Tech Support Forum > Security Center > HijackThis Log Help

HijackThis Log Help: Get Rid Of Malware With Help From Our Analysts. Follow the "First Steps" link at the top right of each page before posting for help.
10-01-2006, 10:39 AM   #1
Registered User
 
Join Date: Sep 2006
Posts: 5
OS: xp


winbfi32.dll

I have McAfee but it couldn't delete the file "winbfi32.dll". I downloaded HijackThis but I'm not sure how to get rid of this virus. Help!!!! Thank you!!!

Logfile of HijackThis v1.99.1
Scan saved at 12:38:24 PM, on 10/1/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1133585381\ee\services\safetyCore\ver2_5_4_1\aolavupd.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\mcafee.com\ANTIVI~1\OasClnt.exe
C:\WINDOWS\system32\SAgent4.exe
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\WINDOWS\system32\WgaTray.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
C:\Program Files\Common Files\AOL\1133585381\ee\AOLSoftware.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1133585381\ee\services\safetyCore\ver2_5_4_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Common Files\AOL\1133585381\ee\aolsoftware.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\Common Files\AOL\1133585381\ee\SSCEvtHdlr.exe
C:\WINDOWS\TEMP\winA1.tmp.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\Program Files\BearShare\BearShare.exe
c:\program files\common files\aol\1133585381\ee\aolssc.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Lauri Friedman\Desktop\New Folder\Smiley!RU.exe
C:\WINDOWS\system32\dumprep.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://clienturls.aol.com/safety/us/main/tellmemore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {133E39CF-700A-436C-376F-077939AC7035} - C:\WINDOWS\system32\bdtvmmg.dll
O2 - BHO: (no name) - {236CE3CC-7DA7-55DF-21DB-08E751CD4318} - C:\WINDOWS\system32\oziachd.dll
O2 - BHO: (no name) - {27BA21A6-841C-D533-23B7-0B6891B428A0} - C:\WINDOWS\system32\wdtypq.dll
O2 - BHO: (no name) - {32985B31-D6B1-C430-F0A2-0464796560B5} - C:\WINDOWS\system32\qhnazte.dll
O2 - BHO: (no name) - {36C1988C-D6CF-9432-461C-0B873077378C} - C:\WINDOWS\system32\jxjralh.dll
O2 - BHO: (no name) - {3B585AAC-80FE-41DD-125F-059E06E8B7EC} - C:\WINDOWS\system32\yrynacj.dll
O2 - BHO: (no name) - {4630B19E-7D87-32C4-7B81-07E2B061D519} - C:\WINDOWS\system32\yrfkvun.dll
O2 - BHO: (no name) - {50B8EF84-D4F8-72FD-F005-09FDEF1034C7} - C:\WINDOWS\system32\qdjwten.dll
O2 - BHO: (no name) - {57B1B911-A210-1A85-1952-0656F3639E9F} - C:\WINDOWS\system32\wbobtal.dll
O2 - BHO: (no name) - {67CFFB07-2166-4D31-9CE3-BD281982539F} - C:\WINDOWS\system32\pmkhg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: (no name) - {B7672BAF-E9A3-49B6-86B2-C81719A18A4C} - C:\WINDOWS\system32\aaephdhc.dll
O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\system32\winvbie.dll (file missing)
O2 - BHO: (no name) - {D3B3C51E-8D11-4667-85B9-0930F519BED7} - C:\WINDOWS\system32\vtuurrr.dll
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C66 Series on judi] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P36 "Auto EPSON Stylus C66 Series on judi" /O12 "\\JUDI\Epson" /M "Stylus C66"
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133585381\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ixfivgg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ixfivgg.dll,fivplce
O4 - HKLM\..\Run: [aduoswl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\aduoswl.dll,iihnsh
O4 - HKLM\..\Run: [llcljnl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\llcljnl.dll,gnhurwd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [asxgtee.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\asxgtee.dll,vjyuxvd
O4 - HKLM\..\Run: [vrpjlwl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vrpjlwl.dll,cjhiytd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gjzcygd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gjzcygd.dll,vvjante
O4 - HKLM\..\Run: [zqxdreb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zqxdreb.dll,wviaqgb
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1133585381\ee\services\safetyCore\ver2_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1133585381\ee\SSCRun.exe
O4 - HKLM\..\Run: [ghyklvm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ghyklvm.dll,zmtsglb
O4 - HKLM\..\Run: [gipvamn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gipvamn.dll,mmkwvrd
O4 - HKCU\..\Run: [\\judi\EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P30 "\\judi\EPSON Stylus C66 Series" /M "Stylus C66" /EF "HKCU"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/1,0,1,0/McUpdatePortal.cab
O20 - Winlogon Notify: awtsqpn - awtsqpn.dll (file missing)
O20 - Winlogon Notify: nnnmkhf - nnnmkhf.dll (file missing)
O20 - Winlogon Notify: pmkhg - C:\WINDOWS\system32\pmkhg.dll
O20 - Winlogon Notify: vtuurrr - C:\WINDOWS\SYSTEM32\vtuurrr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: incestuously - {03413bf7-e34c-445b-bfc0-a2b127255871} - (no file)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1133585381\ee\services\safetyCore\ver2_5_4_1\aolavupd.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
Smiley!RU is offline  
10-01-2006, 05:08 PM   #2
Analyst, Security Team ; TSF Supporter
 
fredmh
 
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP


Hello Smiley!RU, and welcome to TSF.


I am currently reviewing your log. Please note that this is under the supervision of an expert analyst,
and I will be back with a fix for your problem as soon as possible.

You may wish to Subscribe to this thread (Thread Tools) so that you are notified when you receive a reply.

Please be patient with me during this time.
fredmh is offline  
10-02-2006, 12:34 PM   #3
Analyst, Security Team ; TSF Supporter
 
fredmh
 
Join Date: May 2006
Location: Phila,Pa
Posts: 2,335
OS: XP


Please subscribe to this thread to get immediate notification of replies as soon as they are posted. To do this click Thread Tools,
then click Subscribe to this Thread. Make sure it is set to Instant Notification, then click Subscribe.


Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this
webpage would not be available when you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

The fixes we will use are specific to your problems and should only be used for this issue on this machine.

Please only use this topic to reply to. Do not start another thread.
If any other issues arise let me know.

The process is not instant. Please continue to review my answers until I tell you your machine is clear.
Absence of symptoms does not mean that everything is clear, so let's do this to the end. Please make every effort to reply to my posts in a timely manner.

Malware breeds malware, and the longer an infection remains on a system, the more likely additional infections will result!


----------------------------------------

This system is very badly infected. Stick with me and we'll get it clean

----------------------------------------

P2P INSTALLED

I see you have P2P software (i.e. BearShare) installed on your machine. We are not here to pass judgment on file-sharing
as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you
more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

----------------------------------------

DOWNLOADS


ComboFix


1. Download this file - You MUST save it to your desktop

http://download.bleepingcomputer.com/sUBs/combofix.exe

or

http://www.techsupportforum.com/sectools/combofix.exe


SmitFraud


Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

IMPORTANT: Do NOT run option #2 OR any other option until you are directed to do so!

----------------------------------------

Please disconnect your system from the internet

----------------------------------------

ComboFix





2. Go to <<Start>> then <<Run>> then paste in the single line command then click OK

"%userprofile%\desktop\combofix.exe" /v pmkhg aaephdhc vtuurrr bdtvmmg oziachd wdtypq qhnazte jxjralh yrynacj yrfkvun qdjwten wbobtal ixfivgg aduoswl llcljnl asxgtee vrpjlwl gjzcygd zqxdreb ghyklvm gipvamn winvbie



3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------


SAFE MODE RE-BOOT

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list).
In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

----------------------------------------

FIXES AND DELETIONS




SmitFraud - OPTION 2


Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted: "Registry cleaning - Do you want to clean the registry?" Answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question " Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically, please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, e.g. Local Disk C: (C:\rapport.txt), or of the partition where your operating system is installed. Please post that log along with all others requested in your next reply.

----------------------------------------

SECURE DESKTOP


Next go to Control Panel click Display>Desktop>Customize Desktop>Web> Now, Uncheck Everything and delete if present:

  • "Security Info"
  • "Warning Message"
  • "Security Desktop"
  • "Warning Homepage"
  • "Desktop Uninstall"


Also make sure the 'Lock desktop items' box is unticked. Click OK, and then Click Apply, then OK.

----------------------------------------
SYSTEM RE-BOOT

Reboot into Normal Mode.

----------------------------------------

SmitFraud - OPTION 3

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.



Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford.
For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.

----------------------------------------

ComboFix - 2nd Run


2. Double click combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

----------------------------------------

Please re-establish your internet connection

----------------------------------------

ON-LINE SCANS


Perform an online scan with Internet Explorer with Panda ActiveScan

Click on the "Free To Use ActiveScan" located on the top right hand corner
  1. Click Check Now and a "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  2. Enter your e-mail address, country, and state & click Scan Now * The download of the 8 MB Panda's ActiveX control will take place *

Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on See report then click Save report

* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


----------------------------------------

FOLLOW-UP

Please return and post these items:

C:\rapport.txt from the SmitFraud tool
ComboFix.txt
ComboFix2.txt
Panda scan
A new HJT log run in Normal Mode


Please note: In order to properly see what is on your system, all HJT logs must be run in Normal Mode.
fredmh is offline  
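The DLL names in fredmh's ComboFix `/v` command are exactly the basenames behind the anonymous O2 BHOs, the rundll32-loaded O4 autoruns and the O20 Winlogon Notify handlers in the HijackThis log above. The script below is an added example, not code from this thread, from HijackThis or from ComboFix: it parses a constructed excerpt of the posted log (known-good Adobe, Java, QuickTime, Nero and WGA entries left in as negatives), pulls out the candidates with that same pattern, and formats them in the shape of the `/v` argument. The function names and the three heuristics (nameless or GUID-named BHO in system32, a Run value that loads a system32 DLL through a rundll32 export, an orphaned or random-lowercase-named Winlogon Notify handler) are my assumptions about what the analyst looked for, not a documented rule, and every hit is a candidate for review rather than a verdict.

```python
import re

# Constructed sample: lines copied from the HijackThis log posted in this
# thread, with legitimate entries kept so the filter has something to ignore.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {133E39CF-700A-436C-376F-077939AC7035} - C:\WINDOWS\system32\bdtvmmg.dll
O2 - BHO: (no name) - {67CFFB07-2166-4D31-9CE3-BD281982539F} - C:\WINDOWS\system32\pmkhg.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\system32\winvbie.dll (file missing)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ixfivgg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ixfivgg.dll,fivplce
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O20 - Winlogon Notify: awtsqpn - awtsqpn.dll (file missing)
O20 - Winlogon Notify: pmkhg - C:\WINDOWS\system32\pmkhg.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Line shapes as HijackThis 1.99 prints them (assumed from the log above).
RE_O2 = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[^}]+)\} - (?P<path>.*)$")
RE_O4 = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<item>[^\]]*)\] (?P<cmd>.*)$")
RE_O20 = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")
RE_RUNDLL = re.compile(r"rundll32\.exe\s+(?P<dll>\S+?\.dll),(?P<export>\w+)", re.IGNORECASE)
RE_BASENAME = re.compile(r"([A-Za-z0-9_]+)\.dll$", re.IGNORECASE)
RE_RANDOM = re.compile(r"^[a-z]{5,8}$")  # heuristic for the random lowercase names seen here
MISSING = " (file missing)"


def _split_missing(path):
    """Separate HijackThis's '(file missing)' marker from the path."""
    if path.endswith(MISSING):
        return path[: -len(MISSING)], True
    return path, False


def _basename(path):
    m = RE_BASENAME.search(path)
    return m.group(1) if m else None


def _in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return {dll_basename: reason} for O2/O4/O20 entries matching the
    Vundo-style loading pattern. Hits are candidates for an analyst, not verdicts."""
    hits = {}
    for line in log_text.splitlines():
        line = line.strip()
        m = RE_O2.match(line)
        if m:
            path, missing = _split_missing(m.group("path"))
            name = m.group("name")
            base = _basename(path)
            # A BHO that registers no display name (or only a GUID) and lives
            # in system32 is the footprint repeated a dozen times in the log.
            if base and _in_system32(path) and (name == "(no name)" or name.startswith("{")):
                hits.setdefault(base, "O2 BHO with no name in system32" + (MISSING if missing else ""))
            continue
        m = RE_O4.match(line)
        if m:
            r = RE_RUNDLL.search(m.group("cmd"))
            # Autorun value that loads a system32 DLL through rundll32 with an
            # arbitrary export name; the value itself is named after the DLL.
            if r and _in_system32(r.group("dll")):
                hits.setdefault(_basename(r.group("dll")),
                                "O4 Run value loads DLL via rundll32 export " + r.group("export"))
            continue
        m = RE_O20.match(line)
        if m:
            path, missing = _split_missing(m.group("path"))
            base = _basename(path)
            # Winlogon Notify handlers run inside winlogon.exe: an orphaned
            # handler or a random lowercase name in system32 is worth a look.
            # WgaLogon's mixed-case name is deliberately not caught.
            if base and (missing or (_in_system32(path) and RE_RANDOM.match(base))):
                hits.setdefault(base, "O20 Winlogon Notify handler" + (MISSING if missing else ""))
    return hits


def vundo_switch(hits):
    """Format the candidates as the '/v name ...' argument fredmh's command used."""
    return "/v " + " ".join(sorted(hits))


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for base, reason in sorted(found.items()):
        print("%-10s %s" % (base, reason))
    print(vundo_switch(found))
```

Run against the full log from post #1, the same three rules reproduce the analyst's list; the only additions are the orphaned O20 handlers (awtsqpn, nnnmkhf), which point at files already gone and so need no deletion switch.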
10-02-2006, 06:24 PM   #4
Registered User
 
Join Date: Sep 2006
Posts: 5
OS: xp


Next posting

Thank you so much!!!! I think I followed all the directions. So here's hoping.
Lauri Friedman - 06-10-02 19:24:36.25 Service Pack 2

Combofix #1

ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Lauri Friedman\desktop"
Command switches used :: /v pmkhg aaephdhc vtuurrr bdtvmmg oziachd wdtypq qhnazte jxjralh yrynacj yrfkvun qdjwten wbobtal

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\pmkhg.dll
C:\WINDOWS\system32\aaephdhc.dll
C:\WINDOWS\system32\bdtvmmg.dll
C:\WINDOWS\system32\oziachd.dll
C:\WINDOWS\system32\wdtypq.dll
C:\WINDOWS\system32\qhnazte.dll
C:\WINDOWS\system32\jxjralh.dll
C:\WINDOWS\system32\yrynacj.dll
C:\WINDOWS\system32\yrfkvun.dll
C:\WINDOWS\system32\qdjwten.dll
C:\WINDOWS\system32\wbobtal.dll
C:\WINDOWS\system32\ghkmp.bak1
C:\WINDOWS\system32\ghkmp.bak2
C:\WINDOWS\system32\ghkmp.ini
C:\WINDOWS\system32\ghkmp.ini2
C:\WINDOWS\system32\ghkmp.tmp


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ismini.exe
C:\WINDOWS\system32\isnotify.exe
C:\WINDOWS\system32\issearch.exe
C:\Program Files\outlook
C:\WINDOWS\system32\components
C:\Program Files\Common Files\{3CA55C44-08CD-1033-0913-020403020001}
C:\Program Files\Common Files\{3CA55C44-08CE-1033-0913-020403020001}


((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))


2006-10-01 18:39 23,296 --a------ C:\WINDOWS\system32\drivers\NaiFiltr.sys
2006-10-01 17:37 94,208 --a------ C:\WINDOWS\system32\sckojod.dll
2006-10-01 17:37 72,704 --a------ C:\WINDOWS\system32\xixoodd.dll
2006-09-30 15:07 94,208 --a------ C:\WINDOWS\system32\gipvamn.dll
2006-09-30 07:42 93,696 --a------ C:\WINDOWS\system32\ghyklvm.dll
2006-09-30 07:29 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2006-09-28 13:01 93,696 --a------ C:\WINDOWS\system32\zqxdreb.dll
2006-09-28 11:10 94,208 --a------ C:\WINDOWS\system32\gjzcygd.dll
2006-09-28 09:59 45,525 --a------ C:\WINDOWS\system32\fumsjwle.dll
2006-09-28 09:59 143,380 --a------ C:\WINDOWS\system32\ykjoujdv.exe
2006-09-28 09:10 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-09-28 09:08 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-28 09:08 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-09-28 09:04 93,696 --a------ C:\WINDOWS\system32\vrpjlwl.dll
2006-09-27 21:59 94,208 --a------ C:\WINDOWS\system32\asxgtee.dll
2006-09-27 09:18 93,696 --a------ C:\WINDOWS\system32\llcljnl.dll
2006-09-27 09:18 37,189 ---hs---- C:\WINDOWS\system32\fccbxvt.dll
2006-09-26 20:43 93,696 --a------ C:\WINDOWS\system32\aduoswl.dll
2006-09-26 15:40 4 --a------ C:\WINDOWS\system32\micro.dll
2006-09-26 15:07 4 --a------ C:\WINDOWS\system32\mjcrost.dll
2006-09-26 14:15 45,525 --a------ C:\WINDOWS\system32\tqoomify.dll
2006-09-26 14:15 143,380 --a------ C:\WINDOWS\system32\uxrwqlob.exe
2006-09-26 14:01 93,696 --a------ C:\WINDOWS\system32\ixfivgg.dll
2006-09-26 12:30 4 --a------ C:\WINDOWS\system32\mlcrs0ft.dll
2006-09-26 12:28 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-09-26 12:28 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-09-26 12:28 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-09-26 12:28 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-09-26 12:28 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-09-26 12:28 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-09-18 13:11 778,240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-09-18 13:11 778,240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-09-18 13:11 761,856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-09-18 13:11 620,180 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-17 22:49 163,599 --a------ C:\WINDOWS\psuninst2.exe
2006-09-17 22:09 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2006-09-17 22:09 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2006-09-14 23:55 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-09-14 19:16 32,304 --a------ C:\WINDOWS\system32\drivers\atwpkt264.sys
2006-09-14 19:16 25,136 --a------ C:\WINDOWS\system32\drivers\atwpkt2.sys
2006-09-14 19:16 103,984 --a------ C:\WINDOWS\system32\AOLDial.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-02 19:25 -------- d-------- C:\Program Files\Common Files
2006-10-01 18:39 -------- d-------- C:\Program Files\mcafee.com
2006-10-01 15:02 -------- d-------- C:\Documents and Settings\Lauri Friedman\Application Data\AOL
2006-09-30 07:36 -------- d-------- C:\Program Files\AOL
2006-09-30 07:32 -------- d-------- C:\Program Files\Common Files\AOL
2006-09-28 11:02 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-28 11:01 -------- d-------- C:\Program Files\Symantec
2006-09-28 11:01 -------- d-------- C:\Program Files\Norton SystemWorks
2006-09-27 20:05 -------- d-------- C:\Program Files\Common Files\Ahead
2006-09-26 15:46 -------- d-------- C:\Program Files\DVD Shrink
2006-09-26 15:07 -------- d-------- C:\Program Files\Ultimate Cleaner
2006-09-26 14:23 -------- d-------- C:\Documents and Settings\Lauri Friedman\Application Data\SearchToolbarCorp
2006-09-26 14:15 -------- d-------- C:\Program Files\VSToolbar
2006-09-26 12:30 -------- d-------- C:\Program Files\Super DVD Copy
2006-09-26 12:03 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-26 11:20 -------- d-------- C:\Program Files\DivX
2006-09-23 12:13 -------- d-------- C:\Documents and Settings\Lauri Friedman\Application Data\acccore
2006-09-20 15:26 -------- d-------- C:\Documents and Settings\Lauri Friedman\Application Data\AdobeUM
2006-09-20 15:24 -------- d-------- C:\Program Files\Fish Aquarium 3D Screensaver
2006-09-17 22:13 -------- d---s---- C:\Documents and Settings\Lauri Friedman\Application Data\Microsoft
2006-09-17 22:10 2508 --a------ C:\Documents and Settings\Lauri Friedman\Application Data\$_hpcst$.hpc
2006-09-17 22:08 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-13 20:21 -------- d-------- C:\Program Files\Common Files\ODBC
2006-09-08 01:33 -------- d-------- C:\Program Files\BearShare
2006-09-05 19:53 -------- d-------- C:\Program Files\America Online 9.0
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 04:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-14 11:07 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-11 23:30 -------- d-------- C:\Program Files\Internet Explorer
2006-08-11 12:35 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-08-11 12:35 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-08-11 12:35 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-08-11 12:35 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-08-11 12:31 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-11 12:31 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-08-11 12:31 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-08-11 12:31 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-08-11 12:31 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-08-11 12:31 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-08-11 12:31 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-08-11 12:31 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-08-11 12:31 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-08-11 12:31 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\judi\\EPSON Stylus C66 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2S1.EXE /P30 \"\\\\judi\\EPSON Stylus C66 Series\" /M \"Stylus C66\" /EF \"HKCU\""
"H/PC Connection Agent"="\"C:\\PROGRA~1\\MICROS~3\\wcescomm.exe\""
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
"AOL Fast Start"="\"C:\\PROGRA~1\\AMERIC~1.0\\AOL.EXE\" -b"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"OASClnt"="C:\\Program Files\\mcafee.com\\antivirus\\oasclnt.exe"
"EmailScan"="C:\\Program Files\\mcafee.com\\antivirus\\mcvsescn.exe"
"Auto EPSON Stylus C66 Series on judi"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2S1.EXE /P36 \"Auto EPSON Stylus C66 Series on judi\" /O12 \"\\\\JUDI\\Epson\" /M \"Stylus C66\""
"MPFExe"="C:\\Program Files\\mcafee.com\\personal firewall\\MPfTray.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1133585381\\ee\\AOLSoftware.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ixfivgg.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ixfivgg.dll,fivplce"
"aduoswl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\aduoswl.dll,iihnsh"
"llcljnl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\llcljnl.dll,gnhurwd"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Nero\\Nero 7\\InCD\\InCD.exe"
"asxgtee.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\asxgtee.dll,vjyuxvd"
"vrpjlwl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\vrpjlwl.dll,cjhiytd"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"gjzcygd.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\gjzcygd.dll,vvjante"
"zqxdreb.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\zqxdreb.dll,wviaqgb"
"AOLSPScheduler"="C:\\Program Files\\Common Files\\AOL\\1133585381\\ee\\services\\safetyCore\\ver2_5_4_1\\AOLSP Scheduler.exe"
"sscRun"="C:\\Program Files\\Common Files\\AOL\\1133585381\\ee\\SSCRun.exe"
"ghyklvm.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ghyklvm.dll,zmtsglb"
"gipvamn.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\gipvamn.dll,mmkwvrd"
"sckojod.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\sckojod.dll,xuqdex"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="about:Home"
"SubscribedURL"="about:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,58,02,00,00,00,\
00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,ff,ff,00,00,ff,ff,00,00,ff,ff,ff,ff,ff,ff,\
ff,ff,04,00,00,00
"RestoredStateInfo"=hex:18,00,00,00,6a,02,00,00,23,00,00,00,a4,00,00,00,9a,00,\
00,00,01,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000
"NoDriveAutoRun"=hex:ff,ff,ff,03

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000001
"BackupNoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"incestuously"="{03413bf7-e34c-445b-bfc0-a2b127255871}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ANIWZCS2Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WZCSLDR2"
"hkey"="HKLM"
"command"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AOL Fast Start]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOL"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\AMERIC~1.0\\AOL.EXE\" -b"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AOLSPScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSP Scheduler"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1133585381\\ee\\services\\sscAntiSpywarePlugin\\ver1_10_3_1\\AOLSP Scheduler.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\EPSON Stylus C66 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I2S1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2S1.EXE /P23 \"EPSON Stylus C66 Series\" /O5 \"LPT1:\" /M \"Stylus C66\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1133585381\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\sscRun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SSCRun"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1133585381\\ee\\services\\sscFirewallPlugin\\ver1_10_3_1\\SSCRun.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsqpn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmkhf

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (LAURI-Lauri Friedman).job

Completion time: Mon 10/02/2006 19:27:16.37
ComboFix.txt

Rapport

SmitFraudFix v2.104

Scan done at 19:38:23.34, Mon 10/02/2006
Run from C:\Documents and Settings\Lauri Friedman\Desktop\SmitfraudFix\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\Documents and Settings\Lauri Friedman\Application Data\Microsoft\Internet Explorer\Quick Launch\SpyQuake2.com 2.3.lnk Deleted
C:\DOCUME~1\LAURIF~1\FAVORI~1\Antivirus Test Online.url Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Combo Fix #2

Lauri Friedman - 06-10-02 19:48:50.87 Service Pack 2
ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Lauri Friedman\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2006-09-02 to 2006-10-02 ))))))))))))))))))))))))))))))))))


2006-10-02 19:35 53,248 --a------ C:\WINDOWS\system32\Process.exe
2006-10-02 19:35 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2006-10-02 19:35 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2006-10-02 19:35 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2006-10-01 18:39 23,296 --a------ C:\WINDOWS\system32\drivers\NaiFiltr.sys
2006-10-01 17:37 94,208 --a------ C:\WINDOWS\system32\sckojod.dll
2006-10-01 17:37 72,704 --a------ C:\WINDOWS\system32\xixoodd.dll
2006-09-30 15:07 94,208 --a------ C:\WINDOWS\system32\gipvamn.dll
2006-09-30 07:42 93,696 --a------ C:\WINDOWS\system32\ghyklvm.dll
2006-09-30 07:29 82,432 --a------ C:\WINDOWS\system32\msxml4r.dll
2006-09-28 13:01 93,696 --a------ C:\WINDOWS\system32\zqxdreb.dll
2006-09-28 11:10 94,208 --a------ C:\WINDOWS\system32\gjzcygd.dll
2006-09-28 09:59 45,525 --a------ C:\WINDOWS\system32\fumsjwle.dll
2006-09-28 09:59 143,380 --a------ C:\WINDOWS\system32\ykjoujdv.exe
2006-09-28 09:10 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
2006-09-28 09:08 48,816 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
2006-09-28 09:08 109,744 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
2006-09-28 09:04 93,696 --a------ C:\WINDOWS\system32\vrpjlwl.dll
2006-09-27 21:59 94,208 --a------ C:\WINDOWS\system32\asxgtee.dll
2006-09-27 09:18 93,696 --a------ C:\WINDOWS\system32\llcljnl.dll
2006-09-27 09:18 37,189 ---hs---- C:\WINDOWS\system32\fccbxvt.dll
2006-09-26 20:43 93,696 --a------ C:\WINDOWS\system32\aduoswl.dll
2006-09-26 15:40 4 --a------ C:\WINDOWS\system32\micro.dll
2006-09-26 15:07 4 --a------ C:\WINDOWS\system32\mjcrost.dll
2006-09-26 14:15 45,525 --a------ C:\WINDOWS\system32\tqoomify.dll
2006-09-26 14:15 143,380 --a------ C:\WINDOWS\system32\uxrwqlob.exe
2006-09-26 14:01 93,696 --a------ C:\WINDOWS\system32\ixfivgg.dll
2006-09-26 12:30 4 --a------ C:\WINDOWS\system32\mlcrs0ft.dll
2006-09-26 12:28 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
2006-09-26 12:28 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
2006-09-26 12:28 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
2006-09-26 12:28 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
2006-09-26 12:28 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
2006-09-26 12:28 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
2006-09-18 13:11 778,240 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2006-09-18 13:11 778,240 --a------ C:\WINDOWS\system32\divx_xx07.dll
2006-09-18 13:11 761,856 --a------ C:\WINDOWS\system32\divx_xx11.dll
2006-09-18 13:11 620,180 --a------ C:\WINDOWS\system32\DivX.dll
2006-09-17 22:49 163,599 --a------ C:\WINDOWS\psuninst2.exe
2006-09-17 22:09 30,592 --------- C:\WINDOWS\system32\drivers\rndismpx.sys
2006-09-17 22:09 12,800 --------- C:\WINDOWS\system32\drivers\usb8023x.sys
2006-09-14 23:55 306,688 --a------ C:\WINDOWS\IsUninst.exe
2006-09-14 19:16 32,304 --a------ C:\WINDOWS\system32\drivers\atwpkt264.sys
2006-09-14 19:16 25,136 --a------ C:\WINDOWS\system32\drivers\atwpkt2.sys
2006-09-14 19:16 103,984 --a------ C:\WINDOWS\system32\AOLDial.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-02 19:25 -------- d-------- C:\Program Files\Common Files
2006-10-01 18:39 -------- d-------- C:\Program Files\mcafee.com
2006-10-01 15:02 -------- d-------- C:\Documents and Settings\Lauri Friedman\Application Data\AOL
2006-09-30 07:36 -------- d-------- C:\Program Files\AOL
2006-09-30 07:32 -------- d-------- C:\Program Files\Common Files\AOL
2006-09-28 11:02 -------- d-------- C:\Program Files\Common Files\Symantec Shared
2006-09-28 11:01 -------- d-------- C:\Program Files\Symantec
2006-09-28 11:01 -------- d-------- C:\Program Files\Norton SystemWorks
2006-09-27 20:05 -------- d-------- C:\Program Files\Common Files\Ahead
2006-09-26 15:46 -------- d-------- C:\Program Files\DVD Shrink
2006-09-26 15:07 -------- d-------- C:\Program Files\Ultimate Cleaner
2006-09-26 14:23 -------- d-------- C:\Documents and Settings\Lauri Friedman\Application Data\SearchToolbarCorp
2006-09-26 14:15 -------- d-------- C:\Program Files\VSToolbar
2006-09-26 12:30 -------- d-------- C:\Program Files\Super DVD Copy
2006-09-26 12:03 -------- d-------- C:\Program Files\Microsoft ActiveSync
2006-09-26 11:20 -------- d-------- C:\Program Files\DivX
2006-09-23 12:13 -------- d-------- C:\Documents and Settings\Lauri Friedman\Application Data\acccore
2006-09-20 15:26 -------- d-------- C:\Documents and Settings\Lauri Friedman\Application Data\AdobeUM
2006-09-20 15:24 -------- d-------- C:\Program Files\Fish Aquarium 3D Screensaver
2006-09-17 22:13 -------- d---s---- C:\Documents and Settings\Lauri Friedman\Application Data\Microsoft
2006-09-17 22:10 2508 --a------ C:\Documents and Settings\Lauri Friedman\Application Data\$_hpcst$.hpc
2006-09-17 22:08 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-09-13 20:21 -------- d-------- C:\Program Files\Common Files\ODBC
2006-09-08 01:33 -------- d-------- C:\Program Files\BearShare
2006-09-05 19:53 -------- d-------- C:\Program Files\America Online 9.0
2006-08-21 07:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 04:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-21 04:14 128896 --a------ C:\WINDOWS\system32\drivers\fltmgr.sys
2006-08-14 11:07 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-08-11 23:30 -------- d-------- C:\Program Files\Internet Explorer
2006-08-11 12:35 520192 --a------ C:\WINDOWS\system32\DivXsm.exe
2006-08-11 12:35 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2006-08-11 12:35 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2006-08-11 12:35 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2006-08-11 12:31 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2006-08-11 12:31 593920 --a------ C:\WINDOWS\system32\dpuGUI11.dll
2006-08-11 12:31 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2006-08-11 12:31 53248 --a------ C:\WINDOWS\system32\dpuGUI10.dll
2006-08-11 12:31 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2006-08-11 12:31 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2006-08-11 12:31 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2006-08-11 12:31 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2006-08-11 12:31 12288 --a------ C:\WINDOWS\system32\DivXWMPExtType.dll
2006-08-11 12:31 118784 --a------ C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2006-07-27 08:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-21 03:24 72704 --a------ C:\WINDOWS\system32\hlink.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"\\\\judi\\EPSON Stylus C66 Series"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2S1.EXE /P30 \"\\\\judi\\EPSON Stylus C66 Series\" /M \"Stylus C66\" /EF \"HKCU\""
"H/PC Connection Agent"="\"C:\\PROGRA~1\\MICROS~3\\wcescomm.exe\""
"updateMgr"="C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1"
"AOL Fast Start"="\"C:\\PROGRA~1\\AMERIC~1.0\\AOL.EXE\" -b"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"D-Link AirPlus G"="C:\\Program Files\\D-Link\\AirPlus G\\AirGCFG.exe"
"OASClnt"="C:\\Program Files\\mcafee.com\\antivirus\\oasclnt.exe"
"EmailScan"="C:\\Program Files\\mcafee.com\\antivirus\\mcvsescn.exe"
"Auto EPSON Stylus C66 Series on judi"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2S1.EXE /P36 \"Auto EPSON Stylus C66 Series on judi\" /O12 \"\\\\JUDI\\Epson\" /M \"Stylus C66\""
"MPFExe"="C:\\Program Files\\mcafee.com\\personal firewall\\MPfTray.exe"
"HostManager"="C:\\Program Files\\Common Files\\AOL\\1133585381\\ee\\AOLSoftware.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"ixfivgg.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ixfivgg.dll,fivplce"
"aduoswl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\aduoswl.dll,iihnsh"
"llcljnl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\llcljnl.dll,gnhurwd"
"NWEReboot"=""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"InCD"="C:\\Program Files\\Nero\\Nero 7\\InCD\\InCD.exe"
"asxgtee.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\asxgtee.dll,vjyuxvd"
"vrpjlwl.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\vrpjlwl.dll,cjhiytd"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"gjzcygd.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\gjzcygd.dll,vvjante"
"zqxdreb.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\zqxdreb.dll,wviaqgb"
"AOLSPScheduler"="C:\\Program Files\\Common Files\\AOL\\1133585381\\ee\\services\\safetyCore\\ver2_5_4_1\\AOLSP Scheduler.exe"
"sscRun"="C:\\Program Files\\Common Files\\AOL\\1133585381\\ee\\SSCRun.exe"
"ghyklvm.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\ghyklvm.dll,zmtsglb"
"gipvamn.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\gipvamn.dll,mmkwvrd"
"sckojod.dll"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\sckojod.dll,xuqdex"
"VSOCheckTask"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcmnhdlr.exe\" /checktask"
"VirusScan Online"="\"c:\\PROGRA~1\\mcafee.com\\vso\\mcvsshld.exe\""
"MCAgentExe"="c:\\PROGRA~1\\mcafee.com\\agent\\mcagent.exe"
"MCUpdateExe"="C:\\PROGRA~1\\mcafee.com\\agent\\McUpdate.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoDrives"=dword:00000000
"NoViewOnDrive"=dword:00000000
"NoDriveAutoRun"=hex:ff,ff,ff,03

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoCDBurning"=dword:00000001
"BackupNoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\run]

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
"item"="Adobe Reader Speed Launch"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office10\\OSA.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ANIWZCS2Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WZCSLDR2"
"hkey"="HKLM"
"command"="C:\\Program Files\\ANI\\ANIWZCS2 Service\\WZCSLDR2.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AOL Fast Start]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOL"
"hkey"="HKCU"
"command"="\"C:\\PROGRA~1\\AMERIC~1.0\\AOL.EXE\" -b"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AOLDialer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLDial"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\AOLSPScheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSP Scheduler"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1133585381\\ee\\services\\sscAntiSpywarePlugin\\ver1_10_3_1\\AOLSP Scheduler.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\EPSON Stylus C66 Series]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="E_S4I2S1"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\spool\\DRIVERS\\W32X86\\3\\E_S4I2S1.EXE /P23 \"EPSON Stylus C66 Series\" /O5 \"LPT1:\" /M \"Stylus C66\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLSoftware"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1133585381\\ee\\AOLSoftware.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\sscRun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SSCRun"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1133585381\\ee\\services\\sscFirewallPlugin\\ver1_10_3_1\\SSCRun.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtsqpn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmkhf

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\McAfee.com Update Check (LAURI-Lauri Friedman).job

Completion time: Mon 10/02/2006 19:49:28.48
ComboFix.txt
ComboFix2.txt


Panda

Incident Status Location

Adware:adware/commandertoolbar Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/ipbill Not disinfected Windows Registry
Potentially unwanted tool:application/zango Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{8FCDF9D9-A28B-480F-8C3D-581F119A8AB8}
Spyware:spyware/media-motor Not disinfected Windows Registry
Potentially unwanted tool:application/funweb Not disinfected HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB}
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@2o7[1].txt
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@ad.yieldmanager[1].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@as-us.falkag[1].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@atwola[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@belnk[1].txt
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@c.enhance[1].txt
Spyware:Cookie/Cgi-bin Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@cgi-bin[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@com[1].txt
Spyware:Cookie/did-it Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@did-it[1].txt
Spyware:Cookie/Belnk Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@dist.belnk[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@drivecleaner[2].txt
Spyware:Cookie/Malwarewipe Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@malwarewipe[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@microsoftwga.112.2o7[1].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@stats.drivecleaner[2].txt
Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@stats1.reliablestats[1].txt
Spyware:Cookie/Target Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@target[2].txt
Spyware:Cookie/DriveCleaner Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@www.drivecleaner[1].txt
Spyware:Cookie/Yadro Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@yadro[2].txt
Spyware:Cookie/Zedo Not disinfected C:\Documents and Settings\Lauri Friedman\Cookies\lauri friedman@zedo[2].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Lauri Friedman\Desktop\SmitfraudFix\SmitfraudFix\Process.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\fccbxvt.dll
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe

Hijack this

Logfile of HijackThis v1.99.1
Scan saved at 8:24:06 PM, on 10/2/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Common Files\AOL\1133585381\ee\services\safetyCore\ver2_5_4_1\aolavupd.exe
C:\WINDOWS\system32\E_S00RP1.EXE
C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
C:\Program Files\Common Files\AOL\1133585381\ee\AOLSoftware.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\mcafee.com\personal firewall\MPFService.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\AOL\1133585381\ee\services\safetyCore\ver2_5_4_1\AOLSP Scheduler.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\mcafee.com\vso\mcvsshld.exe
C:\PROGRA~1\mcafee.com\agent\mcagent.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE
C:\PROGRA~1\MICROS~3\wcescomm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\AMERIC~1.0\waol.exe
C:\WINDOWS\system32\SAgent4.exe
C:\Program Files\Common Files\AOL\1133585381\ee\aolsoftware.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\system32\WgaTray.exe
C:\WINDOWS\system32\devldr32.exe
C:\PROGRA~1\AMERIC~1.0\shellmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\AOL\1133585381\ee\SSCEvtHdlr.exe
C:\Documents and Settings\Lauri Friedman\Desktop\Hijack This\Smiley!RU.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://clienturls.aol.com/safety/us/main/tellmemore
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {44D21278-3586-87D8-CC58-0B815CF89524} - C:\WINDOWS\system32\xixoodd.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O2 - BHO: {92E1B3F7-0546-421E-9835-904D25B7BA66} - {C4F147D7-BF25-488E-A12B-EFD43E7029BF} - C:\WINDOWS\system32\winvbie.dll (file missing)
O4 - HKLM\..\Run: [D-Link AirPlus G] C:\Program Files\D-Link\AirPlus G\AirGCFG.exe
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [EmailScan] C:\Program Files\mcafee.com\antivirus\mcvsescn.exe
O4 - HKLM\..\Run: [Auto EPSON Stylus C66 Series on judi] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P36 "Auto EPSON Stylus C66 Series on judi" /O12 "\\JUDI\Epson" /M "Stylus C66"
O4 - HKLM\..\Run: [MPFExe] C:\Program Files\mcafee.com\personal firewall\MPfTray.exe
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1133585381\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ixfivgg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ixfivgg.dll,fivplce
O4 - HKLM\..\Run: [aduoswl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\aduoswl.dll,iihnsh
O4 - HKLM\..\Run: [llcljnl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\llcljnl.dll,gnhurwd
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [asxgtee.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\asxgtee.dll,vjyuxvd
O4 - HKLM\..\Run: [vrpjlwl.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\vrpjlwl.dll,cjhiytd
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [gjzcygd.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gjzcygd.dll,vvjante
O4 - HKLM\..\Run: [zqxdreb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zqxdreb.dll,wviaqgb
O4 - HKLM\..\Run: [AOLSPScheduler] C:\Program Files\Common Files\AOL\1133585381\ee\services\safetyCore\ver2_5_4_1\AOLSP Scheduler.exe
O4 - HKLM\..\Run: [sscRun] C:\Program Files\Common Files\AOL\1133585381\ee\SSCRun.exe
O4 - HKLM\..\Run: [ghyklvm.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ghyklvm.dll,zmtsglb
O4 - HKLM\..\Run: [gipvamn.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\gipvamn.dll,mmkwvrd
O4 - HKLM\..\Run: [sckojod.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\sckojod.dll,xuqdex
O4 - HKLM\..\Run: [VSOCheckTask] "c:\PROGRA~1\mcafee.com\vso\mcmnhdlr.exe" /checktask
O4 - HKLM\..\Run: [VirusScan Online] "c:\PROGRA~1\mcafee.com\vso\mcvsshld.exe"
O4 - HKLM\..\Run: [MCAgentExe] c:\PROGRA~1\mcafee.com\agent\mcagent.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\mcafee.com\agent\McUpdate.exe
O4 - HKCU\..\Run: [\\judi\EPSON Stylus C66 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S4I2S1.EXE /P30 "\\judi\EPSON Stylus C66 Series" /M "Stylus C66" /EF "HKCU"
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\PROGRA~1\MICROS~3\wcescomm.exe"
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [AOL Fast Start] "C:\PROGRA~1\AMERIC~1.0\AOL.EXE" -b
O8 - Extra context menu item: &AOL Toolbar search - res://C:\Program Files\AOL Toolbar\toolbar.dll/SEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4ED9DDF0-7479-4BBE-9335-5A1EDB1D8A21} (McAfee.com Operating System Class) - https://objects.aol.com/mcafee/molbin/shared/mcinsctl/en-us/4,0,0,83/mcinsctl.cab
O16 - DPF: {5F0C30E4-1E72-4DCC-85E5-57810F1CA97B} (McUpdatePortalFactory Class) - http://amiuptodate.mcafee.com/vsc/bin/1,0,1,0/McUpdatePortal.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {BCC0FF27-31D9-4614-A68E-C18E1ADA4389} (DwnldGroupMgr Class) - https://objects.aol.com/mcafee/molbin/shared/mcgdmgr/en-us/1,0,0,20/McGDMgr.cab
O20 - Winlogon Notify: awtsqpn - awtsqpn.dll (file missing)
O20 - Winlogon Notify: nnnmkhf - nnnmkhf.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: AOL Antivirus Update Service (aolavupd) - AOL LLC - C:\Program Files\Common Files\AOL\1133585381\ee\services\safetyCore\ver2_5_4_1\aolavupd.exe
O23 - Service: EPSON V3 Service2(03) (EPSON_PM_RPCV2_01) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\E_S00RP1.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
O23 - Service: McAfee SecurityCenter Update Manager (mcupdmgr.exe) - Networks Associates Technology, Inc - C:\PROGRA~1\McAfee.com\Agent\mcupdmgr.exe
O23 - Service: McAfee.com VirusScan Online Realtime Engine (MCVSRte) - Networks Associates Technology, Inc - c:\PROGRA~1\mcafee.com\vso\mcvsrte.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee Corporation - C:\Program Files\mcafee.com\personal firewall\MPFService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Epson Printer Status Agent4 (StatusAgent4) - SEIKO EPSON CORPORATION - C:\WINDOWS\system32\SAgent4.exe
Smiley!RU is offline  
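As an added triage example (not part of the original post, and not HijackThis or the forum's own tooling): the log above shows three patterns an analyst looks for first. Several O4 Run entries launch rundll32.exe on a DLL in system32 whose file name and export are short random letter strings (ixfivgg.dll,fivplce; zqxdreb.dll,wviaqgb and so on), two O20 Winlogon Notify packages and two O2 BHOs point at files that are already "(file missing)", while the McAfee, AOL, Epson and Nero entries are ordinary vendor software. The script below parses lines in HijackThis v1.99.1 format and flags exactly those patterns. The sample input is copied from the log; the random-name regex and the list of default Winlogon Notify packages are assumptions of this example, not HijackThis rules.

```python
import re

# Sample HijackThis v1.99.1 lines copied from the log above and embedded here as
# constructed inline input so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {a43385f0-7113-496d-96d7-b9b550e3fcca} - C:\WINDOWS\system32\ixt0.dll (file missing)
O4 - HKLM\..\Run: [OASClnt] C:\Program Files\mcafee.com\antivirus\oasclnt.exe
O4 - HKLM\..\Run: [ixfivgg.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\ixfivgg.dll,fivplce
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [zqxdreb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\zqxdreb.dll,wviaqgb
O20 - Winlogon Notify: awtsqpn - awtsqpn.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: McAfee McShield (McShield) - McAfee Inc. - C:\PROGRA~1\mcafee.com\ANTIVI~1\mcshield.exe
"""

# O4: "[entry name] command line"
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.+)$")
# rundll32 command: "<dll path>,<export name>" (quotes around the path optional)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+?)"?,(?P<export>\S+)',
                       re.IGNORECASE)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
O2_RE = re.compile(r"^O2 - BHO: .+? - \{[0-9A-Fa-f-]+\} - (?P<path>.+)$")

# Heuristic tuned to the pattern in this log (an assumption of this example, not a
# HijackThis rule): a short, all-lowercase, letters-only DLL stem paired with an
# equally random-looking export name. Vendor entries such as NvCpl.dll,NvStartup
# use mixed case or real words and do not match.
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}$")

# Winlogon Notify packages that ship with Windows XP SP2, plus WGA's WgaLogon
# (assumed default list for this example; extend it for your own baseline).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
                "sclgntfy", "SensLogn", "termsrv", "wlballoon", "WgaLogon"}


def dll_stem(path):
    """Return the file name without directory and without a .dll suffix."""
    name = path.rsplit("\\", 1)[-1]
    return name[:-4] if name.lower().endswith(".dll") else name


def triage(log_text):
    """Return a list of suspicious entries, one dict per finding."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        missing = "(file missing)" in line

        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group("cmd"))
            if (r and RANDOM_NAME_RE.match(dll_stem(r.group("dll")))
                    and RANDOM_NAME_RE.match(r.group("export"))):
                findings.append({"section": "O4", "name": m.group("name"),
                                 "path": r.group("dll"),
                                 "reason": "rundll32 loads random-named export "
                                           + r.group("export")})
            continue

        m = O20_RE.match(line)
        if m:
            if missing or m.group("name") not in KNOWN_NOTIFY:
                findings.append({"section": "O20", "name": m.group("name"),
                                 "path": m.group("path"),
                                 "reason": ("orphaned Winlogon Notify package" if missing
                                            else "non-default Winlogon Notify package")})
            continue

        m = O2_RE.match(line)
        if m and missing:
            path = m.group("path").replace("(file missing)", "").strip()
            findings.append({"section": "O2", "name": path.rsplit("\\", 1)[-1],
                             "path": path, "reason": "orphaned BHO registration"})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['section']:<4}{f['name']:<14}{f['reason']}")
```

Run against the sample it reports ixt0.dll, ixfivgg.dll, zqxdreb.dll and awtsqpn and stays quiet on the McAfee, Nero and WgaLogon lines. The "(file missing)" entries are worth fixing even though the DLL is gone: Winlogon Notify and BHO registrations are reloaded at every logon or browser start, so a dropper that later restores the file gets its persistence back for free.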
Old 10-03-2006, 07:32 PM   #5 (permalink)
fredmh
Analyst, Security Team; TSF Supporter
Join Date: May 2006
Location: Phila, Pa
Posts: 2,335
OS: XP

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding.
Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.



IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

----------------------------------------

We got rid of some junk, but there's a lot remaining

----------------------------------------

DOWNLOADS


AVG Anti-Spyware 7.5

Please download AVG Anti-Spyware 7.5
  1. Install AVG Anti-Spyware 7.5.
  2. Double-click the icon on Desktop to launch AVG A-S 7.5
  3. On the top of the main screen click Shield
  4. Click the word active to change it to inactive
  5. On the top of the main screen click Update.
  6. Then click on Start Update. The update will start and a progress bar will show the upda