32\uninstIcn.exe
2006-08-21 00:29 61,952 --a------ C:\WINDOWS\system32\ccd4dd53.dll
2006-08-21 00:29 214,748 --a------ C:\WINDOWS\Setup90.exe
2006-08-21 00:29 2,560 --a------ C:\WINDOWS\ac3_0002.exe
2006-08-21 00:29 1,167 --a------ C:\WINDOWS\system32\ccd4dd53.sys
2006-08-17 09:40 79,360 --a------ C:\WINDOWS\system32\nsr66.dll
2006-08-11 11:05 155,648 --a------ C:\WINDOWS\sys09295153161.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-09-07 14:21 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-07 00:19 -------- d-------- C:\Program Files\XoftSpy
2006-09-04 21:34 -------- d-------- C:\Program Files\Windows Media Player
2006-09-04 21:34 -------- d-------- C:\Program Files\Windows Media Connect 2
2006-09-03 20:55 -------- d-------- C:\Program Files\Outlook Express
2006-09-03 20:55 -------- d-------- C:\Program Files\Common Files\System
2006-09-03 20:04 -------- d-------- C:\Program Files\Crazy Browser
2006-09-03 00:43 -------- d-------- C:\Program Files\eMule
2006-09-02 22:45 -------- d-------- C:\Program Files\Lavasoft
2006-09-02 22:45 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\Lavasoft
2006-09-01 21:14 -------- d-------- C:\Program Files\Internet Explorer
2006-08-29 11:22 -------- d-------- C:\Program Files\Trillian
2006-08-28 16:40 -------- d-------- C:\Program Files\EGOSOFT
2006-08-24 22:42 8704 --a------ C:\WINDOWS\system32\wdfmgr.exe
2006-08-24 22:42 8704 --a------ C:\WINDOWS\system32\uwdf.exe
2006-08-24 22:30 99840 --a------ C:\WINDOWS\system32\wmpshell.dll
2006-08-24 22:30 990208 --a------ C:\WINDOWS\system32\drmv2clt.dll
2006-08-24 22:30 937984 --a------ C:\WINDOWS\system32\WMNetMgr.dll
2006-08-24 22:30 8337920 --a------ C:\WINDOWS\system32\wmploc.dll
2006-08-24 22:30 790016 --------- C:\WINDOWS\system32\WMVSENCD.dll
2006-08-24 22:30 757248 --a------ C:\WINDOWS\system32\WMADMOD.dll
2006-08-24 22:30 7168 --a------ C:\WINDOWS\system32\asferror.dll
2006-08-24 22:30 656896 --a------ C:\WINDOWS\system32\WMVXENCD.dll
2006-08-24 22:30 63488 --a------ C:\WINDOWS\system32\wpdmtpus.dll
2006-08-24 22:30 629760 --a------ C:\WINDOWS\system32\wpd_ci.dll
2006-08-24 22:30 611840 --------- C:\WINDOWS\system32\wmpmde.dll
2006-08-24 22:30 603648 --a------ C:\WINDOWS\system32\WMSPDMOD.dll
2006-08-24 22:30 537600 --a------ C:\WINDOWS\system32\blackbox.dll
2006-08-24 22:30 532992 --a------ C:\WINDOWS\system32\wmdrmsdk.dll
2006-08-24 22:30 428032 --a------ C:\WINDOWS\system32\wmdrmdev.dll
2006-08-24 22:30 414208 --a------ C:\WINDOWS\system32\msscp.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wmvdmoe2.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wmvdmod.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\WMVADVE.DLL
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\WMVADVD.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wmsdmoe2.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wmsdmod.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\wdfapi.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\MPG4DMOD.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\MP4SDMOD.dll
2006-08-24 22:30 4096 --a------ C:\WINDOWS\system32\MP43DMOD.dll
2006-08-24 22:30 37376 --a------ C:\WINDOWS\system32\wmdmps.dll
2006-08-24 22:30 35840 --a------ C:\WINDOWS\system32\wpdconns.dll
2006-08-24 22:30 349184 --a------ C:\WINDOWS\system32\wpdsp.dll
2006-08-24 22:30 347648 --a------ C:\WINDOWS\system32\wmdrmnet.dll
2006-08-24 22:30 33792 --a------ C:\WINDOWS\system32\wmdmlog.dll
2006-08-24 22:30 320512 --a------ C:\WINDOWS\system32\mswmdm.dll
2006-08-24 22:30 316928 --------- C:\WINDOWS\system32\MP4SDECD.dll
2006-08-24 22:30 314368 --a------ C:\WINDOWS\system32\wmpdxm.dll
2006-08-24 22:30 305152 --------- C:\WINDOWS\system32\MSDelta.dll
2006-08-24 22:30 295424 --------- C:\WINDOWS\system32\wmpeffects.dll
2006-08-24 22:30 284160 --a------ C:\WINDOWS\system32\PortableDeviceApi.dll
2006-08-24 22:30 276480 --a------ C:\WINDOWS\system32\audiodev.dll
2006-08-24 22:30 27648 --a------ C:\WINDOWS\system32\mspmsnsv.dll
2006-08-24 22:30 259072 --------- C:\WINDOWS\system32\MPG4DECD.dll
2006-08-24 22:30 2589184 --------- C:\WINDOWS\system32\WpdShext.dll
2006-08-24 22:30 258560 --------- C:\WINDOWS\system32\MP43DECD.dll
2006-08-24 22:30 2450944 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-08-24 22:30 242176 --a------ C:\WINDOWS\system32\wmpasf.dll
2006-08-24 22:30 228352 --a------ C:\WINDOWS\system32\cewmdm.dll
2006-08-24 22:30 227328 --a------ C:\WINDOWS\system32\wmerror.dll
2006-08-24 22:30 222208 --a------ C:\WINDOWS\system32\WMASF.dll
2006-08-24 22:30 211968 --a------ C:\WINDOWS\system32\MFPLAT.dll
2006-08-24 22:30 210432 --a------ C:\WINDOWS\system32\qasf.dll
2006-08-24 22:30 204800 --a------ C:\WINDOWS\system32\wmpsrcwp.dll
2006-08-24 22:30 198144 --------- C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-08-24 22:30 179712 --a------ C:\WINDOWS\system32\msnetobj.dll
2006-08-24 22:30 175104 --a------ C:\WINDOWS\system32\mspmsp.dll
2006-08-24 22:30 166912 --a------ C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-08-24 22:30 1660416 --a------ C:\WINDOWS\system32\wmpencen.dll
2006-08-24 22:30 157184 --a------ C:\WINDOWS\system32\wmidx.dll
2006-08-24 22:30 154624 --a------ C:\WINDOWS\system32\wpdmtp.dll
2006-08-24 22:30 1539584 --a------ C:\WINDOWS\system32\WMVDECOD.dll
2006-08-24 22:30 1532416 --a------ C:\WINDOWS\system32\WMVENCOD.dll
2006-08-24 22:30 1392128 --------- C:\WINDOWS\system32\WMVSDECD.dll
2006-08-24 22:30 133120 --a------ C:\WINDOWS\system32\WPDShServiceObj.dll
2006-08-24 22:30 1327616 --a------ C:\WINDOWS\system32\WMSPDMOE.dll
2006-08-24 22:30 132096 --------- C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-08-24 22:30 130048 --------- C:\WINDOWS\system32\wmpps.dll
2006-08-24 22:30 11264 --a------ C:\WINDOWS\system32\LAPRXY.dll
2006-08-24 22:30 1118208 --a------ C:\WINDOWS\system32\WMADMOE.dll
2006-08-24 22:30 101888 --------- C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-08-24 20:31 100864 --a------ C:\WINDOWS\system32\logagent.exe
2006-08-24 20:27 249344 --a------ C:\WINDOWS\system32\drmupgds.exe
2006-08-24 20:26 95288 --------- C:\WINDOWS\system32\WUDFCoinstaller.dll
2006-08-24 20:26 38656 --a------ C:\WINDOWS\system32\drivers\wpdusb.sys
2006-08-24 20:26 17408 --------- C:\WINDOWS\system32\wpdshextautoplay.exe
2006-08-24 19:22 90112 --------- C:\WINDOWS\system32\drivers\WudfRd.sys
2006-08-24 19:19 316416 --------- C:\WINDOWS\system32\WUDFx.dll
2006-08-24 19:19 145920 --------- C:\WINDOWS\system32\WudfHost.exe
2006-08-24 19:18 84864 --------- C:\WINDOWS\system32\drivers\WudfPf.sys
2006-08-24 19:18 56320 --------- C:\WINDOWS\system32\WudfSvc.dll
2006-08-24 19:18 168448 --------- C:\WINDOWS\system32\WudfPlatform.dll
2006-08-23 00:31 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-08-23 00:31 225792 --a------ C:\WINDOWS\system32\webcheck.dll
2006-08-23 00:31 152064 --a------ C:\WINDOWS\system32\msls31.dll
2006-08-23 00:18 78336 --a------ C:\WINDOWS\system32\ieencode.dll
2006-08-23 00:17 40448 --a------ C:\WINDOWS\system32\licmgr10.dll
2006-08-23 00:17 105472 --a------ C:\WINDOWS\system32\url.dll
2006-08-23 00:17 100352 --a------ C:\WINDOWS\system32\occache.dll
2006-08-23 00:16 16896 --a------ C:\WINDOWS\system32\corpol.dll
2006-08-23 00:14 378368 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-08-23 00:14 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-08-23 00:13 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-08-23 00:13 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-08-23 00:13 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-08-23 00:13 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-08-23 00:13 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-08-23 00:13 122880 --a------ C:\WINDOWS\system32\advpack.dll
2006-08-23 00:10 35328 --a------ C:\WINDOWS\system32\imgutil.dll
2006-08-23 00:07 45568 --a------ C:\WINDOWS\system32\mshta.exe
2006-08-22 23:37 48128 --a------ C:\WINDOWS\system32\mshtmler.dll
2006-08-22 23:30 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-08-21 00:32 0 --a------ C:\Documents and Settings\HP_Administrator\Application Data\internaldb41.dat
2006-08-20 18:08 -------- d-------- C:\Program Files\Ultima Online 3D
2006-08-19 01:40 -------- d-------- C:\Program Files\PrintView
2006-08-17 18:33 -------- d-------- C:\Program Files\Symantec
2006-08-11 20:14 22752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-08-08 18:48 -------- d-------- C:\Program Files\Alcohol 120
2006-08-03 02:24 59904 --a------ C:\WINDOWS\system32\comcap16.dll
2006-08-02 17:31 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\AdobeUM
2006-08-02 16:49 -------- d-------- C:\Program Files\Windows NT
2006-07-31 03:00 -------- d-------- C:\Program Files\GemMaster
2006-07-28 19:12 -------- d-------- C:\Program Files\Quicken
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
2006-07-17 02:49 -------- d-------- C:\Program Files\Microsoft Visual Studio
2006-07-17 02:48 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-07-13 19:38 389120 --a------ C:\WINDOWS\system32\nodeipproc.dll
2006-07-08 01:47 223128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2006-07-08 01:46 -------- d-------- C:\Program Files\Railroad Tycoon 3
2006-07-08 01:09 34308 --a------ C:\WINDOWS\system32\BASSMOD.dll
2006-07-08 00:53 -------- d-------- C:\Program Files\Activision
2006-07-07 03:14 -------- d-------- C:\Documents and Settings\HP_Administrator\Application Data\OpenOffice.org2
2006-06-29 08:05 26112 --------- C:\WINDOWS\system32\idndl.dll
2006-06-29 08:05 23552 --------- C:\WINDOWS\system32\normaliz.dll
2006-06-28 17:59 24576 --------- C:\WINDOWS\system32\nlsdl.dll
2006-06-19 13:38 53248 --a------ C:\WINDOWS\uni_ehhhh.exe
2006-06-15 16:38 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-06-09 13:18 9 --a------ C:\WINDOWS\system32\sysddswa2.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d98dd1d2.exe"="C:\\WINDOWS\\system32\\d98dd1d2.exe"
"oudxbsc.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\oudxbsc.dll,hzxtqhe"
"ControlPanel"="C:\\WINDOWS\\system32\\perzum.exe internat.dll,LoadKeyboardProfile"
"adstart"="\"iexplore.exe\" \"http://iesettingsupdate\""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"d98dd1d2.exe"="C:\\Documents and Settings\\HP_Administrator\\Local Settings\\Application Data\\d98dd1d2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000095
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"InstallVisualStyle"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,\
63,65,73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,5c,52,6f,79,61,6c,65,2e,\
6d,73,73,74,79,6c,65,73,00
"InstallTheme"=hex(2):43,3a,5c,57,49,4e,44,4f,57,53,5c,52,65,73,6f,75,72,63,65,\
73,5c,54,68,65,6d,65,73,5c,52,6f,79,61,6c,65,2e,74,68,65,6d,65,00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^gfiha.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\gfiha.exe"
"backup"="C:\\WINDOWS\\pss\\gfiha.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\gfiha.exe"
"item"="gfiha"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\HP Digital Imaging Monitor.lnk"
"backup"="C:\\WINDOWS\\pss\\HP Digital Imaging Monitor.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Updates from HP.lnk"
"backup"="C:\\WINDOWS\\pss\\Updates from HP.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\UPDATE~1\\9972322\\Program\\UPDATE~1.EXE -startup"
"item"="Updates from HP"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^Adobe Gamma.lnk]
"path"="C:\\Documents and Settings\\HP_Administrator\\Start Menu\\Programs\\Startup\\Adobe Gamma.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^HP_Administrator^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
"path"="C:\\Documents and Settings\\HP_Administrator\\Start Menu\\Programs\\Startup\\OpenOffice.org 2.0.lnk"
"backup"="C:\\WINDOWS\\pss\\OpenOffice.org 2.0.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\OPENOF~1.0\\program\\QUICKS~1.EXE "
"item"="OpenOffice.org 2.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\adstart]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="\"iexplore"
"hkey"="HKLM"
"command"="\"iexplore.exe\" \"http://iesettingsupdate\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AlwaysReady Power Message APP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ARPWRMSG"
"hkey"="HKLM"
"command"="ARPWRMSG.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Anti-Blaxx Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Anti-Blaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\Anti-Blaxx 1.18\\Anti-Blaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccApp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccApp"
"hkey"="HKLM"
"command"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ccd4dd53]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w15d3798.dll,n 0034dd500000000215d3798"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ControlPanel]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="perzum"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\perzum.exe internat.dll,LoadKeyboardProfile"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DISCover]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DISCover"
"hkey"="HKLM"
"command"="C:\\Program Files\\DISC\\DISCover.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\DiscUpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DiscUpdateMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\DISC\\DiscUpdateMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ehTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ehtray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ehome\\ehtray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HP Software Update]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPwuSchd2"
"hkey"="HKLM"
"command"="C:\\Program Files\\HP\\HP Software Update\\HPwuSchd2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HPBootOp]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="HPBootOp"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Hewlett-Packard\\HP Boot Optimizer\\HPBootOp.exe\" /run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HPHUPD08]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hphupd08"
"hkey"="HKLM"
"command"="c:\\Program Files\\HP\\Digital Imaging\\{33D6CC28-9F75-4d1b-A11D-98895B3A3729}\\hphupd08.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IcoSet]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="adjust"
"hkey"="HKLM"
"command"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\IcoSet\\adjust.bat seticon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\irssyncd]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="irssyncd"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\irssyncd.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\IS CfgWiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cfgwiz"
"hkey"="HKLM"
"command"="c:\\Program Files\\Norton Internet Security\\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE \"REBOOT\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\klhyu]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oxvgtn"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\oxvgtn.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\noaxsl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="oxvgtn"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\oxvgtn.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nodeipproc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nodeipproc"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\nodeipproc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\PCDrProfiler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunProfiler"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\PC-Doctor 5 for Windows\\RunProfiler.exe\" -r"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pop06ap]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pop06ap2"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\pop06ap2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\pop06apelt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="thiselt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\thiselt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\Scbu]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dexplore"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\WNSXS~1\\dexplore.exe\" -vt mt"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SSC_UserPrompt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UsrPrmpt"
"hkey"="HKLM"
"command"="c:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\sys09295153161]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys09295153161"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys09295153161.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TheMonitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Duce6"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\Duce6.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\updateMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AdobeUpdateManager"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_7 -reboot 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\URLLSTCK.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UrlLstCk"
"hkey"="HKLM"
"command"="c:\\Program Files\\Norton Internet Security\\UrlLstCk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\webHancer Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whAgent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\webHancer Survey Companion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whSurvey"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\xload]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="xload"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\xload.exe\""
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Symantec NetDetect.job
C:\WINDOWS\tasks\Warranty Reminder 11 Months.job

Completion time: Thu 09/07/2006 16:44:27.60
ComboFix.txt

***

Ewido:
---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:40:22 AM 9/8/2006

+ Scan result:



C:\WINDOWS\system32\nodeipproc.dll -> Adware.BHO : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nsy6.dll -> Adware.EZula : Cleaned with backup (quarantined).
C:\WINDOWS\em.ocx -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\up9.exe -> Adware.MediaMotor : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nsr66.dll -> Adware.SideFind : Cleaned with backup (quarantined).
C:\Program Files\Alcohol Soft\Alcohol 120% Toolbar\a120_tb.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\WINDOWS\system32\adrotate.dll -> Adware.TrafficSol : Cleaned with backup (quarantined).
C:\Downloads\Game Files\RnR_JEOPARDY!_Setup-dm.exe -> Adware.Trymedia : Cleaned with backup (quarantined).
C:\WINDOWS\SET6E.tmp -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\Program Files\eMule\Incoming\o1~temp\characterfx v1.3.4.zip/characterfx v1.3.4.exe -> Downloader.Bagle.ak : Cleaned with backup (quarantined).
C:\WINDOWS\system32\comcap16.dll -> Downloader.Bomka.r : Cleaned with backup (quarantined).
C:\WINDOWS\system32\perzum.exe -> Downloader.Delf.aco : Cleaned with backup (quarantined).
C:\WINDOWS\pss\gfiha.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\system32\ccd4dd53.dll -> Downloader.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\t1t.exe -> Downloader.Small.awa : Cleaned with backup (quarantined).
C:\WINDOWS\ac3_0002.exe -> Downloader.Small.cyh : Cleaned with backup (quarantined).
C:\WINDOWS\sys09295153161.exe -> Downloader.VB.tw : Cleaned with backup (quarantined).
C:\WINDOWS\xload.exe -> Downloader.VB.wz : Cleaned with backup (quarantined).
C:\mx.exe -> Hijacker.VB.lb : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wexdin.exe -> Logger.VB.eh : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\CONFLICT.1\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\WINDOWS\Downloaded Program Files\USDR6_0001_D08M0404NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
:mozilla.40:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.41:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned with backup (quarantined).
:mozilla.10:C:\Documents and Settings\HP_Administrator\Application Data\Netscape\NSB\Profiles\ox2dnl7m.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.11:C:\Documents and Settings\HP_Administrator\Application Data\Netscape\NSB\Profiles\ox2dnl7m.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.239:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.268:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.289:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.292:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.42:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.43:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@maxis.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned with backup (quarantined).
:mozilla.442:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.74:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.75:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
:mozilla.76:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@rotator.adjuggler[2].txt -> TrackingCookie.Adjuggler : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@admarketplace[1].txt -> TrackingCookie.Admarketplace : Cleaned with backup (quarantined).
:mozilla.503:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.504:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.505:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.506:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.507:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.82:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned with backup (quarantined).
:mozilla.87:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
:mozilla.88:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Adtech : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.adtrak[1].txt -> TrackingCookie.Adtrak : Cleaned with backup (quarantined).
:mozilla.13:C:\Documents and Settings\HP_Administrator\Application Data\Netscape\NSB\Profiles\ox2dnl7m.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.14:C:\Documents and Settings\HP_Administrator\Application Data\Netscape\NSB\Profiles\ox2dnl7m.default\cookies.txt -> TrackingCookie.Advertising : Cleaned with backup (quarantined).
:mozilla.18:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned with backup (quarantined).
:mozilla.474:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
:mozilla.475:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
:mozilla.476:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
:mozilla.477:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned with backup (quarantined).
:mozilla.545:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.burstbeacon[2].txt -> TrackingCookie.Burstbeacon : Cleaned with backup (quarantined).
:mozilla.119:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
:mozilla.546:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www2.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@www5.click2begin[1].txt -> TrackingCookie.Click2begin : Cleaned with backup (quarantined).
:mozilla.131:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned with backup (quarantined).
:mozilla.451:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Clickhype : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ad1.clickhype[1].txt -> TrackingCookie.Clickhype : Cleaned with backup (quarantined).
:mozilla.135:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@com[1].txt -> TrackingCookie.Com : Cleaned with backup (quarantined).
:mozilla.144:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup (quarantined).
:mozilla.12:C:\Documents and Settings\HP_Administrator\Application Data\Netscape\NSB\Profiles\ox2dnl7m.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned with backup (quarantined).
:mozilla.468:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Enhance : Cleaned with backup (quarantined).
:mozilla.80:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@adopt.euroclick[1].txt -> TrackingCookie.Euroclick : Cleaned with backup (quarantined).
:mozilla.100:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.101:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.102:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.106:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.107:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.108:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.109:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.99:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Falkag : Cleaned with backup (quarantined).
:mozilla.176:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Findwhat : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@ads.gamershell[2].txt -> TrackingCookie.Gamershell : Cleaned with backup (quarantined).
C:\Documents and Settings\HP_Administrator\Cookies\hp_administrator@gamershell[1].txt -> TrackingCookie.Gamershell : Cleaned with backup (quarantined).
:mozilla.469:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
:mozilla.470:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
:mozilla.7:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\8wmg7aku.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
:mozilla.8:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\8wmg7aku.default\cookies.txt -> TrackingCookie.Goclick : Cleaned with backup (quarantined).
:mozilla.580:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.581:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.582:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.583:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned with backup (quarantined).
:mozilla.201:C:\Documents and Settings\HP_Administrator\Application Data\Mozilla\Firefox\Profiles\0bzf1bgp.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned with backup (qu

#5 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • Gender:Male
  • Location:Romania, Bucharest
  • Local time:06:07 AM

Posted 08 September 2006 - 08:24 AM

Please post a new HijackThis log also.

#6 Kittrell

Kittrell
  • Topic Starter

  • Members
  • 8 posts
  • Local time:11:07 PM

Posted 10 September 2006 - 07:00 PM

Sorry, been working a lot this weekend. Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 6:58:48 PM, on 9/10/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5700.0006)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\arservice.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\d98dd1d2.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\PowerZip 7.0\PowerZip.exe
C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\PowerZip.tmp\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.redirect.hp.com/svs/rdr?TYPE=3&a...&pf=desktop
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pctoesb.exe
O2 - BHO: (no name) - {0257C40D-64FF-E5CF-DEAD-08C3ECB94D65} - C:\WINDOWS\system32\fypkqbk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsr66.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsy6.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\system32\comcap16.dll (file missing)
O4 - HKLM\..\Run: [d98dd1d2.exe] C:\WINDOWS\system32\d98dd1d2.exe
O4 - HKLM\..\Run: [oudxbsc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\oudxbsc.dll,hzxtqhe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [d98dd1d2.exe] C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\d98dd1d2.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar3.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar3.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar3.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar3.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar3.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar3.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_05\bin\npjpi150_05.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra 'Tools' menuitem: Connection Help - {E2D4D26B-0180-43a4-B05F-462D6D54C789} - C:\WINDOWS\PCHEALTH\HELPCTR\Vendors\CN=Hewlett-Packard,L=Cupertino,S=Ca,C=US\IEButton\support.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.sxload.com
O15 - Trusted Zone: http://*.trymedia.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1157332979718
O16 - DPF: {F919FBD3-A96B-4679-AF26-F551439BB5FD} - http://systemdoctor.com/download/2006/cab/...FreeInstall.cab
O20 - Winlogon Notify: MCPClient - C:\PROGRA~1\COMMON~1\Stardock\mcpstub.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#7 Kittrell

Kittrell
  • Topic Starter

  • Members
  • 8 posts

Posted 10 September 2006 - 07:01 PM

I did post the HijackThis log, also, but it would appear that the message got far too long for the forum, so it cut the message off.

#8 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • Gender:Male
  • Location:Romania, Bucharest

Posted 11 September 2006 - 02:36 AM

Please download Brute Force Uninstaller to your desktop. (Right-click on this link and choose "Save as"; if using IE, "Save target as".)
  • Right-click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to, click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", uncheck the "Show Extracted Files" box and then click "Finish".
  • Download qoofix.bat (right-click on this link and choose "Save as"; if using IE, "Save target as")
  • Place qoofix.bat in your C:\BFU folder. (Important!)
  • Double-click qooFix.bat, then close all browsers and Explorer folders.
  • Choose option 1 (Qoolfix autofix) and follow the prompts.
  • Please be patient, it will take about five minutes.
  • After the PC has restarted please post another HijackThis log.


#9 Kittrell

Kittrell
  • Topic Starter

  • Members
  • 8 posts

Posted 12 September 2006 - 01:49 AM

Well, when I double-clicked qoofix.bat, it flashed a DOS prompt screen for a split second and closed. No effect.

#10 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • Gender:Male
  • Location:Romania, Bucharest

Posted 12 September 2006 - 02:26 AM

Have you placed qoofix.bat in your C:\BFU folder?

#11 Kittrell

Kittrell
  • Topic Starter

  • Members
  • 8 posts

Posted 12 September 2006 - 10:58 AM

Yes, it is sitting there within C:\BFU. Is it supposed to be 402 bytes in size?

#12 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • Gender:Male
  • Location:Romania, Bucharest

Posted 12 September 2006 - 11:33 AM

Never mind that, let's try a different approach:


Please download Qoofix 1.02 from this page:
http://www.malwarebytes.org/qoofix.php

Unzip to a convenient location such as C:\Qoofix.
Navigate to the folder you unzipped the files to and double click on the file named Qoofix.exe.
Finally, select Begin Removal and the removal process will commence.
A reboot may be necessary if an infection is found.
Your log from this tool will be located at C:\Qoofix\Qoofix Logfile.txt
Copy and paste the contents of that report into your next reply here.

#13 Kittrell

Kittrell
  • Topic Starter

  • Members
  • 8 posts

Posted 21 September 2006 - 02:28 PM

Sorry, it's been a long week. Couldn't get to this until now.

Qoofix log:

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [9/12/2006] at [10:23:29 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [9/12/2006] at [10:24:01 PM]

Note: Some registry keys may have been removed.

#14 YounGun

YounGun

    The malware-fighting kid


  • Members
  • 244 posts
  • Gender:Male
  • Location:Romania, Bucharest

Posted 22 September 2006 - 05:30 PM

Okie, let's try a different approach:

Please move HijackThis to a PERMANENT folder (example: c:\hijackthis). Do this before doing anything else.

Download and unzip Avenger to your desktop.

Start up Avenger.
Check the 'Input script manually' option.
Click the Magnifying Glass icon.
In the box that opens, copy, then paste all the text in the quote box below.

Files to delete:
C:\WINDOWS\kb913800.exe
C:\WINDOWS\system32\fypkqbk.dll
C:\WINDOWS\system32\nsr66.dll
C:\WINDOWS\system32\nsy6.dll
C:\WINDOWS\system32\comcap16.dll
C:\WINDOWS\system32\d98dd1d2.exe
C:\WINDOWS\system32\oudxbsc.dll
C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\d98dd1d2.exe
C:\WINDOWS\system32\cloudsim.exe


Then click on 'Done'.
Click the Traffic Light icon to start the program.
Then press OK at the prompts to reboot your PC.

Note: This script is for this topic only and should not be used for any other


Open HijackThis and check the following lines:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pctoesb.exe
O2 - BHO: (no name) - {0257C40D-64FF-E5CF-DEAD-08C3ECB94D65} - C:\WINDOWS\system32\fypkqbk.dll
O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsr66.dll (file missing)
O2 - BHO: SSL encrypt - {746455FE-D059-47e7-AF0E-140E03F5A447} - C:\WINDOWS\system32\nsy6.dll (file missing)
O2 - BHO: ComCap - {E1B2E864-8BFC-4072-AE11-924E0F8BBA96} - C:\WINDOWS\system32\comcap16.dll (file missing)
O4 - HKLM\..\Run: [d98dd1d2.exe] C:\WINDOWS\system32\d98dd1d2.exe
O4 - HKLM\..\Run: [oudxbsc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\oudxbsc.dll,hzxtqhe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [d98dd1d2.exe] C:\Documents and Settings\HP_Administrator\Local Settings\Application Data\d98dd1d2.exe

Press Fix checked and reboot.

After the reboot, run ewido and ComboFix again (in this order) and post the scan logs, the Avenger log and a new HijackThis log.

Edited by YounGun, 22 September 2006 - 05:32 PM.
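As an added illustration of how a helper triages a log like the one posted earlier in this thread (this script is not part of the thread and is not HijackThis's own code), here is a small Python parser that reads HijackThis entry lines and flags the same kinds of entries YounGun asked to have fixed: an extra program chained onto UserInit (F2), BHOs whose DLL sits directly in system32 or is already missing (O2), Run entries that launch an 8-hex-digit executable, load a system32 DLL through rundll32, or open a browser at a URL at logon (O4), Trusted Zone additions (O15), and ActiveX sources that are not plain http(s) downloads from an expected host (O16). The sample lines are copied from the log in post #6; the heuristics and the `TRUSTED_O16_HOSTS` allowlist are assumptions made for this example, and a hit means "review this entry", not "delete it".

```python
import re
from urllib.parse import urlparse

# Constructed sample: entries copied from the HijackThis log posted in this thread,
# with three benign entries from the same log (SDHelper, ctfmon, WGA) kept as controls.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,pctoesb.exe
O2 - BHO: (no name) - {0257C40D-64FF-E5CF-DEAD-08C3ECB94D65} - C:\WINDOWS\system32\fypkqbk.dll
O2 - BHO: SSL encrypt - {0B6899B6-1564-43e0-BD93-F7CF930A5E5C} - C:\WINDOWS\system32\nsr66.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [d98dd1d2.exe] C:\WINDOWS\system32\d98dd1d2.exe
O4 - HKLM\..\Run: [oudxbsc.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\oudxbsc.dll,hzxtqhe
O4 - HKLM\..\Run: [adstart] "iexplore.exe" "http://iesettingsupdate"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.dollarrevenue.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5526B4C6-63D6-41A1-9783-0FABF529859A} - mk:@MSITStore:C:\DOCUME~1\HP_ADM~1\LOCALS~1\Temp\mma.chm::/joysavsht.cab
"""

ENTRY_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
RUN_RE = re.compile(r"^HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
HEX_EXE_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)
SYSTEM32_FILE_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
BROWSERS = {"iexplore.exe", "firefox.exe"}
# Assumption for this example: hosts from which ActiveX (O16) installs are expected.
TRUSTED_O16_HOSTS = {"go.microsoft.com", "update.microsoft.com"}


def parse_log(text):
    """Keep only the 'Xn - body' entry lines; the header and process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append({"section": m["section"], "body": m["body"], "raw": line.strip()})
    return entries


def check_f2(body):
    """UserInit should chain nothing after userinit.exe (a trailing comma alone is normal)."""
    if "UserInit=" not in body:
        return None
    programs = [p.strip() for p in body.split("UserInit=", 1)[1].split(",") if p.strip()]
    extras = [p for p in programs if not p.lower().endswith("userinit.exe")]
    return ("extra program chained after userinit.exe: " + ", ".join(extras)) if extras else None


def check_o2(body):
    """BHO: <name> - {CLSID} - <dll path>[ (file missing)]"""
    path = body.rsplit(" - ", 1)[-1]
    reasons = []
    if path.endswith("(file missing)"):
        reasons.append("orphaned BHO registration (file missing)")
        path = path[: -len("(file missing)")].strip()
    if SYSTEM32_FILE_RE.match(path):  # heuristic: real BHOs normally live under Program Files
        reasons.append("BHO DLL dropped directly in system32")
    return "; ".join(reasons) or None


def check_o4(body):
    """Run-key entries: hex-named executables, rundll32 of a system32 DLL, browser-to-URL."""
    m = RUN_RE.match(body)
    if not m:
        return None
    cmd = m["cmd"]
    exes = [e.lower() for e in re.findall(r'[^\\\s"]+\.exe', cmd, re.IGNORECASE)]
    reasons = []
    if any(HEX_EXE_RE.match(e) for e in exes):
        reasons.append("executable with a random-looking 8-hex-digit name")
    if "rundll32.exe" in exes and re.search(r"\\system32\\[^\\\s,]+\.dll,", cmd, re.IGNORECASE):
        reasons.append("rundll32 loads a system32 DLL by export name at logon")
    if exes and exes[0] in BROWSERS and "http" in cmd.lower():
        reasons.append("logon entry opens a browser at a URL")
    return "; ".join(reasons) or None


def check_o16(body):
    """DPF: {CLSID} [(name)] - <source>; expect http(s) from an allowlisted host."""
    source = body.rsplit(" - ", 1)[-1]
    if not source.lower().startswith(("http://", "https://")):
        return "ActiveX source is not an http(s) download: " + source
    host = urlparse(source).hostname or ""
    return None if host in TRUSTED_O16_HOSTS else "ActiveX download from unexpected host: " + host


# O15: any site added to IE's Trusted Zone is worth a look, so it is always reported.
CHECKS = {"F2": check_f2, "O2": check_o2, "O4": check_o4, "O16": check_o16,
          "O15": lambda b: "site added to IE Trusted Zone: " + b.split(":", 1)[1].strip()}


def triage(text):
    """Return the entries a helper should look at, each with the reason it was flagged."""
    findings = []
    for entry in parse_log(text):
        check = CHECKS.get(entry["section"])
        reason = check(entry["body"]) if check else None
        if reason:
            findings.append({"section": entry["section"], "reason": reason, "raw": entry["raw"]})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['raw']}")
```

Run against the sample it reports eight entries, which are exactly the F2, O2, O4 and O15/O16 lines the helper singled out, while the Spybot SDHelper BHO (also "(no name)", but installed under Program Files), ctfmon.exe and the WGA control pass untouched. The rundll32 rule will also catch legitimate vendor applets that start this way, which is why the output is a review list and the human still checks the DLL before anything is fixed.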




