
So Much Problems


26 replies to this topic

#1 kim762


Posted 02 November 2006 - 09:02 PM

Hello, when I was on the internet a pop-up came up labelled mmov and it started to bring so much crap onto my computer, and now I really don't know what to do. I need help fast. This is my HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 5:46:57 PM, on 11/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Rwfpt Class - {0BDB22C0-BD18-4A40-9A9D-71F314BB75DB} - C:\WINDOWS\system32\lt5vsrs.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22-1.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\AUTOSE~1.DLL
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E5E2A3E7-00FE-4D31-A030-A10799DDCA66} - (no file)
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e46a.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdff_e46.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmff_e46.exe
O4 - HKLM\..\Run: [uuza0764] RUNDLL32.EXE w00c4c12.dll,n 006a075e0000000300c4c12
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [win32071621756151] C:\WINDOWS\win32071621756151.exe
O4 - HKLM\..\Run: [startemdoit] C:\WINDOWS\eltonehour.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKLM\..\Run: [sys025615116217] C:\WINDOWS\sys025615116217.exe
O4 - HKLM\..\Run: [win32086217561511] C:\WINDOWS\win32086217561511.exe
O4 - HKLM\..\Run: [drpXPd] "C:\WINDOWS\system32\rnnypbw.exe"
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [ms036151162175] C:\WINDOWS\ms036151162175.exe
O4 - HKLM\..\Run: [ms041511621756] C:\WINDOWS\ms041511621756.exe
O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Documents and Settings\HP_Owner\Internet Optimizer\optimize.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [WinMedia] C:\WINDOWS\loader1238343.exe
O4 - HKCU\..\Run: [Winstj] C:\WINDOWS\loader1239734.exe
O4 - HKCU\..\Run: [Winsts] C:\WINDOWS\loader1239734.exe
O4 - HKCU\..\Run: [Winstx] C:\WINDOWS\loader1239734.exe
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O4 - Global Startup: svchost.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O18 - Filter: text/html - {D1C66A56-872E-4489-BA60-04AA1E2996BB} - C:\WINDOWS\system32\lt5vsrs.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by illukka, 03 November 2006 - 01:56 AM.




#2 -David-


Posted 03 November 2006 - 11:19 AM

Hello there and welcome to Bleeping Computer's security forum.
My name is David, I will be helping you with your log today.

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print-out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Download LSPFix.exe to a convenient location. Do NOT run this program. This is only to be used if you lose Internet Access after removing NewDotNet.
To Get rid of NewDotNet, go to:
Start > Control Panel > Add or Remove Programs and remove the following:
New.Net Applications or New.Net Domains (anything that says New.Net)
If it is not there, go here and follow Procedure 4: NewDotNet Removal Procedure 4.

In the event that you lose Internet access after removing New.Net, please double-click LSPFix.exe that you downloaded earlier. You will see 2 panels. If there is any file listed in the "Remove" panel on the right-side, leave it as is and just click "Finish>>" then reboot your computer and you should now have access to the Internet. If nothing is listed under the "Remove Panel", do NOT do anything - just close the program. You will need to use another computer to come back here for further instructions on what to do.

Please download Combofix to your desktop.
Double-click combo.exe to launch the application.
Follow the prompts that will be displayed on the screen.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.

Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

Please post back with the 3 requested logs.
David
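As an added example for this thread (not code from BleepingComputer, HijackThis or ComboFix), a small Python triage script that reads the O4 autostart lines from a HijackThis log like the one in post #1 and flags the things a log helper checks by hand: programs launched straight from C:\ or C:\WINDOWS, several Run values pointing at one file, and Windows system-binary names outside System32. The embedded sample lines are copied from the log above; the flagging rules, thresholds and function names are this example's own.

```python
"""Triage the O4 (autostart) lines of a HijackThis log.

Added example for this thread; not code from BleepingComputer, HijackThis or
ComboFix. The flagging rules are this example's own heuristics, chosen to
mirror what a log helper looks for by hand.
"""
import re
from collections import defaultdict

# Two O4 shapes occur in the log above:
#   O4 - HKLM\..\Run: [name] command line
#   O4 - Global Startup: shortcut.lnk = C:\path\target.exe   (or just a bare file name)
RUN_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
STARTUP_RE = re.compile(r"^O4 - (?P<key>(?:Global )?Startup): (?P<cmd>.+)$")
# Shortest prefix ending in an executable extension, so unquoted paths with spaces survive
EXT_RE = re.compile(r"^(.*?\.(?:exe|dll|bat|cmd|vbs))(?=\s|,|$)", re.IGNORECASE)

# Genuine copies of these live in System32; anywhere else the name is borrowed.
SYSTEM_BINARIES = {"svchost.exe", "winlogon.exe", "csrss.exe", "lsass.exe",
                   "services.exe", "smss.exe"}
SUSPICIOUS_DIRS = {"c:", "c:\\windows"}

ROOT = "launched straight from the drive root or the Windows folder"
SYSNAME = "Windows system binary name outside System32"
BARE = "bare file name resolved via PATH, verify which copy actually runs"
DUP = "several autostart values launch the same file"


def extract_target(cmd):
    """Pull the file that actually runs out of a Run-value command line."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path: drop the arguments
        return cmd[1:cmd.find('"', 1)]
    tokens = cmd.split()
    if tokens[0].lower() in ("rundll32", "rundll32.exe") and len(tokens) > 1:
        return tokens[1].split(",", 1)[0]        # rundll32 foo.dll,Entry -> foo.dll
    m = EXT_RE.match(cmd)
    return m.group(1) if m else tokens[0]


def parse_o4(line):
    """Return (key, name, target) for an O4 line, None for anything else."""
    m = RUN_RE.match(line)
    if m:
        return m.group("key"), m.group("name"), extract_target(m.group("cmd"))
    m = STARTUP_RE.match(line)
    if m:
        name, sep, target = m.group("cmd").partition(" = ")
        if sep:                                  # "foo.lnk = C:\path\foo.exe"
            return m.group("key"), name, extract_target(target)
        return m.group("key"), name, extract_target(name)
    return None


def split_path(path):
    """Collapse doubled backslashes (the log shows C:\\\\file.exe) and split into (dir, base, path)."""
    while "\\\\" in path:
        path = path.replace("\\\\", "\\")
    d, sep, base = path.rpartition("\\")
    return (d.lower() if sep else ""), base.lower(), path


def triage(log_lines):
    """Return (names, target, reason) findings for every O4 line that trips a rule."""
    findings = []
    by_target = defaultdict(list)
    for entry in map(parse_o4, log_lines):
        if entry is None:
            continue
        _key, name, target = entry
        d, base, target = split_path(target)
        by_target[target.lower()].append(name)
        if d in SUSPICIOUS_DIRS:
            findings.append((name, target, ROOT))
        if base in SYSTEM_BINARIES and d != "c:\\windows\\system32":
            findings.append((name, target, SYSNAME))
        elif d == "":
            findings.append((name, target, BARE))
    for target, names in by_target.items():
        if len(names) > 1:                       # e.g. Winstj/Winsts/Winstx -> one loader
            findings.append((", ".join(names), target, DUP))
    return findings


# Constructed sample: a subset of the O4 lines from the log in post #1, plus one non-O4 line.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [defender] C:\\dfndrff_e46a.exe
O4 - HKLM\..\Run: [uuza0764] RUNDLL32.EXE w00c4c12.dll,n 006a075e0000000300c4c12
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\Duce6.exe
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Winstj] C:\WINDOWS\loader1239734.exe
O4 - HKCU\..\Run: [Winsts] C:\WINDOWS\loader1239734.exe
O4 - HKCU\..\Run: [Winstx] C:\WINDOWS\loader1239734.exe
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Global Startup: svchost.exe
O10 - Hijacked Internet access by New.Net
""".strip().splitlines()

if __name__ == "__main__":
    for names, target, reason in triage(SAMPLE_LOG):
        print(f"{names:45} {target:50} {reason}")
```

A hit is a prompt to look the entry up, not a verdict: AGRSMMSG.exe is a vendor modem agent that legitimately runs from a bare name, which is why the PATH rule only says "verify".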

#3 kim762


Posted 04 November 2006 - 02:13 PM

HP_Owner - 06-11-04 11:02:59.01 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\HP_Owner\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\HP_Owner\Application Data\Sskcwrd.dll
C:\Documents and Settings\HP_Owner\Application Data\Sskuknwrd.dll
C:\Documents and Settings\Jamal\Application Data\Sskcwrd.dll
C:\Documents and Settings\Jamal\Application Data\Sskknwrd.dll
C:\Documents and Settings\Jamal\Application Data\Sskuknwrd.dll
C:\WINDOWS\system32\dxclib303562752.dll
C:\Documents and Settings\HP_Owner\Application Data\Dxcdmns.dll
C:\Documents and Settings\HP_Owner\Application Data\Dxcknwrd.dll
C:\Documents and Settings\HP_Owner\Application Data\Dxcuknwrd.dll
C:\WINDOWS\system32\bkd.exe
C:\Program Files\DeluxeCommunications\bak
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
C:\Program Files\data19
C:\Program Files\data19


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\dxclib303562752.dll
C:\Program Files\DeluxeCommunications\bak
C:\Program Files\DeluxeCommunications\Dxc.exe
C:\Program Files\DeluxeCommunications\DxcBho.dll
C:\Program Files\DeluxeCommunications\DxcCore.dll
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\Duce6.exe
C:\WINDOWS\teller2.chk
C:\dfndrff_e46a.exe
C:\drsmartload.exe
C:\drsmartload1.exe
C:\deskbar.exe
C:\deskbar_e45.exe
C:\deskbar_e46.exe
C:\kybrdff_e45.exe
C:\kybrdff_e46.exe
C:\MTE3NDI6ODoxNgMTE3NDI6ODoxNg.exe
C:\MTE3NDI6ODoxNgnew.exe
C:\nwnmff_e45.exe
C:\nwnmff_e46.exe
C:\Documents and Settings\HP_Owner\Application Data\Install.dat
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
C:\Program Files\TClock\tclock_install.exe
C:\Program Files\Common Files\inetget
C:\Program Files\Common Files\services.exe
C:\RDFX4.exe
C:\WINDOWS\dh.dll
C:\WINDOWS\dh.dll_
C:\WINDOWS\dh.ini
C:\WINDOWS\xpupdate.exe
C:\WINDOWS\Downloaded Program Files\MediaTicketsInstaller.ocx
C:\WINDOWS\system32\aaa00000.dll
C:\WINDOWS\system32\aaa00000.sys
C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\Program Files\Common Files\Yazzle1136OinAdmin.exe
C:\Program Files\Common Files\Yazzle1136OinUninstaller.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Program Files\Common Files\mc-110-12-0000140.exe
C:\WINDOWS\system32\w00c4c12.dll
C:\WINDOWS\system32\w00c936b.dll
C:\WINDOWS\system32\w00c9698.dll
C:\WINDOWS\system32\w00ca0f8.dll
C:\WINDOWS\system32\w00ca240.dll
C:\Documents and Settings\LocalService\Application Data\NetMon
C:\Documents and Settings\All Users\Documents\Settings
C:\Program Files\Common Files\inetget
C:\Program Files\Common Files\misc001
C:\Program Files\Common Files\simtest
C:\Program Files\Common Files\svchostsys
C:\Program Files\batty2
C:\Program Files\DNS
C:\Program Files\Inetget2
C:\Program Files\Ipwins
C:\Program Files\network monitor
C:\Program Files\outlook
C:\Program Files\snowball wars
C:\Program Files\System Files
C:\Program Files\System Icons
C:\Program Files\wincmapp
C:\Program Files\windows
C:\Program Files\winupdates
C:\Program Files\Common Files\{68ACBD7A-0B75-1033-0126-050916200001}
C:\WINDOWS\IA
C:\Program Files\Deskbar
C:\Program Files\Deskbar

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\CROSOF~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\CROSOF~2
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\FNTS~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\ICROSO~1.NET
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\MANTEC~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\PPATCH~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\SKS~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\WNSXS~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\YSTEM~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\CROSOF~1\ntvdm.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\CROSOF~2\fast.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\FNTS~1\winlogon.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\MANTEC~1\javaw.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\SKS~1\chkdsk.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\YSTEM3~1\scanregw.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\YSTEM~1\rundll.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\YSTEM~1\?ystem
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CROSOF~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CURITY~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\FNTS~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\ICROSO~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\ICROSO~1.NET
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\MBOLS~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\RACLE~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\SSTEM3~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\STEM~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\WNSXS~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CROSOF~1\winlogon.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CROSOF~1\??crosoft
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CROSOF~1.NET\nslookup.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CROSOF~1.NET\??crosoft.NET
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CURITY~1\attrib.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\FNTS~1\regedit.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\ICROSO~1.NET\nopdb.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\MBOLS~1\chkntfs.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\MBOLS~1\??mbols
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\RACLE~1\?racle
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\SSTEM3~1\rundll.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\STEM~1\mmc.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\STEM~1\??stem
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\WNSXS~1\ntvdm.exe
C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\Program Files\CROSOF~1.NET
C:\QooBox\Purity\Program Files\FNTS~1
C:\QooBox\Purity\Program Files\FNTS~2
C:\QooBox\Purity\Program Files\MBOLS~1
C:\QooBox\Purity\Program Files\RACLE~1
C:\QooBox\Purity\Program Files\STEM~1
C:\QooBox\Purity\Program Files\WNSXS~1
C:\QooBox\Purity\Program Files\Common Files\ECURIT~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~2
C:\QooBox\Purity\Program Files\Common Files\MANTEC~1
C:\QooBox\Purity\Program Files\Common Files\MCROSO~1
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1
C:\QooBox\Purity\Program Files\Common Files\SSTEM~1
C:\QooBox\Purity\Program Files\Common Files\YMANTE~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\logonui.exe
C:\QooBox\Purity\Program Files\Common Files\MANTEC~1\msdtc.exe
C:\QooBox\Purity\Program Files\Common Files\SSTEM~1\rundll.exe
C:\QooBox\Purity\Program Files\Common Files\YMANTE~1\lsass.exe
C:\QooBox\Purity\Program Files\Common Files\YMANTE~1\?ymantec
C:\QooBox\Purity\Program Files\CROSOF~1\CROSOF~1
C:\QooBox\Purity\Program Files\CROSOF~1.NET\javaw.exe
C:\QooBox\Purity\Program Files\FNTS~2\FNTS~1
C:\QooBox\Purity\Program Files\FNTS~2\spool32.exe
C:\QooBox\Purity\Program Files\MBOLS~1\arpa.exe
C:\QooBox\Purity\Program Files\MBOLS~1\MBOLS~1
C:\QooBox\Purity\Program Files\WNSXS~1\W?nSxS
C:\QooBox\Purity\WINDOWS\APPATC~1
C:\QooBox\Purity\WINDOWS\ECURIT~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\SMANTE~1
C:\QooBox\Purity\WINDOWS\SSTEM3~1
C:\QooBox\Purity\WINDOWS\SSTEM~1
C:\QooBox\Purity\WINDOWS\WNSXS~1
C:\QooBox\Purity\WINDOWS\YMANTE~1
C:\QooBox\Purity\WINDOWS\APPATC~1\A?pPatch
C:\QooBox\Purity\WINDOWS\APPATC~1\nslookup.exe
C:\QooBox\Purity\WINDOWS\ECURIT~1\ECURIT~1
C:\QooBox\Purity\WINDOWS\ECURIT~1\ntvdm.exe
C:\QooBox\Purity\WINDOWS\FNTS~1\dllhost.exe
C:\QooBox\Purity\WINDOWS\FNTS~1\FNTS~1
C:\QooBox\Purity\WINDOWS\FNTS~1\javaw.exe
C:\QooBox\Purity\WINDOWS\SMANTE~1\mmc.exe
C:\QooBox\Purity\WINDOWS\SMANTE~1\SMANTE~1
C:\QooBox\Purity\WINDOWS\SSTEM3~1\s?stem32
C:\QooBox\Purity\WINDOWS\SSTEM3~1\winword.exe
C:\QooBox\Purity\WINDOWS\SSTEM~1\alg.exe
C:\QooBox\Purity\WINDOWS\SSTEM~1\s?stem
C:\QooBox\Purity\WINDOWS\system32\APPATC~1
C:\QooBox\Purity\WINDOWS\system32\APPATC~1\A?pPatch
C:\QooBox\Purity\WINDOWS\system32\APPATC~1\csrss.exe
C:\QooBox\Purity\WINDOWS\WNSXS~1\msdtc.exe
C:\QooBox\Purity\WINDOWS\YMANTE~1\ntvdm.exe
C:\QooBox\Purity\WINDOWS\YMANTE~1\?ymantec


((((((((((((((((((((((((((((((( Files Created from 2006-10-04 to 2006-11-04 ))))))))))))))))))))))))))))))))))


2006-11-02 17:22 29,696 --a------ C:\WINDOWS\system32\w01cb6f3.dll
2006-11-02 17:12 25,600 --a------ C:\WINDOWS\loader1239734.exe
2006-11-02 17:11 25,600 --a------ C:\WINDOWS\loader1238343.exe
2006-11-02 17:08 183,296 --a-s---- C:\WINDOWS\NDNuninstall7_22-1.exe
2006-11-02 17:07 25,600 --a------ C:\WINDOWS\ms041511621756.exe
2006-11-02 17:07 25,600 --a------ C:\WINDOWS\ms036151162175.exe
2006-11-02 17:07 163,840 --a------ C:\WINDOWS\win320862175615112006.exe
2006-11-02 17:07 163,840 --a------ C:\WINDOWS\sys0256151162172006.exe
2006-11-02 17:07 163,840 --a------ C:\WINDOWS\ms0361511621752006.exe
2006-11-02 17:06 96,768 --------- C:\WINDOWS\system32\dxclib303562752.dll
2006-11-02 17:06 28,672 --a------ C:\WINDOWS\system32\pgbr3p.exe
2006-11-02 17:06 204,800 --a------ C:\WINDOWS\system32\lt5vsrs.dll
2006-11-02 17:05 277,504 --a------ C:\WINDOWS\system32\durvil1.exe
2006-11-02 17:05 25,600 --a------ C:\WINDOWS\system32\rnnypbw.exe
2006-11-02 17:05 24,576 --a------ C:\WINDOWS\system32\t07grnpv.exe
2006-11-02 17:05 151,040 --a------ C:\WINDOWS\system32\durvil1.dll
2006-11-02 17:05 1,259 --a------ C:\WINDOWS\system32\uuza0764.sys
2006-11-02 17:04 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-02 17:04 61,952 --a------ C:\WINDOWS\system32\uuza0764.dll
2006-11-02 17:04 6,687 --a------ C:\WINDOWS\system32\ldcore.dll
2006-11-02 17:04 50,688 --a-s---- C:\WINDOWS\NDNuninstall6_38-1.exe
2006-11-02 17:04 28,672 --a------ C:\mc44a46.exe
2006-11-02 16:53 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2006-11-02 16:53 0 --a------ C:\WINDOWS\system32\taskkill.exe
2006-11-02 16:52 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-11-01 17:59 183,296 --a-s---- C:\WINDOWS\NDNuninstall7_22.exe
2006-11-01 17:58 434,176 --a------ C:\windows.exe
2006-11-01 17:56 25,600 --a------ C:\WINDOWS\win32071621756151.exe
2006-11-01 17:56 24,576 --a------ C:\mc44a45.exe
2006-11-01 17:56 163,840 --a------ C:\WINDOWS\sys1017561511622006.exe
2006-11-01 17:56 163,840 --a------ C:\WINDOWS\sys0175615116212006.exe
2006-11-01 17:54 9,767 --a------ C:\dollarrev.exe
2006-11-01 17:54 50,688 --a-s---- C:\WINDOWS\NDNuninstall6_38.exe
2006-11-01 17:54 25,600 --a------ C:\WINDOWS\eltonehour.exe
2006-11-01 17:54 178,306 --a------ C:\WINDOWS\ac3_0008.exe
2006-11-01 17:53 78,336 --a------ C:\WINDOWS\unwn.exe
2006-11-01 17:53 55,808 --a------ C:\WINDOWS\invqtjp.exe
2006-11-01 17:53 356,352 --a------ C:\162.exe
2006-11-01 17:53 2,560 --a------ C:\ac3_0003.exe
2006-11-01 17:52 45,056 --a------ C:\mpnaaq7.exe
2006-11-01 17:52 32,768 --a------ C:\DXC9.exe
2006-11-01 17:52 25,600 --a------ C:\WINDOWS\v1201.exe
2006-10-31 11:30 8,704 --a------ C:\WINDOWS\pvfUninstall.exe
2006-10-27 17:56 44,384 --ah----- C:\WINDOWS\gdggfuwff2tr8rt63fgrt.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-04 11:01 -------- d-------- C:\Program Files\Common Files
2006-11-04 11:00 -------- d-------- C:\Program Files\TClock
2006-11-02 18:18 25600 --a------ C:\WINDOWS\system32\ps2.exe
2006-11-02 18:18 25600 --a------ C:\WINDOWS\system32\hphmon06.exe
2006-11-02 18:18 25600 --a------ C:\WINDOWS\system32\hkcmd.exe
2006-11-02 18:18 25600 --a------ C:\WINDOWS\system32\ctfmon.exe
2006-11-02 18:18 25600 --a------ C:\WINDOWS\sys025615116217.exe
2006-11-02 18:18 -------- d-------- C:\Program Files\Norton Internet Security
2006-11-02 18:18 -------- d-------- C:\Program Files\iTunes
2006-11-02 18:18 -------- d-------- C:\Program Files\DeluxeCommunications
2006-11-02 18:18 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-02 17:43 -------- d-------- C:\Program Files\Morpheus
2006-11-02 17:33 -------- d-a-s---- C:\Program Files\NewDotNet
2006-11-02 17:16 36608 --a------ C:\WINDOWS\nem220.dll
2006-11-02 17:10 32208 ---hs---- C:\Program Files\Common Files\Y1324OU.exe
2006-11-02 17:09 -------- d-------- C:\Program Files\Easy Internet signup
2006-11-02 17:08 -------- d-------- C:\Program Files\microsoft frontpage
2006-11-02 17:08 -------- d-------- C:\Program Files\Internet Explorer
2006-11-02 17:07 -------- d-------- C:\Program Files\NetMeeting
2006-11-02 17:05 -------- d--h----- C:\Program Files\BHO Plugin
2006-11-02 16:54 -------- d---s---- C:\Documents and Settings\HP_Owner\Application Data\Microsoft
2006-11-02 16:54 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Symantec
2006-11-02 16:54 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Real
2006-11-02 16:53 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Identities
2006-11-02 15:36 -------- d-------- C:\Program Files\Windows Media Player
2006-11-02 15:36 -------- d-------- C:\Program Files\Common Files\Services
2006-11-01 18:03 8006 --a------ C:\WINDOWS\comdlj32.dll
2006-11-01 17:59 -------- d-------- C:\Program Files\BraveSentry
2006-11-01 17:54 -------- d-------- C:\Program Files\PSCastor
2006-10-31 19:28 -------- d-------- C:\Program Files\Surf Sidekick
2006-10-31 19:27 -------- d-------- C:\Program Files\Ares
2006-10-31 19:27 -------- d-------- C:\Program Files\AIM
2006-10-19 22:31 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Google
2006-10-17 20:37 -------- d-------- C:\Program Files\Google
2006-10-17 18:09 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Morpheus
2006-10-16 19:57 -------- d-------- C:\Program Files\MorpheusBar
2006-10-15 16:16 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\acccore
2006-10-15 16:15 -------- d-------- C:\Program Files\Viewpoint
2006-10-15 16:15 -------- d-------- C:\Program Files\Common Files\AOL
2006-10-15 16:15 -------- d-------- C:\Program Files\AOL
2006-10-15 16:15 -------- d-------- C:\Program Files\AOD
2006-10-15 16:14 -------- d-------- C:\Program Files\Common Files\aolshare
2006-10-15 15:53 -------- d-------- C:\Program Files\LimeWire
2006-10-15 15:46 -------- d-------- C:\Program Files\GreatMemo
2006-10-15 15:41 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\GreatMemo
2006-10-15 15:40 -------- d-------- C:\Program Files\WebSearch Toolbar
2006-10-15 15:37 -------- d-------- C:\Program Files\whInstall
2006-10-07 07:03 -------- d-------- C:\Program Files\Weather
2006-10-07 07:02 -------- d-------- C:\Program Files\VBouncer
2006-10-07 07:00 -------- d-------- C:\Program Files\Common Files\wwur
2006-09-22 10:23 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Aim
2006-09-22 06:38 53248 --a------ C:\WINDOWS\109uninst.exe
2006-09-22 06:36 53248 --a------ C:\WINDOWS\uni_7eh.exe
2006-09-11 19:50 3102 --a------ C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2006-09-10 18:20 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-10 17:40 -------- d-------- C:\Program Files\MySearch
2006-09-08 17:07 -------- d-------- C:\Program Files\ReflexiveArcade
2006-09-08 16:53 -------- d-------- C:\Program Files\NaviSearch
2006-09-08 16:15 -------- d-------- C:\Program Files\SpyWareWall
2006-09-07 18:04 -------- d-------- C:\Program Files\SelectRebates
2006-09-05 18:12 63232 --a------ C:\WINDOWS\wsem303.dll
2006-09-05 18:12 -------- d-------- C:\Program Files\Dbrhu
2006-09-01 09:15 0 --a------ C:\myPcsearch.exe
2006-08-06 10:33 0 --a------ C:\Documents and Settings\HP_Owner\Application Data\internaldb6334.dat
2006-08-06 10:25 57344 --a------ C:\WINDOWS\cs2m6f.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Winstj"="C:\\WINDOWS\\loader1239734.exe"
"Winsts"="C:\\WINDOWS\\loader1239734.exe"
"Winstx"="C:\\WINDOWS\\loader1239734.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"HPHUPD06"="c:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"IS CfgWiz"="c:\\Program Files\\Norton Internet Security\\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE \"REBOOT\""
"SSC_UserPrompt"="c:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"_SetRes"="c:\\hp\\bin\\cloaker c:\\hp\\bin\\res.bat"
"IcoSet"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\IcoSet\\adjust.bat seticon"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"uuza0764"="RUNDLL32.EXE w00c4c12.dll,n 006a075e0000000300c4c12"
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"
"win32071621756151"="C:\\WINDOWS\\win32071621756151.exe"
"startemdoit"="C:\\WINDOWS\\eltonehour.exe"
"sys025615116217"="C:\\WINDOWS\\sys025615116217.exe"
"win32086217561511"="C:\\WINDOWS\\win32086217561511.exe"
"drpXPd"="\"C:\\WINDOWS\\system32\\rnnypbw.exe\""
"ACTX1"="C:\\WINDOWS\\v1201.exe"
"ms036151162175"="C:\\WINDOWS\\ms036151162175.exe"
"ms041511621756"="C:\\WINDOWS\\ms041511621756.exe"
"thirdintel"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\intel_tweak\\intel_tweak3.cmd"
"Internet Optimizer"="\"C:\\Documents and Settings\\HP_Owner\\Internet Optimizer\\optimize.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\microsoft frontpage\\pomoho.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Internet Explorer\\mekefeby.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - HP_Owner.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-04 11:05:57.27
C:\ComboFix.txt ... 06-11-04 11:05
C:\ComboFix2.txt ... 06-11-04 10:58


Adobe Acrobat - Reader 6.0.2 Update
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
BHO
Blackhawk Striker 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 Remix from Hewlett-Packard Desktops (remove only)
Bounce Symphony from Hewlett-Packard Desktops (remove only)
CC_ccProxyExt
ccCommon
ccPxyCore
Crystal Maze from Hewlett-Packard Desktops (remove only)
DeluxeCommunications
Easy Internet Sign-up
Elinks
Help and Support Additions
HijackThis 1.99.1
HP Deskjet Preloaded Printer Drivers
HP Image Zone 4.5.3
HP Image Zone Plus 4.5.3
HP Organize
HP Photosmart Cameras 4.0
HP PSC & OfficeJet 4.0
HP Software Update
HPIZplus450
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
Internet Optimizer
InterVideo DiscLabel
InterVideo WinDVD Creator
InterVideo WinDVD Player
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
KBD
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
MediaTickets by OIN
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
MSRedist
muvee autoProducer 3.5 magicMoments - HPD
New.net Domains 7.22
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton Security Center
Norton WMI Update
Norton WMI Update
Orbital from Hewlett-Packard Desktops (remove only)
Overball from Hewlett-Packard Desktops (remove only)
PC-Doctor for Windows
Photosmart 320,370,7400,8100,8400 Series
Polar Bowler from Hewlett-Packard Desktops (remove only)
Polar Golfer from Hewlett-Packard Desktops (remove only)
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RealPlayer
Road Ready Streetwise from Hewlett-Packard Desktops (remove only)
Shrek 2 Ogre Bowler from Hewlett-Packard Desktops (remove only)
Sonic Express Labeler
Sonic RecordNow!
SPBBC
SpySubtract
Super Granny from Hewlett-Packard Desktops (remove only)
SymNet
Tradewinds from Hewlett-Packard Desktops (remove only)
Updates from HP
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB890175
Yazzle by OIN

#4 kim762

kim762
  • Topic Starter

  • Members
  • 18 posts

Posted 04 November 2006 - 02:15 PM

Logfile of HijackThis v1.99.1
Scan saved at 11:12:09 AM, on 11/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\wdfmgr.exe
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Rwfpt Class - {0BDB22C0-BD18-4A40-9A9D-71F314BB75DB} - C:\WINDOWS\system32\lt5vsrs.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22-1.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\AUTOSE~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [uuza0764] RUNDLL32.EXE w00c4c12.dll,n 006a075e0000000300c4c12
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [win32071621756151] C:\WINDOWS\win32071621756151.exe
O4 - HKLM\..\Run: [startemdoit] C:\WINDOWS\eltonehour.exe
O4 - HKLM\..\Run: [sys025615116217] C:\WINDOWS\sys025615116217.exe
O4 - HKLM\..\Run: [win32086217561511] C:\WINDOWS\win32086217561511.exe
O4 - HKLM\..\Run: [drpXPd] "C:\WINDOWS\system32\rnnypbw.exe"
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [ms036151162175] C:\WINDOWS\ms036151162175.exe
O4 - HKLM\..\Run: [ms041511621756] C:\WINDOWS\ms041511621756.exe
O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Documents and Settings\HP_Owner\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Winstj] C:\WINDOWS\loader1239734.exe
O4 - HKCU\..\Run: [Winsts] C:\WINDOWS\loader1239734.exe
O4 - HKCU\..\Run: [Winstx] C:\WINDOWS\loader1239734.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O18 - Filter: text/html - {D1C66A56-872E-4489-BA60-04AA1E2996BB} - C:\WINDOWS\system32\lt5vsrs.dll
O20 - AppInit_DLLs: dxclib303562752.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
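
The log above is the raw material a helper reads line by line. As an added example that is not part of this thread, of HijackThis or of any other tool named here, the following Python script parses HijackThis-style R*/O* lines and attaches a few coarse review hints. The sample lines are a subset copied from the log above; the heuristics (an executable sitting directly in C:\ or C:\WINDOWS\, a digit-heavy file name, rundll32 loading a DLL by bare name, any O10/O18/O20 entry) are my own assumptions and are a starting point for a reviewer, not a verdict. Note what they miss: the system32 file rnnypbw.exe from the [drpXPd] entry is not caught by any of them.

```python
"""Triage helper for HijackThis 1.99-style logs.

Added example for this thread; not HijackThis code and not part of any post.
SAMPLE_LOG is a constructed subset of the log in post #4. The heuristics are
assumptions that flag entries for a human to look at, not malware verdicts.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the HijackThis lines quoted in this thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [uuza0764] RUNDLL32.EXE w00c4c12.dll,n 006a075e0000000300c4c12
O4 - HKLM\..\Run: [win32071621756151] C:\WINDOWS\win32071621756151.exe
O4 - HKLM\..\Run: [drpXPd] "C:\WINDOWS\system32\rnnypbw.exe"
O4 - HKCU\..\Run: [Winstj] C:\WINDOWS\loader1239734.exe
O10 - Hijacked Internet access by New.Net
O18 - Filter: text/html - {D1C66A56-872E-4489-BA60-04AA1E2996BB} - C:\WINDOWS\system32\lt5vsrs.dll
O20 - AppInit_DLLs: dxclib303562752.dll
"""


@dataclass
class Entry:
    section: str                      # e.g. "O4"
    detail: str                       # text after "O4 - "
    reasons: list = field(default_factory=list)


LINE_RE = re.compile(r"^(?P<sec>R[0-3]|O\d{1,2}) - (?P<detail>.+)$")
RUN_RE = re.compile(r"^(?:HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
IMAGE_RE = re.compile(r"(?i)[a-z]:\\.*?\.(?:exe|dll|cmd|bat|scr|com)\b")
# Image sitting directly in C:\ or C:\WINDOWS\ rather than in a product folder.
TOP_LEVEL_RE = re.compile(r"(?i)^[a-z]:\\(?:windows\\)?[^\\]+$")


def parse_hjt(text):
    """Return one Entry per R*/O* line; headers and the process list are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append(Entry(m["sec"], m["detail"]))
    return entries


def _digit_heavy(path):
    # Heuristic: six or more digits in the file stem looks machine-generated.
    stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    return sum(c.isdigit() for c in stem) >= 6


def _triage_run(e, cmd):
    if cmd.lower().startswith("rundll32"):
        parts = cmd.split(None, 2)
        dll = parts[1].split(",")[0] if len(parts) > 1 else ""
        if dll and "\\" not in dll:
            e.reasons.append("rundll32 loads a DLL by bare name (search-path resolution)")
        return
    m = IMAGE_RE.search(cmd)
    if not m:
        return
    image = m.group(0)
    if TOP_LEVEL_RE.match(image):
        e.reasons.append("executable sits directly in C:\\ or C:\\WINDOWS\\")
    if _digit_heavy(image):
        e.reasons.append("file name is digit-heavy (looks generated)")


def triage(entries):
    """Attach review reasons; return only the entries that received at least one."""
    for e in entries:
        if e.section == "O10":
            e.reasons.append("Winsock LSP chain altered (O10)")
        elif e.section == "O18" and e.detail.startswith("Filter:"):
            e.reasons.append("MIME filter can rewrite pages before IE renders them (O18)")
        elif e.section == "O20" and e.detail.startswith("AppInit_DLLs:"):
            if e.detail.split(":", 1)[1].strip():
                e.reasons.append("AppInit_DLLs is loaded into every user32 process (O20)")
        elif e.section == "O4":
            m = RUN_RE.match(e.detail)
            if m:
                _triage_run(e, m["cmd"])
    return [e for e in entries if e.reasons]


def triage_log(text):
    return triage(parse_hjt(text))


if __name__ == "__main__":
    for e in triage_log(SAMPLE_LOG):
        print(f"{e.section}: {e.detail}")
        for r in e.reasons:
            print(f"    -> {r}")
```

Run against the sample it flags six of the nine parsed entries: the three Run values under C:\WINDOWS\ or loading a bare DLL name, and the O10, O18 and O20 lines; the Java updater, the Acrobat BHO and the system32 entry pass through unflagged, which is why the output is a reading list rather than a fix list.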

#5 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 04 November 2006 - 03:16 PM

Hello there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

I'm a bit concerned about a few files which seem to be legitimate.
However they seem to have been created when all this malware flooded your PC.
There is an infection which replaces legitimate files with malware versions.
I want to take a sample of a file and also another questionable file I've seen.

Please set your system to show all files.
Click Start, open My Computer, select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and run it.

Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\pvfUninstall.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\system32\hkcmd.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.
Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that was created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Click on start, then control panel, and then double-click on add/remove programs.
From within Add/Remove Programs, uninstall the following if they exist by double-clicking on the following entries:

DeluxeCommunications
Internet Optimizer
MediaTickets by OIN
New.net Domains 7.22
Yazzle by OIN


Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following if still present:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: Rwfpt Class - {0BDB22C0-BD18-4A40-9A9D-71F314BB75DB} - C:\WINDOWS\system32\lt5vsrs.dll
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll
O2 - BHO: URLLink - {4A2AACF3-ADF6-11D5-98A9-00E018981B9E} - C:\Program Files\NewDotNet\newdotnet7_22-1.dll
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\AUTOSE~1.DLL
O4 - HKLM\..\Run: [uuza0764] RUNDLL32.EXE w00c4c12.dll,n 006a075e0000000300c4c12
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [win32071621756151] C:\WINDOWS\win32071621756151.exe
O4 - HKLM\..\Run: [startemdoit] C:\WINDOWS\eltonehour.exe
O4 - HKLM\..\Run: [sys025615116217] C:\WINDOWS\sys025615116217.exe
O4 - HKLM\..\Run: [win32086217561511] C:\WINDOWS\win32086217561511.exe
O4 - HKLM\..\Run: [drpXPd] "C:\WINDOWS\system32\rnnypbw.exe"
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [ms036151162175] C:\WINDOWS\ms036151162175.exe
O4 - HKLM\..\Run: [ms041511621756] C:\WINDOWS\ms041511621756.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Documents and Settings\HP_Owner\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - HKCU\..\Run: [Winstj] C:\WINDOWS\loader1239734.exe
O4 - HKCU\..\Run: [Winsts] C:\WINDOWS\loader1239734.exe
O4 - HKCU\..\Run: [Winstx] C:\WINDOWS\loader1239734.exe
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O18 - Filter: text/html - {D1C66A56-872E-4489-BA60-04AA1E2996BB} - C:\WINDOWS\system32\lt5vsrs.dll
O20 - AppInit_DLLs: dxclib303562752.dll


Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Download KillBox from the following link :
http://www.bleepingcomputer.com/files/killbox.php
Unzip the folder to your desktop.

Start Killbox.exe
Select the "Delete on Reboot" option.
Click on the "All Files" button (!important!), which will then flash green.
Copy the complete text in bold below to the clipboard by highlighting the filepaths and pressing Control + C:

C:\WINDOWS\v1201.exe
C:\WINDOWS\system32\rnnypbw.exe
C:\WINDOWS\win32071621756151.exe
C:\WINDOWS\system32\w00c4c12.dll
C:\WINDOWS\system32\w01cb6f3.dll
C:\WINDOWS\loader1239734.exe
C:\WINDOWS\loader1238343.exe
C:\WINDOWS\NDNuninstall7_22-1.exe
C:\WINDOWS\ms041511621756.exe
C:\WINDOWS\ms036151162175.exe
C:\WINDOWS\win320862175615112006.exe
C:\WINDOWS\sys0256151162172006.exe
C:\WINDOWS\ms0361511621752006.exe
C:\WINDOWS\system32\dxclib303562752.dll
C:\WINDOWS\system32\pgbr3p.exe
C:\WINDOWS\system32\lt5vsrs.dll
C:\WINDOWS\system32\durvil1.exe
C:\WINDOWS\system32\rnnypbw.exe
C:\WINDOWS\system32\t07grnpv.exe
C:\WINDOWS\system32\durvil1.dll
C:\WINDOWS\system32\uuza0764.sys
C:\WINDOWS\system32\sporder.dll
C:\WINDOWS\system32\uuza0764.dll
C:\WINDOWS\system32\ldcore.dll
C:\WINDOWS\NDNuninstall6_38-1.exe
C:\mc44a46.exe
C:\WINDOWS\NDNuninstall7_22.exe
C:\windows.exe
C:\WINDOWS\win32071621756151.exe
C:\mc44a45.exe
C:\WINDOWS\sys1017561511622006.exe
C:\WINDOWS\sys0175615116212006.exe
C:\dollarrev.exe
C:\WINDOWS\NDNuninstall6_38.exe
C:\WINDOWS\eltonehour.exe
C:\WINDOWS\ac3_0008.exe
C:\WINDOWS\unwn.exe
C:\WINDOWS\invqtjp.exe
C:\162.exe
C:\ac3_0003.exe
C:\mpnaaq7.exe
C:\DXC9.exe
C:\WINDOWS\v1201.exe
C:\WINDOWS\gdggfuwff2tr8rt63fgrt.exe
C:\WINDOWS\sys025615116217.exe
C:\WINDOWS\nem220.dll
C:\Program Files\Common Files\Y1324OU.exe
C:\WINDOWS\comdlj32.dll
C:\WINDOWS\109uninst.exe
C:\WINDOWS\uni_7eh.exe
C:\WINDOWS\wsem303.dll
C:\WINDOWS\loader1239734.exe
C:\myPcsearch.exe
C:\WINDOWS\cs2m6f.exe
C:\WINDOWS\loader1239734.exe
C:\Program Files\microsoft frontpage\pomoho.html
C:\Program Files\Internet Explorer\mekefeby.html


Open 'File' in the Killbox menu at the top and choose Paste from clipboard.
You must use the File menu; pasting by right-clicking the mouse will only enter one file.
Then press the button that looks like a red circle with a white X in it.
Killbox will tell you that all listed files will be removed on next reboot and ask if you would like to reboot now; click "yes".
Click OK at any Pending File Rename Operations prompt, and let me know if they appear.
If you don't get that message, reboot manually.
Your computer should reboot now.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Please find and delete the following folders manually:

C:\Program Files\Dbrhu
C:\Program Files\MySearch
C:\Program Files\ReflexiveArcade
C:\Program Files\NaviSearch
C:\Program Files\SpyWareWall
C:\Program Files\SelectRebates
C:\Program Files\BraveSentry
C:\Program Files\PSCastor
C:\Program Files\Surf Sidekick
C:\Program Files\Viewpoint
C:\Program Files\WebSearch Toolbar
C:\Program Files\whInstall
C:\Program Files\Weather
C:\Program Files\VBouncer
C:\Program Files\Common Files\wwur
C:\Program Files\BHO Plugin
C:\Program Files\DeluxeCommunications
C:\Program Files\NewDotNet

Please open notepad and copy and paste the next bold part in it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]

Save this as "fix.reg". Choose to save as "all files" and place it on your desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.

Please reboot and post a new HijackThis log and ComboFix log.
David

Edited by D-Trojanator, 04 November 2006 - 03:29 PM.
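
Both the registry dump in post #3 and the fix.reg above use the REGEDIT4 text format: `[KEY]` opens a key, `[-KEY]` asks Regedit to delete it, and values come as escaped strings, `dword:` hex numbers or `hex:` byte lists that may continue over several lines with a trailing backslash. As an added example that is not part of this thread, of ComboFix, Regedit or HijackThis, here is a Python parser for that format together with a check a helper can run before posting a fix: does every key the fix deletes actually appear in the dump it was written against? SAMPLE_DUMP is a constructed subset of the dump in post #3 (given a REGEDIT4 header so that it is a valid file), and SAMPLE_FIX is the fix.reg from the post above; key names are compared case-insensitively, as the registry does.

```python
"""Parser for REGEDIT4-style .reg text, plus a check of a fix file against a dump.

Added example for this thread; not code from ComboFix, Regedit or HijackThis.
SAMPLE_DUMP is a constructed subset of the dump quoted in the thread, and
SAMPLE_FIX is the fix.reg posted above.
"""
import re

SAMPLE_DUMP = r"""
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"win32071621756151"="C:\\WINDOWS\\win32071621756151.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\microsoft frontpage\\pomoho.html"
"Flags"=dword:00002000
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"FriendlyName"="My Current Home Page"
"""

SAMPLE_FIX = r"""
REGEDIT4

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]

[-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"""

SECTION_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


def _unescape(s):
    # Undo .reg string escaping: a backslash protects the next character
    # (backslash-backslash and backslash-quote are the forms Regedit writes).
    out, i = [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            out.append(s[i + 1])
            i += 2
        else:
            out.append(s[i])
            i += 1
    return "".join(out)


def _decode_data(data):
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return _unescape(data[1:-1])          # REG_SZ
    if data.startswith("dword:"):
        return int(data[6:], 16)              # REG_DWORD
    if data.startswith("hex"):                # hex: or typed forms such as hex(7):
        body = data.split(":", 1)[1]
        return bytes(int(b, 16) for b in body.split(",") if b.strip())
    return data                                # unknown form: keep the raw text


def parse_reg(text):
    """Return {"header", "keys": {key: {name: value}}, "deletes": [key, ...]}."""
    header, keys, deletes, current = None, {}, [], None
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if not line or line.startswith(";"):
            continue
        if header is None and line.startswith(("REGEDIT4", "Windows Registry Editor")):
            header = line
            continue
        m = SECTION_RE.match(line)
        if m:
            if m["delete"]:
                deletes.append(m["key"])
                current = None
            else:
                current = m["key"]
                keys.setdefault(current, {})
            continue
        while line.endswith("\\") and i < len(lines):   # hex data continued on next line
            line = line[:-1] + lines[i].strip()
            i += 1
        m = VALUE_RE.match(line)
        if m and current is not None:
            raw = m["name"]
            name = "@" if raw == "@" else _unescape(raw[1:-1])
            keys[current][name] = _decode_data(m["data"])
    return {"header": header, "keys": keys, "deletes": deletes}


def check_fix(dump_text, fix_text):
    """For each [-KEY] in the fix, report whether that key exists in the dump."""
    present = {k.lower() for k in parse_reg(dump_text)["keys"]}
    return {k: k.lower() in present for k in parse_reg(fix_text)["deletes"]}


if __name__ == "__main__":
    for key, values in parse_reg(SAMPLE_DUMP)["keys"].items():
        print(key)
        for name, value in values.items():
            print(f"    {name} = {value!r}")
    for key, found in check_fix(SAMPLE_DUMP, SAMPLE_FIX).items():
        print(("present " if found else "MISSING ") + key)
```

With this sample the check reports components\0 as present and components\1 as missing, because the constructed dump only carries components 0 and 2; the full dump in post #3 has all three, so against it both deletions would check out. A mismatch here usually means a typo in the fix, which Regedit would otherwise merge silently.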


#6 kim762

kim762
  • Topic Starter

  • Members
  • 18 posts

Posted 04 November 2006 - 03:28 PM

Logfile of HijackThis v1.99.1
Scan saved at 12:25:41 PM, on 11/4/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\Explorer.EXE
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R3 - URLSearchHook: (no name) - _{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll (file missing)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Rwfpt Class - {0BDB22C0-BD18-4A40-9A9D-71F314BB75DB} - C:\WINDOWS\system32\lt5vsrs.dll (file missing)
O2 - BHO: (no name) - {40A2988E-C954-4DDE-BD08-453191805BB9} - C:\WINDOWS\system32\durvil1.dll (file missing)
O2 - BHO: AutoSearch - {A55581DC-2CDB-4089-8878-71A080B22342} - C:\DOCUME~1\ALLUSE~1\APPLIC~1\AUTOSE~1.DLL
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [_SetRes] c:\hp\bin\cloaker c:\hp\bin\res.bat
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [uuza0764] RUNDLL32.EXE w00c4c12.dll,n 006a075e0000000300c4c12
O4 - HKLM\..\Run: [win32071621756151] C:\WINDOWS\win32071621756151.exe
O4 - HKLM\..\Run: [startemdoit] C:\WINDOWS\eltonehour.exe
O4 - HKLM\..\Run: [sys025615116217] C:\WINDOWS\sys025615116217.exe
O4 - HKLM\..\Run: [win32086217561511] C:\WINDOWS\win32086217561511.exe
O4 - HKLM\..\Run: [ms036151162175] C:\WINDOWS\ms036151162175.exe
O4 - HKLM\..\Run: [ms041511621756] C:\WINDOWS\ms041511621756.exe
O4 - HKLM\..\Run: [thirdintel] c:\hp\bin\cloaker.exe c:\hp\bin\intel_tweak\intel_tweak3.cmd
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Documents and Settings\HP_Owner\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Winstj] C:\WINDOWS\loader1239734.exe
O4 - HKCU\..\Run: [Winsts] C:\WINDOWS\loader1239734.exe
O4 - HKCU\..\Run: [Winstx] C:\WINDOWS\loader1239734.exe
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Filter: text/html - {D1C66A56-872E-4489-BA60-04AA1E2996BB} - C:\WINDOWS\system32\lt5vsrs.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#7 kim762

kim762
  • Topic Starter

  • Members
  • 18 posts

Posted 04 November 2006 - 03:35 PM

HP_Owner - 06-11-04 12:26:47.89 Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\HP_Owner\Desktop"

((((((((((((((((((((((((((((((((((((((((((( E-Give / Ssk's Log )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\HP_Owner\Application Data\Dxccwrd.dll
C:\Documents and Settings\HP_Owner\Application Data\Dxcknwrd.dll
C:\Documents and Settings\HP_Owner\Application Data\Dxcuknwrd.dll
C:\Program Files\DeluxeCommunications\bak


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\Program Files\DeluxeCommunications\bak
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\CROSOF~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\CROSOF~2
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\FNTS~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\ICROSO~1.NET
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\MANTEC~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\PPATCH~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\SKS~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\WNSXS~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\YSTEM3~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\YSTEM~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\CROSOF~1\ntvdm.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\CROSOF~2\fast.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\FNTS~1\winlogon.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\MANTEC~1\javaw.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\SKS~1\chkdsk.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\YSTEM3~1\scanregw.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\YSTEM~1\rundll.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\Application Data\YSTEM~1\?ystem
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CROSOF~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CROSOF~1.NET
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CURITY~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\FNTS~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\ICROSO~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\ICROSO~1.NET
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\MBOLS~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\RACLE~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\SSTEM3~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\STEM~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\WNSXS~1
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CROSOF~1\winlogon.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CROSOF~1\??crosoft
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CROSOF~1.NET\nslookup.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CROSOF~1.NET\??crosoft.NET
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\CURITY~1\attrib.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\FNTS~1\regedit.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\ICROSO~1.NET\nopdb.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\MBOLS~1\chkntfs.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\MBOLS~1\??mbols
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\RACLE~1\?racle
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\SSTEM3~1\rundll.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\STEM~1\mmc.exe
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\STEM~1\??stem
C:\QooBox\Purity\Documents and Settings\HP_Owner\My Documents\WNSXS~1\ntvdm.exe
C:\QooBox\Purity\Program Files\CROSOF~1
C:\QooBox\Purity\Program Files\CROSOF~1.NET
C:\QooBox\Purity\Program Files\FNTS~1
C:\QooBox\Purity\Program Files\FNTS~2
C:\QooBox\Purity\Program Files\MBOLS~1
C:\QooBox\Purity\Program Files\RACLE~1
C:\QooBox\Purity\Program Files\STEM~1
C:\QooBox\Purity\Program Files\WNSXS~1
C:\QooBox\Purity\Program Files\Common Files\ECURIT~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~2
C:\QooBox\Purity\Program Files\Common Files\MANTEC~1
C:\QooBox\Purity\Program Files\Common Files\MCROSO~1
C:\QooBox\Purity\Program Files\Common Files\SMANTE~1
C:\QooBox\Purity\Program Files\Common Files\SSTEM~1
C:\QooBox\Purity\Program Files\Common Files\YMANTE~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\FNTS~1
C:\QooBox\Purity\Program Files\Common Files\FNTS~1\logonui.exe
C:\QooBox\Purity\Program Files\Common Files\MANTEC~1\msdtc.exe
C:\QooBox\Purity\Program Files\Common Files\SSTEM~1\rundll.exe
C:\QooBox\Purity\Program Files\Common Files\YMANTE~1\lsass.exe
C:\QooBox\Purity\Program Files\Common Files\YMANTE~1\?ymantec
C:\QooBox\Purity\Program Files\CROSOF~1\CROSOF~1
C:\QooBox\Purity\Program Files\CROSOF~1.NET\javaw.exe
C:\QooBox\Purity\Program Files\FNTS~2\FNTS~1
C:\QooBox\Purity\Program Files\FNTS~2\spool32.exe
C:\QooBox\Purity\Program Files\MBOLS~1\arpa.exe
C:\QooBox\Purity\Program Files\MBOLS~1\MBOLS~1
C:\QooBox\Purity\Program Files\WNSXS~1\W?nSxS
C:\QooBox\Purity\WINDOWS\APPATC~1
C:\QooBox\Purity\WINDOWS\ECURIT~1
C:\QooBox\Purity\WINDOWS\FNTS~1
C:\QooBox\Purity\WINDOWS\SMANTE~1
C:\QooBox\Purity\WINDOWS\SSTEM3~1
C:\QooBox\Purity\WINDOWS\SSTEM~1
C:\QooBox\Purity\WINDOWS\WNSXS~1
C:\QooBox\Purity\WINDOWS\YMANTE~1
C:\QooBox\Purity\WINDOWS\APPATC~1\A?pPatch
C:\QooBox\Purity\WINDOWS\APPATC~1\nslookup.exe
C:\QooBox\Purity\WINDOWS\ECURIT~1\ECURIT~1
C:\QooBox\Purity\WINDOWS\ECURIT~1\ntvdm.exe
C:\QooBox\Purity\WINDOWS\FNTS~1\dllhost.exe
C:\QooBox\Purity\WINDOWS\FNTS~1\FNTS~1
C:\QooBox\Purity\WINDOWS\FNTS~1\javaw.exe
C:\QooBox\Purity\WINDOWS\SMANTE~1\mmc.exe
C:\QooBox\Purity\WINDOWS\SMANTE~1\SMANTE~1
C:\QooBox\Purity\WINDOWS\SSTEM3~1\s?stem32
C:\QooBox\Purity\WINDOWS\SSTEM3~1\winword.exe
C:\QooBox\Purity\WINDOWS\SSTEM~1\alg.exe
C:\QooBox\Purity\WINDOWS\SSTEM~1\s?stem
C:\QooBox\Purity\WINDOWS\system32\APPATC~1
C:\QooBox\Purity\WINDOWS\system32\APPATC~1\A?pPatch
C:\QooBox\Purity\WINDOWS\system32\APPATC~1\csrss.exe
C:\QooBox\Purity\WINDOWS\WNSXS~1\msdtc.exe
C:\QooBox\Purity\WINDOWS\YMANTE~1\ntvdm.exe
C:\QooBox\Purity\WINDOWS\YMANTE~1\?ymantec


((((((((((((((((((((((((((((((( Files Created from 2006-10-04 to 2006-11-04 ))))))))))))))))))))))))))))))))))


2006-11-04 12:21 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2006-11-02 17:08 183,296 --------- C:\WINDOWS\NDNuninstall7_22-1.exe
2006-11-02 16:53 163,840 --a------ C:\WINDOWS\system32\igfxres.dll
2006-11-02 16:53 0 --a------ C:\WINDOWS\system32\taskkill.exe
2006-11-02 16:52 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2006-10-31 11:30 8,704 --a------ C:\WINDOWS\pvfUninstall.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-04 12:20 -------- d-------- C:\Program Files\microsoft frontpage
2006-11-04 12:20 -------- d-------- C:\Program Files\Internet Explorer
2006-11-04 12:05 -------- d-------- C:\Program Files\DeluxeCommunications
2006-11-04 11:43 -------- d-------- C:\Program Files\NewDotNet
2006-11-04 11:41 -------- d-------- C:\Program Files\Common Files
2006-11-04 11:32 -------- d-------- C:\Program Files\Morpheus
2006-11-04 11:00 -------- d-------- C:\Program Files\TClock
2006-11-02 18:18 25600 --a------ C:\WINDOWS\system32\ps2.exe
2006-11-02 18:18 25600 --a------ C:\WINDOWS\system32\hphmon06.exe
2006-11-02 18:18 25600 --a------ C:\WINDOWS\system32\hkcmd.exe
2006-11-02 18:18 25600 --a------ C:\WINDOWS\system32\ctfmon.exe
2006-11-02 18:18 -------- d-------- C:\Program Files\Norton Internet Security
2006-11-02 18:18 -------- d-------- C:\Program Files\iTunes
2006-11-02 18:18 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-11-02 17:09 -------- d-------- C:\Program Files\Easy Internet signup
2006-11-02 17:07 -------- d-------- C:\Program Files\NetMeeting
2006-11-02 16:54 -------- d---s---- C:\Documents and Settings\HP_Owner\Application Data\Microsoft
2006-11-02 16:54 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Symantec
2006-11-02 16:54 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Real
2006-11-02 16:53 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Identities
2006-11-02 15:36 -------- d-------- C:\Program Files\Windows Media Player
2006-11-02 15:36 -------- d-------- C:\Program Files\Common Files\Services
2006-10-31 19:27 -------- d-------- C:\Program Files\Ares
2006-10-31 19:27 -------- d-------- C:\Program Files\AIM
2006-10-19 22:31 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Google
2006-10-17 20:37 -------- d-------- C:\Program Files\Google
2006-10-17 18:09 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Morpheus
2006-10-16 19:57 -------- d-------- C:\Program Files\MorpheusBar
2006-10-15 16:16 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\acccore
2006-10-15 16:15 -------- d-------- C:\Program Files\Viewpoint
2006-10-15 16:15 -------- d-------- C:\Program Files\Common Files\AOL
2006-10-15 16:15 -------- d-------- C:\Program Files\AOL
2006-10-15 16:15 -------- d-------- C:\Program Files\AOD
2006-10-15 16:14 -------- d-------- C:\Program Files\Common Files\aolshare
2006-10-15 15:53 -------- d-------- C:\Program Files\LimeWire
2006-10-15 15:46 -------- d-------- C:\Program Files\GreatMemo
2006-10-15 15:41 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\GreatMemo
2006-10-07 07:00 -------- d-------- C:\Program Files\Common Files\wwur
2006-09-22 10:23 -------- d-------- C:\Documents and Settings\HP_Owner\Application Data\Aim
2006-09-11 19:50 3102 --a------ C:\Documents and Settings\HP_Owner\Application Data\wklnhst.dat
2006-09-10 18:20 -------- d-------- C:\Program Files\Mozilla Firefox
2006-09-07 18:04 -------- d-------- C:\Program Files\SelectRebates
2006-09-05 18:12 -------- d-------- C:\Program Files\Dbrhu
2006-08-06 10:33 0 --a------ C:\Documents and Settings\HP_Owner\Application Data\internaldb6334.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Winstj"="C:\\WINDOWS\\loader1239734.exe"
"Winsts"="C:\\WINDOWS\\loader1239734.exe"
"Winstx"="C:\\WINDOWS\\loader1239734.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="C:\\Program Files\\Java\\j2re1.4.2_03\\bin\\jusched.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"HPHUPD06"="c:\\Program Files\\HP\\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\\hphupd06.exe"
"HPHmon06"="C:\\WINDOWS\\system32\\hphmon06.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"iTunesHelper"="C:\\Program Files\\iTunes\\iTunesHelper.exe"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"ccApp"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"IS CfgWiz"="c:\\Program Files\\Norton Internet Security\\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE \"REBOOT\""
"SSC_UserPrompt"="c:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"AlcxMonitor"="ALCXMNTR.EXE"
"_SetRes"="c:\\hp\\bin\\cloaker c:\\hp\\bin\\res.bat"
"IcoSet"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\IcoSet\\adjust.bat seticon"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"LSBWatcher"="c:\\hp\\drivers\\hplsbwatcher\\lsburnwatcher.exe"
"Reminder"="\"C:\\Windows\\Creator\\Remind_XP.exe\""
"uuza0764"="RUNDLL32.EXE w00c4c12.dll,n 006a075e0000000300c4c12"
"win32071621756151"="C:\\WINDOWS\\win32071621756151.exe"
"startemdoit"="C:\\WINDOWS\\eltonehour.exe"
"sys025615116217"="C:\\WINDOWS\\sys025615116217.exe"
"win32086217561511"="C:\\WINDOWS\\win32086217561511.exe"
"ms036151162175"="C:\\WINDOWS\\ms036151162175.exe"
"ms041511621756"="C:\\WINDOWS\\ms041511621756.exe"
"thirdintel"="c:\\hp\\bin\\cloaker.exe c:\\hp\\bin\\intel_tweak\\intel_tweak3.cmd"
"Internet Optimizer"="\"C:\\Documents and Settings\\HP_Owner\\Internet Optimizer\\optimize.exe\""
"New.net Startup"="rundll32 C:\\PROGRA~1\\NEWDOT~1\\NEWDOT~2.DLL,ClientStartup -s"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{FA010552-4A27-4cb1-A1BB-3E2D697F1639}"="SpySubtract Shell Extension"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Easy Internet Sign-up.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - HP_Owner.job
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: 06-11-04 12:31:59.18
C:\ComboFix.txt ... 06-11-04 12:31
C:\ComboFix2.txt ... 06-11-04 11:05
C:\ComboFix3.txt ... 06-11-04 10:58

#8 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 04 November 2006 - 03:53 PM

Edit -- Thanks, received the files.
Please download the following file to your desktop:
http://noahdfear.geekstogo.com/FindAWF.exe

Run the file and copy and paste the output text here.

#9 kim762

kim762
  • Topic Starter

  • Members
  • 18 posts

Posted 04 November 2006 - 04:08 PM

Find AWF report by noahdfear 2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\!KillBox\loader1238343.exe"
25600 "C:\!KillBox\loader1239734.exe"
25600 "C:\!KillBox\ms036151162175.exe"
25600 "C:\!KillBox\ms041511621756.exe"
25600 "C:\!KillBox\sys025615116217.exe"
25600 "C:\!KillBox\win32071621756151.exe"
25600 "C:\hp\KBD\KBD.EXE"
25600 "C:\Program Files\AIM\aim.exe"
25600 "C:\Program Files\Ares\Ares.exe"
25600 "C:\Program Files\iTunes\iTunesHelper.exe"
25600 "C:\Program Files\Norton Internet Security\cfgwiz.exe"
25600 "C:\WINDOWS\CREATOR\Remind_XP.exe"
25600 "C:\WINDOWS\SMINST\RECGUARD.EXE"
25600 "C:\WINDOWS\system\hpsysdrv.exe"
25600 "C:\WINDOWS\system32\ctfmon.exe"
25600 "C:\WINDOWS\system32\hkcmd.exe"
25600 "C:\WINDOWS\system32\hphmon06.exe"
25600 "C:\WINDOWS\system32\ps2.exe"
25600 "C:\Documents and Settings\HP_Owner\Internet Optimizer\optimize.exe"
25600 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
25600 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
25600 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
25600 "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
25600 "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe"
25600 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
25600 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
25600 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
25600 "C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp"
25600 "C:\Program Files\Common Files\AOL\1160957683\ee\AOLSoftware.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~

C:\Program Files\AIM\aim.exe
C:\Program Files\Ares\Ares.exe
C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe
C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe
C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp
C:\Program Files\Common Files\AOL\1160957683\ee\AOLSoftware.exe


26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\BAK

11/02/2006 05:04 PM 430,080 dfndrff_e46a.exe
11/02/2006 05:04 PM 372,736 kybrdff_e46.exe
11/02/2006 05:04 PM 368,640 nwnmff_e46.exe
3 File(s) 1,171,456 bytes

Directory of C:\WINDOWS\BAK

11/01/2006 05:58 PM 106,496 Duce6.exe
11/01/2006 05:54 PM 65,536 eltonehour.exe
11/02/2006 05:12 PM 16,384 loader1239734.exe
11/02/2006 05:07 PM 163,840 ms036151162175.exe
11/02/2006 05:07 PM 163,840 ms041511621756.exe
09/22/2006 06:34 AM 163,840 sys025615116217.exe
11/01/2006 05:52 PM 110,592 v1201.exe
11/01/2006 05:56 PM 163,840 win32071621756151.exe
11/01/2006 05:58 PM 18,369 xpupdate.exe
9 File(s) 972,737 bytes

Directory of C:\HP\KBD\BAK

02/11/2003 06:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 02:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\ARES\BAK

11/22/2005 06:29 PM 1,219,584 Ares.exe
1 File(s) 1,219,584 bytes

Directory of C:\PROGRA~1\DELUXE~1\BAK


Directory of C:\PROGRA~1\ITUNES\BAK

10/13/2004 11:04 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

08/17/2004 09:36 PM 132,248 cfgwiz.exe
1 File(s) 132,248 bytes

Directory of C:\WINDOWS\CREATOR\BAK

12/14/2004 01:23 AM 663,552 Remind_XP.exe
1 File(s) 663,552 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 07:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 03:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 10:00 AM 15,360 ctfmon.exe
11/02/2004 02:59 PM 126,976 hkcmd.exe
06/07/2004 05:42 PM 659,456 hphmon06.exe
10/25/2004 08:17 PM 90,112 ps2.exe
10/30/2006 10:00 AM 1,138,688 rnnypbw.exe
5 File(s) 2,030,592 bytes

Directory of C:\DOCUME~1\HP_OWNER\INTERN~1\BAK

09/01/2006 01:52 PM 53,120 optimize.exe
1 File(s) 53,120 bytes

Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

10/14/2004 08:54 PM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

08/27/2004 10:22 PM 58,488 ccApp.exe
1 File(s) 58,488 bytes

Directory of C:\PROGRA~1\COMMON~1\WWUR\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\{AAC4F~1\BAK

06/07/2004 05:53 PM 49,152 hphupd06.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

02/17/2006 08:59 AM 124,520 IPHSend.exe
1 File(s) 124,520 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\LAUNCH\BAK

05/09/2006 04:24 PM 50,760 AOLLaunch.exe
1 File(s) 50,760 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

02/15/2005 01:02 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

08/05/2004 04:23 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

02/15/2005 12:37 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\BAK

08/04/2004 10:00 AM 158,208 MSConfig.exe
1 File(s) 158,208 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\116095~1\EE\BAK

05/09/2006 04:24 PM 50,760 AOLSoftware.exe
1 File(s) 50,760 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

430080 Nov 2 2006 "C:\bak\dfndrff_e46a.exe"
372736 Nov 2 2006 "C:\bak\kybrdff_e46.exe"
368640 Nov 2 2006 "C:\bak\nwnmff_e46.exe"
106496 Nov 1 2006 "C:\WINDOWS\bak\Duce6.exe"
65536 Nov 1 2006 "C:\WINDOWS\bak\eltonehour.exe"
65536 Nov 1 2006 "C:\Documents and Settings\NetworkService\Local Settings\Temp\Temporary Internet Files\Content.IE5\GTERSLMV\eltonehour[1].exe"
25600 Nov 2 2006 "C:\!KillBox\loader1238343.exe"
3072 Nov 2 2006 "C:\WINDOWS\bak\loader1238343.exe"
25600 Nov 2 2006 "C:\!KillBox\loader1239734.exe"
16384 Nov 2 2006 "C:\WINDOWS\bak\loader1239734.exe"
25600 Nov 2 2006 "C:\!KillBox\ms036151162175.exe"
163840 Nov 2 2006 "C:\bintheredunthat\ms0361511621752006.exe"
163840 Nov 2 2006 "C:\WINDOWS\bak\ms036151162175.exe"
25600 Nov 2 2006 "C:\!KillBox\ms041511621756.exe"
163840 Nov 2 2006 "C:\WINDOWS\bak\ms041511621756.exe"
25600 Nov 2 2006 "C:\!KillBox\sys025615116217.exe"
163840 Nov 2 2006 "C:\bintheredunthat\sys0256151162172006.exe"
163840 Sep 22 2006 "C:\WINDOWS\bak\sys025615116217.exe"
110592 Nov 1 2006 "C:\WINDOWS\bak\v1201.exe"
163840 Nov 2 2006 "C:\!KillBox\win320862175615112006.exe"
163840 Nov 1 2006 "C:\WINDOWS\bak\win32071621756151.exe"
18369 Nov 1 2006 "C:\WINDOWS\bak\xpupdate.exe"
25600 Nov 2 2006 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
25600 Oct 31 2006 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
25600 Oct 31 2006 "C:\Program Files\Ares\Ares.exe"
1219584 Nov 22 2005 "C:\Program Files\Ares\bak\Ares.exe"
25600 Nov 2 2006 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 13 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
268800 Mar 16 2006 "C:\Program Files\LimeWire\_\iTunes 5.0.0.35.exe"
268800 Mar 16 2006 "C:\Documents and Settings\HP_Owner\Shared\_\iTunes for Windows 4.2.exe"
268800 Mar 16 2006 "C:\Program Files\LimeWire\Shared\_\ITunes iSync v2.1.6.exe"
268800 Mar 16 2006 "C:\Documents and Settings\HP_Owner\My Documents\Morpheus Shared\_\ITunes iSync v2.1.6.exe"
25600 Nov 2 2006 "C:\Program Files\Norton Internet Security\cfgwiz.exe"
132248 Aug 17 2004 "C:\Program Files\Norton Internet Security\bak\cfgwiz.exe"
132248 Aug 17 2004 "C:\Program Files\Norton Internet Security\Norton AntiVirus\CfgWiz.exe"
25600 Nov 2 2006 "C:\WINDOWS\CREATOR\Remind_XP.exe"
663552 Dec 14 2004 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
268800 Mar 16 2006 "C:\Documents and Settings\HP_Owner\Shared\_\Remind 5.54.exe"
268800 Mar 16 2006 "C:\Program Files\LimeWire\Shared\_\Reminder v2.11d.exe"
25600 Nov 2 2006 "C:\WINDOWS\SMINST\RECGUARD.EXE"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
25600 Nov 2 2006 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
25600 Nov 2 2006 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
25600 Nov 2 2006 "C:\WINDOWS\system32\hkcmd.exe"
126976 Nov 2 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
25600 Nov 2 2006 "C:\WINDOWS\system32\hphmon06.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
25600 Nov 2 2006 "C:\WINDOWS\system32\ps2.exe"
90112 Oct 25 2004 "C:\hp\drivers\keyboard\PS2.EXE"
90112 Oct 25 2004 "C:\WINDOWS\system32\bak\ps2.exe"
1138688 Oct 30 2006 "C:\WINDOWS\system32\bak\rnnypbw.exe"
25600 Nov 2 2006 "C:\Documents and Settings\HP_Owner\Internet Optimizer\optimize.exe"
53120 Sep 1 2006 "C:\Documents and Settings\HP_Owner\Internet Optimizer\bak\optimize.exe"
25600 Nov 2 2006 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
25600 Nov 2 2006 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58488 Aug 27 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
25600 Nov 2 2006 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
49152 Jun 7 2004 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
25600 Oct 31 2006 "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
25600 Oct 31 2006 "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\1160957683\ee\aollaunch.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\Launch\bak\AOLLaunch.exe"
25600 Nov 2 2006 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Feb 15 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
25600 Nov 2 2006 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Aug 5 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
25600 Nov 2 2006 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
32881 Feb 15 2005 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
158208 Aug 4 2004 "C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe"
158208 Aug 4 2004 "C:\WINDOWS\pchealth\helpctr\binaries\bak\MSConfig.exe"
268800 Mar 16 2006 "C:\Program Files\LimeWire\Shared\_\AOLsoft IconExtractor v1.1.exe"
268800 Mar 16 2006 "C:\Documents and Settings\HP_Owner\My Documents\Morpheus Shared\_\AOLsoft IconExtractor v1.1.exe"
25600 Oct 31 2006 "C:\Program Files\Common Files\AOL\1160957683\ee\AOLSoftware.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\1160957683\ee\bak\AOLSoftware.exe"


end of report

#10 -David-

-David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 04 November 2006 - 04:57 PM

Ok, I've been doing some research and I'm up to speed with the infection now.
Let's move on to the next step - stick with this, it'll be interesting.

Please download, install, and update AVG antispyware
Load Ewido and then click the Update tab at the top.
Under Manual Update click Start update.

After the update finishes (the status bar at the bottom will display "Update successful"), click on the Scanner tab at the top.
Click the "Settings" tab and then change the recommended action to Quarantine.
Click Automatically generate report after every scan.
Click back to the "Scan" tab and then click on Complete System Scan.
This scan can take quite a while to run, so be prepared.
Ewido will list any infections found on the left hand side.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

When the scan has finished, it will automatically set the recommended action.
Click the Apply all actions button.
AVG antispyware will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As".
This will create a text file. Make sure you know where to find this file again (like on the Desktop).
Close AVG antispyware and reboot!! Post the log here.

David

Edited by D-Trojanator, 04 November 2006 - 04:57 PM.


#11 kim762

kim762
  • Topic Starter

  • Members
  • 18 posts

Posted 04 November 2006 - 06:20 PM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 3:17:21 PM 11/4/2006

+ Scan result:



C:\Documents and Settings\All Users\Application Data\AutoSearch.dll -> Adware.AutoSearch : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Classes\AutoSearch.AutoSearchObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Classes\AutoSearch.AutoSearchObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Classes\AutoSearch.AutoSearchObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Classes\AutoSearch.AutoSearchObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Classes\AutoSearch.AutoSearchObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Classes\AutoSearch.AutoSearchObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Classes\AutoSearch.AutoSearchObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Classes\AutoSearch.AutoSearchObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\Classes\AutoSearch.AutoSearchObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\Classes\AutoSearch.AutoSearchObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\Classes\AutoSearch.AutoSearchObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\Classes\AutoSearch.AutoSearchObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\Classes\AutoSearch.AutoSearchObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\Classes\AutoSearch.AutoSearchObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\Classes\AutoSearch.AutoSearchObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\Classes\AutoSearch.AutoSearchObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-3858116280-1495037334-1718047414-1009\Software\Classes\AutoSearch.AutoSearchObj -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-3858116280-1495037334-1718047414-1009\Software\Classes\AutoSearch.AutoSearchObj.1 -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-3858116280-1495037334-1718047414-1009\Software\Classes\AutoSearch.AutoSearchObj\CLSID -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKU\S-1-5-21-3858116280-1495037334-1718047414-1009\Software\Classes\AutoSearch.AutoSearchObj\CurVer -> Adware.CoolWebSearch : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-3858116280-1495037334-1718047414-1009\Software\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-3858116280-1495037334-1718047414-1009\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKU\S-1-5-21-3858116280-1495037334-1718047414-1009\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Adware.MoneyTree : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Adware.MoneyTree : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Adware.MoneyTree : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Adware.MoneyTree : Cleaned with backup (quarantined).
C:\!KillBox\NDNuninstall6_38-1.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\!KillBox\NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\!KillBox\NDNuninstall7_22-1.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\!KillBox\NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\New.net Startup -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKLM\SOFTWARE\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-19\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-20\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-3858116280-1495037334-1718047414-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-3858116280-1495037334-1718047414-1009\Software\New.net -> Adware.NewDotNet : Cleaned with backup (quarantined).
[1036] C:\Program Files\NewDotNet\newdotnet7_22-1.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
[1200] C:\Program Files\NewDotNet\newdotnet7_22-1.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
[1276] C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL -> Adware.NewDotNet : Cleaned with backup (quarantined).
[1868] C:\Program Files\NewDotNet\newdotnet7_22-1.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
[2388] C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL -> Adware.NewDotNet : Cleaned with backup (quarantined).
[596] C:\Program Files\NewDotNet\newdotnet7_22-1.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
[800] C:\Program Files\NewDotNet\newdotnet7_22-1.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
[868] C:\Program Files\NewDotNet\newdotnet7_22-1.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
[924] C:\Program Files\NewDotNet\newdotnet7_22-1.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8B28872-3324-4CD2-8AA3-7D555C872D96} -> Adware.Softomate : Cleaned with backup (quarantined).
HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8B28872-3324-4CD2-8AA3-7D555C872D96} -> Adware.Softomate : Cleaned with backup (quarantined).
HKU\S-1-5-21-3858116280-1495037334-1718047414-1009\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A8B28872-3324-4CD2-8AA3-7D555C872D96} -> Adware.Softomate : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\SpyWareWall -> Adware.SpywareWall : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\SpyWareWall\error.log -> Adware.SpywareWall : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\SpyWareWall\history.dat -> Adware.SpywareWall : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\SpyWareWall\schedule.dat -> Adware.SpywareWall : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\SpyWareWall\stats.log -> Adware.SpywareWall : Cleaned with backup (quarantined).
C:\Documents and Settings\All Users\Application Data\SpyWareWall\user.dat -> Adware.SpywareWall : Cleaned with backup (quarantined).
C:\!KillBox\lt5vsrs.dll -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\!KillBox\pgbr3p.exe -> Adware.Suggestor : Cleaned with backup (quarantined).
C:\!KillBox\dxclib303562752.dll -> Adware.SurfSide : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest.YOUR-4F1261A8E5\Local Settings\Temp\tm20147.exe -> Logger.Delf.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest.YOUR-4F1261A8E5\Local Settings\Temp\tm31698.exe -> Logger.Delf.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest.YOUR-4F1261A8E5\Local Settings\Temp\tm47703.exe -> Logger.Delf.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest.YOUR-4F1261A8E5\Local Settings\Temp\tm57256.exe -> Logger.Delf.or : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest.YOUR-4F1261A8E5\Local Settings\Temp\tm63281.exe -> Logger.Delf.or : Cleaned with backup (quarantined).
:mozilla.300:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.247realmedia : Cleaned.
:mozilla.168:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.192:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.301:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.325:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.72:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.73:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.75:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.76:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.77:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.78:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.79:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.80:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.81:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.82:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.83:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.84:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.85:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.86:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.87:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.88:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.224:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.225:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.226:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.227:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.228:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.229:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.230:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.231:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.236:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.237:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.238:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.239:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.240:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.241:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.242:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.243:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.244:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.245:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.246:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.318:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.319:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.320:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.321:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.322:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.323:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.324:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.351:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.352:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.353:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Aavalue : Cleaned.
:mozilla.378:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.98:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.367:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.368:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.369:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.370:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.371:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.372:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.500:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.553:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.555:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.558:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.559:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.561:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.562:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.563:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.564:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.611:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.628:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.503:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.504:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.505:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.506:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.507:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.41:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.43:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.44:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.53:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.57:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.58:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.59:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.60:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.61:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.62:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.63:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.64:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.65:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.66:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.67:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.150:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.438:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Bridgetrack : Cleaned.
:mozilla.32:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Burstbeacon : Cleaned.
:mozilla.35:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.36:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.37:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
:mozilla.10:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.11:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.12:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.13:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.14:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.7:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.530:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Guest.YOUR-4F1261A8E5\Cookies\guest@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
C:\Documents and Settings\Guest\Cookies\guest@centrport[1].txt -> TrackingCookie.Centrport : Cleaned.
:mozilla.565:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
:mozilla.501:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.502:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.447:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.499:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Coremetrics : Cleaned.
:mozilla.17:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.492:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.366:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.102:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.103:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.521:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Falkag : Cleaned.
:mozilla.99:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.515:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.516:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.623:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.182:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Hotlog : Cleaned.
:mozilla.625:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned.
:mozilla.627:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned.
:mozilla.108:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.109:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.110:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.567:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.568:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Liveperson : Cleaned.
:mozilla.30:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.31:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.397:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.398:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Onestat : Cleaned.
:mozilla.379:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Overture : Cleaned.
:mozilla.478:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.479:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.480:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.481:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.91:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.92:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Qksrv : Cleaned.
:mozilla.476:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\Guest.YOUR-4F1261A8E5\Cookies\guest@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.186:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.187:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.291:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.296:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.297:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.298:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.299:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.626:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Shopathomeselect : Cleaned.
:mozilla.491:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.183:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Spylog : Cleaned.
:mozilla.285:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.286:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.287:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Starware : Cleaned.
:mozilla.270:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.271:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.272:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.273:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.274:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.275:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.276:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.277:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.278:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.279:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.33:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.34:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.581:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Targetnet : Cleaned.
:mozilla.413:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.414:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Tradedoubler : Cleaned.
:mozilla.143:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.144:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.382:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Trafic : Cleaned.
:mozilla.146:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.430:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.431:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.432:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.433:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.434:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.435:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Valuead : Cleaned.
:mozilla.407:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Valueclick : Cleaned.
:mozilla.307:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.308:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
:mozilla.189:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.111:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.112:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.113:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.114:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.115:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.116:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Guest.YOUR-4F1261A8E5\Cookies\guest@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.175:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
:mozilla.176:C:\Documents and Settings\HP_Owner\Application Data\Mozilla\Firefox\Profiles\lhuokkrl.default\cookies.txt -> TrackingCookie.Zedo : Cleaned.
C:\Documents and Settings\Guest.YOUR-4F1261A8E5\Local Settings\Temp\197010_2656_5528_2924_79.41.tst1 -> Trojan.EliteBar.d : Cleaned with backup (quarantined).
C:\Documents and Settings\Guest.YOUR-4F1261A8E5\Local Settings\Temp\k_FD5C.tmp -> Trojan.EliteBar.f : Cleaned with backup (quarantined).


::Report end

#12 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 05 November 2006 - 05:17 PM

Hey there,

It is a good idea to print off these instructions:
This will be useful as there is a possibility some of the instructions will need to be carried out where internet access is not available.
You may also like to save these instructions in word/notepad to the desktop where they can be easily found for the same reasons as above.
A print out of the instructions would be a good reference to make sure you don't get lost.
Also, it is important that you complete the instructions in the right order, and also that you don't miss any steps out!
If you have any queries about the process or just general questions, just ask.

Please download the Suspicious File Packer from here:
http://www.safer-networking.org/files/sfp.zip
Unzip it to the desktop and do not run it.

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Open the Suspicious File Packer.

Paste the following bold part into the Suspicious File Packer window:

C:\WINDOWS\CREATOR\Remind_XP.exe
C:\WINDOWS\SMINST\RECGUARD.EXE
C:\WINDOWS\system\hpsysdrv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\hphmon06.exe
C:\WINDOWS\system32\ps2.exe


Allow SFP to pack the file. This will generate a CAB archive on your desktop.

Reboot back to normal mode now.

Go to this page.
Enter the url of this thread in the first field.
Where it says, browse to the file that you want to submit, click the browse button next to the second field and browse to the CAB archive that has been created on your desktop.
The cab file will be called requested-files[*].cab (the * stands for the date and hour).
Then click the Send File button below.
Please let me know when you have submitted the files.

Please uninstall Internet Optimizer from add/remove in the control panel, if not done already.

Open notepad and copy and paste the following text in the quote box into the window:

@echo off

if exist C:\hp\KBD\KBD.EXE del /q C:\hp\KBD\KBD.EXE
copy C:\HP\KBD\BAK\KBD.EXE C:\hp\KBD

if exist "C:\Program Files\AIM\aim.exe" del /q "C:\Program Files\AIM\aim.exe"
copy "C:\Program Files\AIM\bak\aim.exe" "C:\Program Files\AIM"

if exist "C:\Program Files\Ares\Ares.exe" del /q "C:\Program Files\Ares\Ares.exe"
copy "C:\Program Files\Ares\bak\Ares.exe" "C:\Program Files\Ares"

if exist "C:\Program Files\iTunes\iTunesHelper.exe" del /q "C:\Program Files\iTunes\iTunesHelper.exe"
copy "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes"

if exist "C:\Program Files\Norton Internet Security\cfgwiz.exe" del /q "C:\Program Files\Norton Internet Security\cfgwiz.exe"
copy "C:\Program Files\Norton Internet Security\bak\cfgwiz.exe" "C:\Program Files\Norton Internet Security"

if exist C:\WINDOWS\CREATOR\Remind_XP.exe del /q C:\WINDOWS\CREATOR\Remind_XP.exe
copy C:\WINDOWS\CREATOR\bak\Remind_XP.exe C:\WINDOWS\CREATOR

if exist C:\WINDOWS\SMINST\RECGUARD.EXE del /q C:\WINDOWS\SMINST\RECGUARD.EXE
copy C:\WINDOWS\SMINST\bak\RECGUARD.EXE C:\WINDOWS\SMINST\

if exist C:\WINDOWS\system\hpsysdrv.exe del /q C:\WINDOWS\system\hpsysdrv.exe
copy C:\WINDOWS\system\bak\hpsysdrv.exe C:\WINDOWS\system

if exist C:\WINDOWS\system32\ctfmon.exe del /q C:\WINDOWS\system32\ctfmon.exe
copy C:\WINDOWS\system32\bak\ctfmon.exe C:\WINDOWS\system32

if exist C:\WINDOWS\system32\hkcmd.exe del /q C:\WINDOWS\system32\hkcmd.exe
copy C:\WINDOWS\system32\bak\hkcmd.exe C:\WINDOWS\system32

if exist C:\WINDOWS\system32\hphmon06.exe del /q C:\WINDOWS\system32\hphmon06.exe
copy C:\WINDOWS\system32\bak\hphmon06.exe C:\WINDOWS\system32

if exist C:\WINDOWS\system32\ps2.exe del /q C:\WINDOWS\system32\ps2.exe
copy C:\WINDOWS\system32\bak\ps2.exe C:\WINDOWS\system32

if exist C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe del /q C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
copy C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe C:\hp\drivers\hplsbwatcher

if exist "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" del /q "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
copy "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe" "C:\Program Files\Common Files\Symantec Shared"

if exist "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" del /q "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"
copy "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe" "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}"

if exist "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe" del /q "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
copy "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe" "C:\Program Files\Common Files\AOL\IPHSend"

if exist "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe" del /q "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe"
copy "C:\Program Files\Common Files\AOL\Launch\bak\AOLLaunch.exe" "C:\Program Files\Common Files\AOL\Launch"

if exist "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
copy "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB"

if exist "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" del /q "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
copy "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe" "C:\Program Files\Common Files\Symantec Shared\Security Center"

if exist "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" del /q "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
copy "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe" "C:\Program Files\Java\j2re1.4.2_03\bin"

if exist "C:\Program Files\Common Files\AOL\1160957683\ee\AOLSoftware.exe" del /q "C:\Program Files\Common Files\AOL\1160957683\ee\AOLSoftware.exe"
copy "C:\Program Files\Common Files\AOL\1160957683\ee\bak\AOLSoftware.exe" "C:\Program Files\Common Files\AOL\1160957683\ee"

del /q C:\BAK\dfndrff_e46a.exe
del /q C:\BAK\kybrdff_e46.exe
del /q C:\BAK\nwnmff_e46.exe
del /q C:\WINDOWS\BAK\Duce6.exe
del /q C:\WINDOWS\BAK\eltonehour.exe
del /q C:\WINDOWS\BAK\loader1239734.exe
del /q C:\WINDOWS\BAK\ms036151162175.exe
del /q C:\WINDOWS\BAK\ms041511621756.exe
del /q C:\WINDOWS\BAK\sys025615116217.exe
del /q C:\WINDOWS\BAK\v1201.exe
del /q C:\WINDOWS\BAK\win32071621756151.exe
del /q C:\WINDOWS\BAK\xpupdate.exe
del /q C:\bintheredunthat\ms0361511621752006.exe
del /q C:\bintheredunthat\sys0256151162172006.exe
del /q C:\WINDOWS\system32\bak\rnnypbw.exe
del /q C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe.tmp

rmdir "C:\Documents and Settings\HP_Owner\Internet Optimizer"

Save this as fix.bat
Choose to save as all files.
This is how the batch must look afterwards: [screenshot]
Do not run it yet! (Very Important)

Now reboot into Safe Mode.
This can be done by tapping the F8 key as soon as you start your computer.
You will be brought to a menu where you can choose to boot into safe mode.
Make sure you choose the option without networking support.

Doubleclick fix.bat and let the program run.

Reboot back to normal mode now.

Start notepad again and copy the following in:

reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify" /s >>notify.txt
start notify.txt

Save this as look.bat
Choose to save as all files.
This is how the batch must look afterwards: [screenshot]
In normal mode doubleclick look.bat and let the program run.
Copy and paste the text that opens back here.

Now run findawf.exe again and copy and paste the output text here.

Please post back with the two logs.
David

Edited by D-Trojanator, 06 November 2006 - 04:13 AM.
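
David's batch above restores each hijacked program by hand, one del/copy pair per file, from the original that the infection parked in a sibling bak folder. As an added example (written for this page; it is not part of the thread or of findawf), the Python below performs that pairing generically: it finds every folder named bak, matches each backup to the live file one level up, and classifies the pair using the file sizes findawf searches for. The directory tree it scans is constructed inline, so it runs anywhere.

```python
import hashlib
import tempfile
from pathlib import Path

# Sizes findawf searches for (its report headings: "NNNNN byte files found").
AWF_SIZES = {21504, 25600, 26450}


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large binaries are fine."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_live_copy(bak_dir, name):
    """Return the file one level above bak_dir that the backup shadows.
    Matching ignores case, as Windows does (findawf pairs MSConfig.exe in
    bak with msconfig.exe next to it)."""
    for candidate in bak_dir.parent.iterdir():
        if candidate.is_file() and candidate.name.lower() == name.lower():
            return candidate
    return None


def classify(live, backup):
    """Label a live/backup pair in the order a triage would check it."""
    if live is None:
        return "no live counterpart (file dropped into bak)"
    if sha256_of(live) == sha256_of(backup):
        return "identical to backup (original already in place)"
    if live.stat().st_size in AWF_SIZES:
        return "live file has an AWF size and differs from backup (replaced)"
    return "differs from backup (inspect manually)"


def scan_bak_folders(root):
    """One finding per file inside any folder named 'bak' below root."""
    root = Path(root)
    bak_dirs = sorted(p for p in root.rglob("*")
                      if p.is_dir() and p.name.lower() == "bak")
    findings = []
    for bak_dir in bak_dirs:
        for backup in sorted(bak_dir.iterdir()):
            if not backup.is_file():
                continue
            live = find_live_copy(bak_dir, backup.name)
            findings.append({
                "backup": backup.relative_to(root).as_posix(),
                "live": live.relative_to(root).as_posix() if live else None,
                "status": classify(live, backup),
            })
    return findings


def build_sample_tree(root):
    """Constructed sample tree (not the victim's files) mimicking three
    situations that appear in the findawf reports in this thread."""
    root = Path(root)
    # 1. ctfmon.exe replaced by a 25600-byte file; the 15360-byte original
    #    sits in system32\bak, exactly the pairing David's batch undoes.
    sys32 = root / "WINDOWS" / "system32"
    (sys32 / "bak").mkdir(parents=True)
    (sys32 / "ctfmon.exe").write_bytes(b"X" * 25600)
    (sys32 / "bak" / "ctfmon.exe").write_bytes(b"O" * 15360)
    # 2. KBD.EXE already restored: live copy and backup are byte-identical.
    kbd = root / "hp" / "KBD"
    (kbd / "BAK").mkdir(parents=True)
    (kbd / "KBD.EXE").write_bytes(b"K" * 61440)
    (kbd / "BAK" / "KBD.EXE").write_bytes(b"K" * 61440)
    # 3. A loader dropped into WINDOWS\bak with no live file to shadow.
    (root / "WINDOWS" / "bak").mkdir(parents=True)
    (root / "WINDOWS" / "bak" / "loader1238343.exe").write_bytes(b"L" * 3072)
    return root


def demo():
    """Build the sample tree in a temp dir and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_bak_folders(build_sample_tree(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding['status']:62} {finding['backup']}")
```

Pointed at a real drive root instead of the temp tree, the same scan lists every bak pair before anything is deleted, which is the check worth running before a batch like the one above.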


#13 kim762
  • Topic Starter
  • Members
  • 18 posts

Posted 07 November 2006 - 07:45 PM

Find AWF report by noahdfear 2006


21504 byte files found
~~~~~~~~~~~~~



21504 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



25600 byte files found
~~~~~~~~~~~~~

25600 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe"


25600 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



26450 byte files found
~~~~~~~~~~~~~



26450 byte files sorted with strings
~~~~~~~~~~~~~~~~~~~~~



bak folders found
~~~~~~~~~~~


Directory of C:\BAK

0 File(s) 0 bytes

Directory of C:\WINDOWS\BAK

0 File(s) 0 bytes

Directory of C:\HP\KBD\BAK

02/11/2003 06:02 PM 61,440 KBD.EXE
1 File(s) 61,440 bytes

Directory of C:\PROGRA~1\AIM\BAK

08/05/2005 02:08 PM 67,160 aim.exe
1 File(s) 67,160 bytes

Directory of C:\PROGRA~1\ARES\BAK

11/22/2005 06:29 PM 1,219,584 Ares.exe
1 File(s) 1,219,584 bytes

Directory of C:\PROGRA~1\DELUXE~1\BAK


Directory of C:\PROGRA~1\ITUNES\BAK

10/13/2004 11:04 PM 278,528 iTunesHelper.exe
1 File(s) 278,528 bytes

Directory of C:\PROGRA~1\NORTON~1\BAK

08/17/2004 09:36 PM 132,248 cfgwiz.exe
1 File(s) 132,248 bytes

Directory of C:\WINDOWS\CREATOR\BAK

12/14/2004 01:23 AM 663,552 Remind_XP.exe
1 File(s) 663,552 bytes

Directory of C:\WINDOWS\SMINST\BAK

04/14/2004 07:43 PM 233,472 RECGUARD.EXE
1 File(s) 233,472 bytes

Directory of C:\WINDOWS\SYSTEM\BAK

05/07/1998 03:04 PM 52,736 hpsysdrv.exe
1 File(s) 52,736 bytes

Directory of C:\WINDOWS\SYSTEM32\BAK

08/04/2004 10:00 AM 15,360 ctfmon.exe
11/02/2004 02:59 PM 126,976 hkcmd.exe
06/07/2004 05:42 PM 659,456 hphmon06.exe
10/25/2004 08:17 PM 90,112 ps2.exe
4 File(s) 891,904 bytes

Directory of C:\DOCUME~1\HP_OWNER\INTERN~1\BAK

09/01/2006 01:52 PM 53,120 optimize.exe
1 File(s) 53,120 bytes

Directory of C:\HP\DRIVERS\HPLSBW~1\BAK

10/14/2004 08:54 PM 253,952 lsburnwatcher.exe
1 File(s) 253,952 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\BAK

08/27/2004 10:22 PM 58,488 ccApp.exe
1 File(s) 58,488 bytes

Directory of C:\PROGRA~1\COMMON~1\WWUR\BAK

0 File(s) 0 bytes

Directory of C:\PROGRA~1\HP\{AAC4F~1\BAK

06/07/2004 05:53 PM 49,152 hphupd06.exe
1 File(s) 49,152 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\IPHSEND\BAK

02/17/2006 08:59 AM 124,520 IPHSend.exe
1 File(s) 124,520 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\LAUNCH\BAK

05/09/2006 04:24 PM 50,760 AOLLaunch.exe
1 File(s) 50,760 bytes

Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

02/15/2005 01:02 PM 180,269 realsched.exe
1 File(s) 180,269 bytes

Directory of C:\PROGRA~1\COMMON~1\SYMANT~1\SECURI~1\BAK

08/05/2004 04:23 PM 218,240 UsrPrmpt.exe
1 File(s) 218,240 bytes

Directory of C:\PROGRA~1\JAVA\J2RE14~1.2_0\BIN\BAK

02/15/2005 12:37 PM 32,881 jusched.exe
1 File(s) 32,881 bytes

Directory of C:\WINDOWS\PCHEALTH\HELPCTR\BINARIES\BAK

08/04/2004 10:00 AM 158,208 MSConfig.exe
1 File(s) 158,208 bytes

Directory of C:\PROGRA~1\COMMON~1\AOL\116095~1\EE\BAK

05/09/2006 04:24 PM 50,760 AOLSoftware.exe
1 File(s) 50,760 bytes


Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

3072 Nov 2 2006 "C:\WINDOWS\bak\loader1238343.exe"
61440 Feb 11 2003 "C:\hp\KBD\KBD.EXE"
61440 Feb 11 2003 "C:\hp\KBD\bak\KBD.EXE"
67160 Aug 5 2005 "C:\Program Files\AIM\aim.exe"
67160 Aug 5 2005 "C:\Program Files\AIM\bak\aim.exe"
1219584 Nov 22 2005 "C:\Program Files\Ares\Ares.exe"
1219584 Nov 22 2005 "C:\Program Files\Ares\bak\Ares.exe"
278528 Oct 13 2004 "C:\Program Files\iTunes\iTunesHelper.exe"
278528 Oct 13 2004 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
268800 Mar 16 2006 "C:\Program Files\LimeWire\_\iTunes 5.0.0.35.exe"
268800 Mar 16 2006 "C:\Documents and Settings\HP_Owner\Shared\_\iTunes for Windows 4.2.exe"
268800 Mar 16 2006 "C:\Program Files\LimeWire\Shared\_\ITunes iSync v2.1.6.exe"
268800 Mar 16 2006 "C:\Documents and Settings\HP_Owner\My Documents\Morpheus Shared\_\ITunes iSync v2.1.6.exe"
132248 Aug 17 2004 "C:\Program Files\Norton Internet Security\cfgwiz.exe"
132248 Aug 17 2004 "C:\Program Files\Norton Internet Security\bak\cfgwiz.exe"
132248 Aug 17 2004 "C:\Program Files\Norton Internet Security\Norton AntiVirus\CfgWiz.exe"
663552 Dec 14 2004 "C:\WINDOWS\CREATOR\Remind_XP.exe"
663552 Dec 14 2004 "C:\WINDOWS\CREATOR\bak\Remind_XP.exe"
268800 Mar 16 2006 "C:\Documents and Settings\HP_Owner\Shared\_\Remind 5.54.exe"
268800 Mar 16 2006 "C:\Program Files\LimeWire\Shared\_\Reminder v2.11d.exe"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\RECGUARD.EXE"
233472 Apr 14 2004 "C:\WINDOWS\SMINST\bak\RECGUARD.EXE"
52736 May 7 1998 "C:\WINDOWS\system\hpsysdrv.exe"
52736 May 7 1998 "C:\WINDOWS\system\bak\hpsysdrv.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\hkcmd.exe"
126976 Nov 2 2004 "C:\hp\drivers\video_Intel\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\bak\hkcmd.exe"
126976 Nov 2 2004 "C:\WINDOWS\system32\ReinstallBackups\0001\DriverFiles\hkcmd.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\hphmon06.exe"
659456 Jun 7 2004 "C:\WINDOWS\system32\bak\hphmon06.exe"
90112 Oct 25 2004 "C:\WINDOWS\system32\ps2.exe"
90112 Oct 25 2004 "C:\hp\drivers\keyboard\PS2.EXE"
90112 Oct 25 2004 "C:\WINDOWS\system32\bak\ps2.exe"
53120 Sep 1 2006 "C:\Documents and Settings\HP_Owner\Internet Optimizer\optimize.exe"
53120 Sep 1 2006 "C:\Documents and Settings\HP_Owner\Internet Optimizer\bak\optimize.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\lsburnwatcher.exe"
253952 Oct 14 2004 "C:\hp\drivers\hplsbwatcher\bak\lsburnwatcher.exe"
58488 Aug 27 2004 "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
58488 Aug 27 2004 "C:\Program Files\Common Files\Symantec Shared\bak\ccApp.exe"
49152 Jun 7 2004 "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\IPHSend.exe"
124520 Feb 17 2006 "C:\Program Files\Common Files\AOL\IPHSend\bak\IPHSend.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\Launch\AOLLaunch.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\1160957683\ee\aollaunch.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\Launch\bak\AOLLaunch.exe"
180269 Feb 15 2005 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
180269 Feb 15 2005 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
218240 Aug 5 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe"
218240 Aug 5 2004 "C:\Program Files\Common Files\Symantec Shared\Security Center\bak\UsrPrmpt.exe"
32881 Feb 15 2005 "C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe"
32881 Feb 15 2005 "C:\Program Files\Java\j2re1.4.2_03\bin\bak\jusched.exe"
158208 Aug 4 2004 "C:\WINDOWS\pchealth\helpctr\binaries\msconfig.exe"
158208 Aug 4 2004 "C:\WINDOWS\pchealth\helpctr\binaries\bak\MSConfig.exe"
268800 Mar 16 2006 "C:\Program Files\LimeWire\Shared\_\AOLsoft IconExtractor v1.1.exe"
268800 Mar 16 2006 "C:\Documents and Settings\HP_Owner\My Documents\Morpheus Shared\_\AOLsoft IconExtractor v1.1.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\1160957683\ee\AOLSoftware.exe"
50760 May 9 2006 "C:\Program Files\Common Files\AOL\1160957683\ee\bak\AOLSoftware.exe"


end of report



! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ crypt32.dll
Logoff REG_SZ ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cryptnet
Asynchronous REG_DWORD 0x0
Impersonate REG_DWORD 0x0
DllName REG_EXPAND_SZ cryptnet.dll
Logoff REG_SZ CryptnetWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\cscdll
DLLName REG_SZ cscdll.dll
Logon REG_SZ WinlogonLogonEvent
Logoff REG_SZ WinlogonLogoffEvent
ScreenSaver REG_SZ WinlogonScreenSaverEvent
Startup REG_SZ WinlogonStartupEvent
Shutdown REG_SZ WinlogonShutdownEvent
StartShell REG_SZ WinlogonStartShellEvent
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
<NO NAME> REG_SZ
DLLName REG_SZ igfxsrvc.dll
Asynchronous REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Unlock REG_SZ WinlogonUnlockEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ScCertProp
DLLName REG_SZ wlnotify.dll
Logon REG_SZ SCardStartCertProp
Logoff REG_SZ SCardStopCertProp
Lock REG_SZ SCardSuspendCertProp
Unlock REG_SZ SCardResumeCertProp
Enabled REG_DWORD 0x1
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Schedule
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
StartShell REG_SZ SchedStartShell
Logoff REG_SZ SchedEventLogOff

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sclgntfy
Logoff REG_SZ WLEventLogoff
Impersonate REG_DWORD 0x0
Asynchronous REG_DWORD 0x1
DllName REG_EXPAND_SZ sclgntfy.dll

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\SensLogn
DLLName REG_SZ WlNotify.dll
Lock REG_SZ SensLockEvent
Logon REG_SZ SensLogonEvent
Logoff REG_SZ SensLogoffEvent
Safe REG_DWORD 0x1
MaxWait REG_DWORD 0x258
StartScreenSaver REG_SZ SensStartScreenSaverEvent
StopScreenSaver REG_SZ SensStopScreenSaverEvent
Startup REG_SZ SensStartupEvent
Shutdown REG_SZ SensShutdownEvent
StartShell REG_SZ SensStartShellEvent
PostShell REG_SZ SensPostShellEvent
Disconnect REG_SZ SensDisconnectEvent
Reconnect REG_SZ SensReconnectEvent
Unlock REG_SZ SensUnlockEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\termsrv
Asynchronous REG_DWORD 0x0
DllName REG_EXPAND_SZ wlnotify.dll
Impersonate REG_DWORD 0x0
Logoff REG_SZ TSEventLogoff
Logon REG_SZ TSEventLogon
PostShell REG_SZ TSEventPostShell
Shutdown REG_SZ TSEventShutdown
StartShell REG_SZ TSEventStartShell
Startup REG_SZ TSEventStartup
MaxWait REG_DWORD 0x258
Reconnect REG_SZ TSEventReconnect
Disconnect REG_SZ TSEventDisconnect

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\wlballoon
DLLName REG_SZ wlnotify.dll
Logon REG_SZ RegisterTicketExpiredNotificationEvent
Logoff REG_SZ UnregisterTicketExpiredNotificationEvent
Impersonate REG_DWORD 0x1
Asynchronous REG_DWORD 0x1
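
The Notify dump above lists every DLL winlogon.exe loads at logon, and a hijacked entry is easy to miss when reading it by hand. As an added example (written for this page; not part of the thread or of look.bat), here is a Python parser for that REG.EXE 3.0 output that flags subkeys whose DllName falls outside an assumed baseline. The sample output is constructed: two subkeys copy the format above, and `sample_hook` / `sample_hook.dll` are made-up names so that the check has something to flag.

```python
import re

NOTIFY_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT"
              r"\CurrentVersion\Winlogon\Notify")

# Assumed baseline for this example: the DLLs the stock XP SP2 packages in
# the dump above point at, plus igfxsrvc.dll, which the Intel graphics driver
# registers. It is not an authoritative list; trim it to the machine's build.
BASELINE_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll",
                 "wlnotify.dll", "sclgntfy.dll", "igfxsrvc.dll"}

# One "name  type  data" line of REG.EXE 3.0 output. "<NO NAME>" is the
# default value and may carry no data at all, as under igfxcui above.
VALUE_RE = re.compile(r"^(<NO NAME>|\S+)\s+(REG_[A-Z_]+)\s*(.*)$")

# Constructed sample: the first two subkeys copy the format of the dump above;
# sample_hook is a made-up entry so that the check has something to flag.
SAMPLE_OUTPUT = r"""
! REG.EXE VERSION 3.0

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain
    Asynchronous    REG_DWORD       0x0
    Impersonate     REG_DWORD       0x0
    DllName REG_EXPAND_SZ   crypt32.dll
    Logoff  REG_SZ  ChainWlxLogoffEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\igfxcui
    <NO NAME>       REG_SZ
    DLLName REG_SZ  igfxsrvc.dll
    Asynchronous    REG_DWORD       0x1
    Impersonate     REG_DWORD       0x1
    Unlock  REG_SZ  WinlogonUnlockEvent

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\sample_hook
    DllName REG_EXPAND_SZ   C:\WINDOWS\system32\sample_hook.dll
    Logon   REG_SZ  WinlogonLogonEvent
"""


def parse_reg_query(text):
    """Turn 'reg query ... /s' output into {subkey: {value_name: (type, data)}}.
    Only subkeys directly under the Notify key are collected."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line.upper().startswith(NOTIFY_KEY.upper()):
            rest = line[len(NOTIFY_KEY):]
            if rest.startswith("\\"):
                current = rest[1:]
                entries[current] = {}
            else:
                current = None          # the Notify key itself, no values
            continue
        match = VALUE_RE.match(line)
        if current is not None and match:
            name, vtype, data = match.groups()
            entries[current][name] = (vtype, data.strip())
    return entries


def suspicious_notify_entries(entries):
    """Subkeys whose DllName is missing or points outside the baseline.
    Each one is a DLL winlogon.exe will load, so anything unexpected here
    deserves a look before the machine is declared clean."""
    flagged = []
    for subkey, values in entries.items():
        dll = None
        for name, (_vtype, data) in values.items():
            if name.lower() == "dllname":   # casing varies: DllName / DLLName
                dll = data
        if dll is None:
            flagged.append((subkey, "no DllName value"))
            continue
        basename = dll.rsplit("\\", 1)[-1].lower()
        if basename not in BASELINE_DLLS:
            flagged.append((subkey, dll))
    return flagged


if __name__ == "__main__":
    for subkey, reason in suspicious_notify_entries(parse_reg_query(SAMPLE_OUTPUT)):
        print(f"{subkey}: {reason}")
```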

#14 -David-

  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London

Posted 08 November 2006 - 12:39 PM

Hey there, nearly done on this infection, just one more batch to go.
Open notepad and copy and paste the following text in the quote box into the window:

@echo off
if exist "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe" del /q "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak\hphupd06.exe"
copy "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe" "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}"

rmdir "C:\WINDOWS\bak"
rmdir "C:\hp\KBD\bak"
rmdir "C:\Program Files\AIM\bak"
rmdir "C:\Program Files\Ares\bak"
rmdir "C:\Program Files\iTunes\bak"
rmdir "C:\Program Files\Norton Internet Security\bak"
rmdir "C:\WINDOWS\CREATOR\bak"
rmdir "C:\WINDOWS\SMINST\bak"
rmdir "C:\WINDOWS\system\bak"
rmdir "C:\WINDOWS\system32\bak"
rmdir "C:\Documents and Settings\HP_Owner\Internet Optimizer"
rmdir "C:\hp\drivers\hplsbwatcher\bak"
rmdir "C:\Program Files\Common Files\Symantec Shared\bak"
rmdir "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak"
rmdir "C:\Program Files\Common Files\AOL\IPHSend\bak"
rmdir "C:\Program Files\Common Files\AOL\Launch\bak"
rmdir "C:\Program Files\Common Files\Real\Update_OB\bak"
rmdir "C:\Program Files\Common Files\Symantec Shared\Security Center\bak"
rmdir "C:\Program Files\Java\j2re1.4.2_03\bin\bak"
rmdir "C:\WINDOWS\pchealth\helpctr\binaries\bak"
rmdir "C:\Program Files\Common Files\AOL\1160957683\ee\bak"

echo "Found folders"...>>fixme.txt
If exist "C:\WINDOWS\bak" echo C:\WINDOWS\bak FOUND>>fixme.txt
If exist "C:\hp\KBD\bak" echo C:\hp\KBD\bak FOUND>>fixme.txt
If exist "C:\Program Files\AIM\bak" echo C:\Program Files\AIM\bak FOUND>>fixme.txt
If exist "C:\Program Files\Ares\bak" echo C:\Program Files\Ares\bak FOUND>>fixme.txt
If exist "C:\Program Files\iTunes\bak" echo C:\Program Files\iTunes\bak FOUND>>fixme.txt
If exist "C:\Program Files\Norton Internet Security\bak" echo C:\Program Files\Norton Internet Security\bak FOUND>>fixme.txt
If exist "C:\WINDOWS\CREATOR\bak" echo C:\WINDOWS\CREATOR\bak FOUND>>fixme.txt
If exist "C:\WINDOWS\SMINST\bak" echo C:\WINDOWS\SMINST\bak FOUND>>fixme.txt
If exist "C:\WINDOWS\system\bak" echo C:\WINDOWS\system\bak FOUND>>fixme.txt
If exist "C:\WINDOWS\system32\bak" echo C:\WINDOWS\system32\bak FOUND>>fixme.txt
If exist "C:\Documents and Settings\HP_Owner\Internet Optimizer" echo C:\Documents and Settings\HP_Owner\Internet Optimizer\bak FOUND>>fixme.txt
If exist "C:\hp\drivers\hplsbwatcher\bak" echo C:\hp\drivers\hplsbwatcher\bak FOUND>>fixme.txt
If exist "C:\Program Files\Common Files\Symantec Shared\bak" echo C:\Program Files\Common Files\Symantec Shared\bak FOUND>>fixme.txt
If exist "C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak" echo C:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\bak FOUND>>fixme.txt
If exist "C:\Program Files\Common Files\AOL\IPHSend\bak" echo C:\Program Files\Common Files\AOL\IPHSend\bak FOUND>>fixme.txt
If exist "C:\Program Files\Common Files\AOL\Launch\bak" echo C:\Program Files\Common Files\AOL\Launch\bak FOUND>>fixme.txt
If exist "C:\Program Files\Common Files\Real\Update_OB\bak" echo C:\Program Files\Common Files\Real\Update_OB\bak FOUND>>fixme.txt
If exist "C:\Program Files\Common Files\Symantec Shared\Security Center\bak" echo C:\Program Files\Common Files\Symantec Shared\Security Center\bak FOUND>>fixme.txt
If exist "C:\Program Files\Java\j2re1.4.2_03\bin\bak" echo C:\Program Files\Java\j2re1.4.2_03\bin\bak FOUND>>fixme.txt
If exist "C:\WINDOWS\pchealth\helpctr\binaries\bak" echo C:\WINDOWS\pchealth\helpctr\binaries\bak FOUND>>fixme.txt
If exist "C:\Program Files\Common Files\AOL\1160957683\ee\bak" echo C:\Program Files\Common Files\AOL\1160957683\ee\bak FOUND>>fixme.txt

start fixme.txt

Save this as fixme.bat
Choose to save as all files.
This is how the batch must look afterwards: [screenshot]
Doubleclick fixme.bat and let the program run.

Post back with that log (probably going to be very short).
Also post a new Hijackthis log and we can go about fixing the rest of the PC.

Also, Run HijackThis.
On the first menu, click Open the Misc Tools Section
Click Open Uninstall Manager
Click Save List - Save it anywhere.
A notepad will pop-up after it's saved, please copy everything in that Notepad and paste it here.

David

Edited by D-Trojanator, 08 November 2006 - 12:41 PM.


#15 kim762
  • Topic Starter
  • Members
  • 18 posts

Posted 08 November 2006 - 08:01 PM

"Found folders"...
C:\WINDOWS\bak FOUND
C:\hp\KBD\bak FOUND
C:\Program Files\AIM\bak FOUND
C:\Program Files\Ares\bak FOUND
C:\Program Files\iTunes\bak FOUND
C:\Program Files\Norton Internet Security\bak FOUND
C:\WINDOWS\CREATOR\bak FOUND
C:\WINDOWS\SMINST\bak FOUND
C:\WINDOWS\system\bak FOUND
C:\WINDOWS\system32\bak FOUND
C:\Documents and Settings\HP_Owner\Internet Optimizer\bak FOUND
C:\hp\drivers\hplsbwatcher\bak FOUND
C:\Program Files\Common Files\Symantec Shared\bak FOUND
C:\Program Files\Common Files\AOL\IPHSend\bak FOUND
C:\Program Files\Common Files\AOL\Launch\bak FOUND
C:\Program Files\Common Files\Real\Update_OB\bak FOUND
C:\Program Files\Common Files\AOL\1160957683\ee\bak FOUND


Logfile of HijackThis v1.99.1
Scan saved at 4:56:29 PM, on 11/8/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\ALCXMNTR.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterMute\SpySubtract\SpySub.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\VirusBursters\virusbursters.exe
C:\Program Files\Morpheus\Morpheus.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\HP_Owner\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iehomepages.com/
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - {D73F49B6-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\2.bin\MBSRCAS.DLL
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: MorpheusToolbar BHO - {3F3714A1-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\3.bin\MORPHBAR.DLL
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar8.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {D73F49B1-B51B-4d32-A3B7-BD04B8342F53} - C:\Program Files\MorpheusBar\SrchAstt\2.bin\MBSRCAS.DLL
O3 - Toolbar: HP view - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\HPDTLK02.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - c:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Morpheus Toolbar - {3F3714A9-89A4-46be-8AF3-D0C9D1FB03F9} - C:\Program Files\MorpheusBar\bar\3.bin\MORPHBAR.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [HPHUPD06] c:\Program Files\HP\{AAC4FC36-8F89-4587-8DD3-EBC57C83374D}\hphupd06.exe
O4 - HKLM\..\Run: [HPHmon06] C:\WINDOWS\system32\hphmon06.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [IS CfgWiz] c:\Program Files\Norton Internet Security\cfgwiz.exe /GUID {257BBC47-1B26-432e-9F84-188603799DD3} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [SSC_UserPrompt] c:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [IcoSet] c:\hp\bin\cloaker.exe c:\hp\bin\IcoSet\adjust.bat seticon
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [LSBWatcher] c:\hp\drivers\hplsbwatcher\lsburnwatcher.exe
O4 - HKLM\..\Run: [Reminder] "C:\Windows\Creator\Remind_XP.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~2.DLL,ClientStartup -s
O4 - HKLM\..\Run: [Mziao] C:\Program Files\Qtblw\Wxppqt.exe
O4 - HKLM\..\Run: [VirusBursters] C:\Program Files\VirusBursters\virusbursters.exe /h
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: Morpheus.lnk = C:\Program Files\Morpheus\Morpheus.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: SpySubtract.lnk = C:\Program Files\InterMute\SpySubtract\sslaunch.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar8.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar8.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar8.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar8.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar8.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar8.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Filter: text/html - {D1C66A56-872E-4489-BA60-04AA1E2996BB} - C:\WINDOWS\system32\lt5vsrs.dll
O20 - AppInit_DLLs: pushow64.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: IS Service (ISSVC) - Symantec Corporation - c:\Program Files\Norton Internet Security\ISSVC.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - c:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe



Adobe Acrobat - Reader 6.0.2 Update
Adobe Flash Player 9 ActiveX
Adobe Reader 6.0.1
Agere Systems PCI Soft Modem
AVG Anti-Spyware 7.5
Blackhawk Striker 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 from Hewlett-Packard Desktops (remove only)
Blasterball 2 Remix from Hewlett-Packard Desktops (remove only)
Bounce Symphony from Hewlett-Packard Desktops (remove only)
CC_ccProxyExt
ccCommon
ccPxyCore
Crystal Maze from Hewlett-Packard Desktops (remove only)
Easy Internet Sign-up
Google Toolbar for Internet Explorer
Help and Support Additions
HijackThis 1.99.1
HP Deskjet Preloaded Printer Drivers
HP Image Zone 4.5.3
HP Image Zone Plus 4.5.3
HP Organize
HP Photosmart Cameras 4.0
HP PSC & OfficeJet 4.0
HP Software Update
HPIZplus450
Intel® Extreme Graphics Driver
IntelliMover Data Transfer Demo
InterVideo DiscLabel
InterVideo WinDVD Creator
InterVideo WinDVD Player
iTunes
Java 2 Runtime Environment, SE v1.4.2_03
KBD
LiveReg (Symantec Corporation)
LiveUpdate 2.5 (Symantec Corporation)
Microsoft .NET Framework 1.1
Microsoft Office Standard Edition 2003
Microsoft Plus! Dancer LE
Microsoft Plus! Digital Media Edition Installer
Microsoft Plus! Photo Story 2 LE
Microsoft Works
Morpheus 5.3 (remove only)
Morpheus Toolbar
MSRedist
muvee autoProducer 3.5 magicMoments - HPD
Norton AntiSpam
Norton AntiVirus 2005
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security 2005 (Symantec Corporation)
Norton Security Center
Norton WMI Update
Norton WMI Update
Orbital from Hewlett-Packard Desktops (remove only)
Overball from Hewlett-Packard Desktops (remove only)
PC-Doctor for Windows
Photosmart 320,370,7400,8100,8400 Series
Polar Bowler from Hewlett-Packard Desktops (remove only)
Polar Golfer from Hewlett-Packard Desktops (remove only)
PS2
Python 2.2 pywin32 extensions (build 203)
Python 2.2.3
QuickTime
RealPlayer
Road Ready Streetwise from Hewlett-Packard Desktops (remove only)
Shrek 2 Ogre Bowler from Hewlett-Packard Desktops (remove only)
Sonic Express Labeler
Sonic RecordNow!
SPBBC
SpySubtract
Super Granny from Hewlett-Packard Desktops (remove only)
SymNet
Tradewinds from Hewlett-Packard Desktops (remove only)
Updates from HP
VirusBursters 6.2
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB883667
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888239
Windows XP Hotfix - KB890175



