I'm not exactly sure how I knew I was infected. I believe it started yesterday with a popup from WinAntiSpyware2006. See, I had become complacent. I hadn't run Ad-Aware or Spybot in months, because I had SpywareBlaster installed and felt I was a safe internet user. However, I have let others use my computer recently. Needless to say, my carelessness got me infected. Right away when I saw there was an issue, I ran Spybot, which removed a number of things (WebBuyingAssistant, Virtumonde, etc.). However, it couldn't remove everything, not even after startup. I also ran Ad-Aware, which removed some more stuff. But I am still having popup issues. This morning when I ran Spybot, it couldn't remove DriveCleaner2006. And now I am getting popups for some BlackSingles dating site and errorsafe.com. I tried to run the Panda online scan, but the scanner crashed right at the very end (or rather the whole system froze up due to Internet Explorer popups that I had to force quit). Anyway, on to the log:
Deckard's System Scanner v20070807.62
Run by Andrew on 2007-08-09 at 12:15:10
Computer is in Normal Mode.
--------------------------------------------------------------------------------
-- System Restore --------------------------------------------------------------
Successfully created a Deckard's System Scanner Restore Point.
-- Last 5 Restore Point(s) --
18: 2007-08-09 16:15:13 UTC - RP793 - Deckard's System Scanner Restore Point
17: 2007-08-09 15:03:32 UTC - RP792 - Removed WexTech AnswerWorks
16: 2007-08-09 14:53:57 UTC - RP791 - Spybot-S&D Spyware removal
15: 2007-08-08 18:19:51 UTC - RP790 - Spybot-S&D Spyware removal
14: 2007-08-08 17:43:22 UTC - RP789 - Spybot-S&D Spyware removal
-- First Restore Point --
1: 2007-07-17 17:16:05 UTC - RP776 - System Checkpoint
Backed up registry hives.
Performed disk cleanup.
System Drive C: has 1.23 GiB (less than 15%) free.
-- HijackThis (run as Andrew.exe) ----------------------------------------------
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:07:12 AM, on 8/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\WINDOWS\system32\RevoTask.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe
C:\Program Files\Windows NT\hotyge22011.exe
C:\WINDOWS\afbtsukA.exe
C:\PROGRA~1\COMMON~1\PPATCH~1\mshta.exe
C:\WINDOWS\?dobe\l?***.exe
C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\acrobat_sl.exe
C:\hijackthis\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R3 - Default URLSearchHook is missing
O1 - Hosts: 62.75.224.159 www.bns1.net
O1 - Hosts: 62.75.224.159 www.bns2.net
O1 - Hosts: 62.75.224.159 www.bns3.net
O1 - Hosts: 62.75.224.159 www.bns4.net
O1 - Hosts: 62.75.224.159 www.bns5.net
O1 - Hosts: 62.75.224.159 www.bns6.net
O1 - Hosts: 62.75.224.159 www.bns7.net
O1 - Hosts: 62.75.224.159 www.bns8.net
O1 - Hosts: 62.75.224.159 www.cms1.net
O1 - Hosts: 62.75.224.159 www.cms2.net
O1 - Hosts: 62.75.224.159 www.cms3.net
O1 - Hosts: 62.75.224.159 www.cms4.net
O1 - Hosts: 62.75.224.159 www.cms5.net
O1 - Hosts: 62.75.224.159 www.cms6.net
O1 - Hosts: 62.75.224.159 www.cms7.net
O1 - Hosts: 62.75.224.159 www.cms8.net
O1 - Hosts: 62.75.224.159 www.rg1.com
O1 - Hosts: 62.75.224.159 www.rg2.com
O1 - Hosts: 62.75.224.159 www.rg3.com
O1 - Hosts: 62.75.224.159 www.rg4.com
O1 - Hosts: 62.75.224.159 www.rg5.com
O1 - Hosts: 62.75.224.159 www.rg6.com
O1 - Hosts: 62.75.224.159 www.rg7.com
O1 - Hosts: 62.75.224.159 www.rg8.com
O1 - Hosts: 62.75.224.159 jcms.cydoor.com
O1 - Hosts: 62.75.224.159 cydoor.com
O1 - Hosts: 62.75.224.159 jnova.cjt1.net
O1 - Hosts: 62.75.224.159 jcontent.bns1.m7z.net
O1 - Hosts: 62.75.224.159 j.2004CMS.com
O1 - Hosts: 62.75.224.159 2004CMS.com
O1 - Hosts: 62.75.224.159 bns1.m7z.net
O1 - Hosts: 62.75.224.159 m7z.net
O1 - Hosts: 62.75.224.159 jcontent.bns1.net
O1 - Hosts: 62.75.224.159 jbns2.cydoor.com
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [PtiuPbmd] Rundll32.exe ptipbm.dll,SetWriteBack
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [RevoTaskbarApp] C:\WINDOWS\system32\RevoTask.exe
O4 - HKLM\..\Run: [mp3infp] "C:\Program Files\mp3infp\mp3infp_regist.exe"
O4 - HKLM\..\Run: [Adobe Version Cue CS2] "C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe"
O4 - HKLM\..\Run: [hotyge] C:\Program Files\Windows NT\hotyge22011.exe
O4 - HKLM\..\Run: [{E1-18-8E-E2-ZN}] C:\DOCUME~1\Andrew\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [afbtsukA] C:\WINDOWS\afbtsukA.exe
O4 - HKLM\..\Run: [{ZN}] C:\WINDOWS\TISKY009.exe SKY009
O4 - HKLM\..\RunOnce: [SpybotDeletingA6798] command /c del "C:\WINDOWS\system32\ldcore.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2021] cmd /c del "C:\WINDOWS\system32\ldcore.dll_tobedeleted_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8675] command /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun6.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5120] cmd /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun6.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1625] command /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun5.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6883] cmd /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun5.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA7497] command /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun4.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC241] cmd /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun4.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA126] command /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun3.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3392] cmd /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun3.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2974] command /c del "C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun3.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2734] cmd /c del "C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun3.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingA550] command /c del "C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun2.exe_tobedeleted"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5028] cmd /c del "C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun2.exe_tobedeleted"
O4 - HKCU\..\Run: [Eomu] "C:\PROGRA~1\COMMON~1\PPATCH~1\mshta.exe" -vt yazb
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.1\webbuying.exe
O4 - HKCU\..\Run: [Vcle] C:\WINDOWS\?dobe\l?***.exe
O4 - HKCU\..\Run: [WinPop] C:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\TISKY009.exe
O4 - Global Startup: Adobe Acrobat Speed Launcher.lnk = ?
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Adobe Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_04\bin\npjpi142_04.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Version Cue CS2 - Adobe Systems Incorporated - C:\Program Files\Adobe\Adobe Version Cue CS2\bin\VersionCueCS2.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\MSN Gaming Zone\prohdy.html
--
End of file - 9604 bytes
-- File Associations -----------------------------------------------------------
All associations okay.
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------
R0 IFPUSB (iriver Internet Audio Player IFP-100) - c:\windows\system32\drivers\ifpusb.sys <Not Verified; iRiver, Inc.; IFP-100>
R0 Vax347b - c:\windows\system32\drivers\vax347b.sys
R0 Vax347s - c:\windows\system32\drivers\vax347s.sys
R1 mbmiodrvr - c:\windows\system32\mbmiodrvr.sys <Not Verified; cansoft@livewiredev.com; Windows (R) 2000 DDK driver>
R3 REVO (Service for Revo Driver (WDM)) - c:\windows\system32\drivers\revo.sys <Not Verified; Midiman/M-Audio; M-Audio Revo WDM Driver>
R3 REVOSENS - c:\windows\system32\drivers\revosens.sys <Not Verified; Sensaura Ltd; >
S3 ENTECH - c:\windows\system32\drivers\entech.sys <Not Verified; EnTech Taiwan; PowerStrip>
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------
R2 Diskeeper - "c:\program files\executive software\diskeeper\dkservice.exe" <Not Verified; Executive Software International, Inc.; Diskeeper (TM) Disk Defragmenter>
R2 DomainService - c:\windows\system32\apuuhtya.exe /service <Not Verified; ; DDC>
S2 Net Agent - c:\windows\dls0523pmw.exe
S3 Adobe Version Cue CS2 - "c:\program files\adobe\adobe version cue cs2\bin\versioncuecs2.exe" -win32service <Not Verified; Adobe Systems Incorporated; Adobe Version Cue CS2>
S4 ATMsrvc (ATM Service) - c:\windows\system32\atmsrvc.exe <Not Verified; Adobe Systems Incorporated; Adobe Type Manager>
-- Device Manager: Disabled ----------------------------------------------------
Class GUID: {6BDD1FC1-810F-11D0-BEC7-08002BE2092F}
Description: VIA OHCI Compliant IEEE 1394 Host Controller
Device ID: PCI\VEN_1106&DEV_3044&SUBSYS_808A1043&REV_80\3&267A616A&0&38
Manufacturer: VIA
Name: VIA OHCI Compliant IEEE 1394 Host Controller
PNP Device ID: PCI\VEN_1106&DEV_3044&SUBSYS_808A1043&REV_80\3&267A616A&0&38
Service: ohci1394
Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: RAID Controller
Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&267A616A&0&78
Manufacturer:
Name: RAID Controller
PNP Device ID: PCI\VEN_1106&DEV_3149&SUBSYS_80ED1043&REV_80\3&267A616A&0&78
Service:
Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Printer Port
Device ID: ACPI\PNP0400\1
Manufacturer: (Standard port types)
Name: Printer Port (LPT1)
PNP Device ID: ACPI\PNP0400\1
Service: Parport
Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Communications Port
Device ID: ACPI\PNP0501\2
Manufacturer: (Standard port types)
Name: Communications Port (COM2)
PNP Device ID: ACPI\PNP0501\2
Service: Serial
Class GUID: {4D36E978-E325-11CE-BFC1-08002BE10318}
Description: Communications Port
Device ID: ACPI\PNP0501\1
Manufacturer: (Standard port types)
Name: Communications Port (COM1)
PNP Device ID: ACPI\PNP0501\1
Service: Serial
-- Files created between 2007-07-09 and 2007-08-09 -----------------------------
2007-08-09 12:11:31 21312 --a------ C:\WINDOWS\choice.exe
2007-08-09 12:10:14 0 d-------- C:\ie-spyad
2007-08-09 12:04:51 125504 --a------ C:\WINDOWS\system32\vxmfbmgw.dll
2007-08-09 11:43:34 69184 --a------ C:\WINDOWS\system32\jpsohovp.dll
2007-08-09 11:40:20 4672 --a------ C:\WINDOWS\system32\fiouqsdq.exe
2007-08-09 11:40:16 75328 --a------ C:\WINDOWS\system32\apuuhtya.exe <Not Verified; ; DDC>
2007-08-09 11:40:13 4672 --a------ C:\WINDOWS\system32\mxcruehm.exe
2007-08-09 11:38:09 1757076 ---hs---- C:\WINDOWS\system32\mlkkj.bak2
2007-08-09 11:17:39 0 d-------- C:\WINDOWS\LastGood
2007-08-09 11:06:25 0 d-------- C:\hijackthis
2007-08-09 10:36:47 34816 --a------ C:\WINDOWS\rau001978.exe
2007-08-08 14:23:02 0 d-------- C:\Documents and Settings\LocalService\Desktop
2007-08-08 14:23:01 0 d-------- C:\Documents and Settings\NetworkService\Desktop
2007-08-08 14:22:58 6689 --a------ C:\WINDOWS\system32\ldcore.dll
2007-08-08 14:22:58 9769 --a------ C:\WINDOWS\hrgvx0578.exe
2007-08-08 13:08:43 0 d-------- C:\Documents and Settings\Andrew\Application Data\WinAntiSpyware 2007
2007-08-08 13:07:08 0 dr------- C:\Documents and Settings\All Users\Application Data\SalesMonitor
2007-08-08 13:07:06 79872 --a------ C:\WINDOWS\system32\drivers\FOPN.sys <Not Verified; Windows (R) Codename Longhorn DDK provider; Windows (R) Codename Longhorn DDK driver>
2007-08-08 13:06:52 0 d-------- C:\Program Files\Common Files\WinAntiSpyware 2007
2007-08-08 13:06:49 0 d-------- C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007
2007-08-08 13:05:43 6421 ---hs---- C:\WINDOWS\system32\mlkkj.bak1
2007-08-08 13:05:30 31254 --a------ C:\WINDOWS\system32\ddcyvtu.dll
2007-08-08 13:05:19 231520 --a------ C:\WINDOWS\system32\jkklm.dll
2007-08-08 13:00:26 135168 --a------ C:\WINDOWS\tk58.exe
2007-08-08 13:00:25 2 --a------ C:\WINDOWS\system32\wnstsisv.exe
2007-08-08 13:00:23 0 d-------- C:\WINDOWS\?dobe
2007-08-08 13:00:23 60928 --a------ C:\WINDOWS\system32\magoqwgv.dll
2007-08-08 13:00:23 0 d-------- C:\Program Files\Outerinfo
2007-08-08 13:00:21 65536 --a------ C:\WINDOWS\dls0523pmw.exe
2007-08-08 13:00:21 776352 -r-hs---- C:\WINDOWS\afbtsukA.exe <Not Verified; System Service; System Monitor Service>
2007-08-08 13:00:20 54784 --a------ C:\WINDOWS\afbtsuk.exe
2007-08-08 13:00:19 49152 --a------ C:\WINDOWS\TISKY009.exe
2007-08-08 13:00:18 31254 --a------ C:\WINDOWS\system32\vturpqp.dll
2007-08-08 13:00:18 171520 --a------ C:\WINDOWS\system32\ccaoasc.dll
2007-08-08 13:00:17 0 d-------- C:\WINDOWS\system32\Y2
2007-08-08 13:00:17 0 d-------- C:\WINDOWS\system32\Y1
2007-08-08 13:00:17 0 d-------- C:\WINDOWS\system32\win
2007-08-08 13:00:17 0 d-------- C:\WINDOWS\system32\driver
2007-08-08 13:00:17 0 d-------- C:\WINDOWS\system32\B1
2007-08-08 13:00:16 0 d-------- C:\Program Files\Common Files\??pPatch
2007-08-08 13:00:15 0 d-------- C:\WINDOWS\system32\f02WtR
2007-08-08 13:00:14 31254 --a------ C:\WINDOWS\system32\opnmjkj.dll
2007-08-03 12:57:00 0 d-------- C:\Program Files\CDCheck
2007-07-20 14:27:42 0 d-------- C:\Program Files\CKM
2007-07-17 11:27:12 56320 --a------ C:\WINDOWS\b122.exe
-- Find3M Report ---------------------------------------------------------------
2007-08-09 12:08:19 0 d-------- C:\Program Files\SpywareBlaster
2007-08-09 12:03:02 0 d-------- C:\Program Files\xnews
2007-08-09 11:03:33 0 d--h----- C:\Program Files\InstallShield Installation Information
2007-08-09 11:03:33 0 d-------- C:\Program Files\Common Files
2007-08-08 14:29:24 0 d-------- C:\Program Files\MSN Gaming Zone
2007-08-08 13:00:20 0 d-------- C:\Program Files\Windows NT
2007-08-08 13:00:16 0 d-------- C:\Program Files\Common Files\??pPatch
2007-08-08 12:18:01 0 d-------- C:\Documents and Settings\Andrew\Application Data\Adobe
2007-07-13 14:49:25 0 d-------- C:\Program Files\mIRC
2007-06-22 12:03:20 0 d-------- C:\Program Files\WhereIsMySpace
2007-05-28 11:17:32 4 --a------ C:\WINDOWS\uccspecb.sys
2007-05-28 11:17:28 5519 --a------ C:\WINDOWS\mozver.dat
-- Registry Dump ---------------------------------------------------------------
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3CAC8391-685C-4CFE-2D72-39B60338FFEA}]
08/01/2007 09:43 AM 60928 --a------ C:\WINDOWS\system32\magoqwgv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8D7360D4-F326-4A27-A033-F8E7C0A516CE}]
08/08/2007 01:05 PM 231520 --a------ C:\WINDOWS\system32\jkklm.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ee649e-d494-4668-9376-d0cf68d0de87}]
08/08/2007 01:00 PM 171520 --a------ C:\WINDOWS\system32\ccaoasc.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CF46BFB3-2ACC-441b-B82B-36B9562C7FF1}]
08/09/2007 11:43 AM 69184 --a------ C:\WINDOWS\system32\jpsohovp.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E9BD0828-1FD9-410C-A50F-43EBE65D310F}]
08/08/2007 01:00 PM 31254 --a------ C:\WINDOWS\system32\opnmjkj.dll
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"PtiuPbmd"="ptipbm.dll" [01/15/2003 03:41 PM C:\WINDOWS\system32\ptipbm.dll]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [12/20/2001 09:42 AM]
"RevoTaskbarApp"="C:\WINDOWS\system32\RevoTask.exe" [04/20/2005 02:44 PM]
"mp3infp"="C:\Program Files\mp3infp\mp3infp_regist.exe" [04/25/2005 11:14 AM]
"Adobe Version Cue CS2"="C:\Program Files\Adobe\Adobe Version Cue CS2\ControlPanel\VersionCueCS2Tray.exe" [04/04/2005 06:58 PM]
"Acrobat Assistant 7.0"="C:\Program Files\Adobe\Adobe Acrobat 7.0\Distillr\Acrotray.exe" [01/12/2006 09:52 PM]
"hotyge"="C:\Program Files\Windows NT\hotyge22011.exe" [08/07/2007 04:30 PM]
"{E1-18-8E-E2-ZN}"="C:\DOCUME~1\Andrew\LOCALS~1\Temp\thinksnet.exe" []
"afbtsukA"="C:\WINDOWS\afbtsukA.exe" [12/12/1989 10:10 AM]
"{ZN}"="C:\WINDOWS\TISKY009.exe" [08/08/2007 01:00 PM]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [11/04/2005 02:04 PM]
"SystemOptimizer"="C:\WINDOWS\system32\vxmfbmgw.dll" [08/09/2007 12:04 PM]
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Eomu"="C:\PROGRA~1\COMMON~1\PPATCH~1\mshta.exe" [08/08/2007 01:00 PM]
"WebBuying"="C:\Program Files\Web Buying\v1.8.1\webbuying.exe" []
"Vcle"="C:\WINDOWS\?dobe\l?***.exe" [08/01/2007 09:44 AM]
"WinPop"="C:\Program Files\WinPop\winpop.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA6798"=command /c del "C:\WINDOWS\system32\ldcore.dll_tobedeleted_old"
"SpybotDeletingC2021"=cmd /c del "C:\WINDOWS\system32\ldcore.dll_tobedeleted_old"
"SpybotDeletingA8675"=command /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun6.exe_tobedeleted"
"SpybotDeletingC5120"=cmd /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun6.exe_tobedeleted"
"SpybotDeletingA1625"=command /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun5.exe_tobedeleted"
"SpybotDeletingC6883"=cmd /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun5.exe_tobedeleted"
"SpybotDeletingA7497"=command /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun4.exe_tobedeleted"
"SpybotDeletingC241"=cmd /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun4.exe_tobedeleted"
"SpybotDeletingA126"=command /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun3.exe_tobedeleted"
"SpybotDeletingC3392"=cmd /c del "C:\Documents and Settings\NetworkService\Local Settings\Temp\stdrun3.exe_tobedeleted"
"SpybotDeletingA2974"=command /c del "C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun3.exe_tobedeleted"
"SpybotDeletingC2734"=cmd /c del "C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun3.exe_tobedeleted"
"SpybotDeletingA550"=command /c del "C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun2.exe_tobedeleted"
"SpybotDeletingC5028"=cmd /c del "C:\Documents and Settings\LocalService\Local Settings\Temp\stdrun2.exe_tobedeleted"
C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\
TA_Start.lnk - C:\WINDOWS\TISKY009.exe [8/8/2007 1:00:19 PM]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Acrobat Speed Launcher.lnk - C:\WINDOWS\Installer\{AC76BA86-1033-0000-7760-000000000002}\SC_Acrobat.exe [8/20/2005 5:03:16 PM]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/19/2004 1:21:20 PM]
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [10/19/2004 1:21:20 PM]
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source= C:\Program Files\MSN Gaming Zone\prohdy.html
FriendlyName=
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{E9BD0828-1FD9-410C-A50F-43EBE65D310F}"= C:\WINDOWS\system32\opnmjkj.dll [08/08/2007 01:00 PM 31254]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklm]
C:\WINDOWS\system32\jkklm.dll 08/08/2007 01:05 PM 231520 C:\WINDOWS\system32\jkklm.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\opnmjkj]
opnmjkj.dll 08/08/2007 01:00 PM 31254 C:\WINDOWS\system32\opnmjkj.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"= c:\windows\system32\ldcore.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Andrew^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
path=C:\Documents and Settings\Andrew\Start Menu\Programs\Startup\LimeWire On Startup.lnk
backup=C:\WINDOWS\pss\LimeWire On Startup.lnkStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ashampoo PopUpBlocker]
C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUpKiller.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iRiver Updater]
\Updater.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=2 (0x2)
*Newly Created Service* - DOMAINSERVICE
-- Hosts -----------------------------------------------------------------------
127.0.0.1 ads.web.aol.com
127.0.0.1 ar.atwola.com
127.0.0.1 101order.com
127.0.0.1 123banners.com
127.0.0.1 123found.com
127.0.0.1 180solutions.com
127.0.0.1 247media.com
127.0.0.1 24pm-affiliation.com
127.0.0.1 2o7.net
127.0.0.1 4affiliate.net
1443 more entries in hosts file.
-- End of Deckard's System Scanner: finished at 2007-08-09 at 12:23:04 ---------