Old 04-14-2007, 03:50 AM   #1 (permalink)
Registered User
 
Join Date: Jan 2005
Location: Australia
Posts: 115
OS: XP


ToolBar 888 please help

Logfile of HijackThis v1.99.1
Scan saved at 7:32:51 PM, on 14/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Common Files\{BC7F2F42-0C81-3081-0123-06040513003d}\Update.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\HJT\filo.exe.exe
C:\Program Files\Mozilla Firefox\firefox.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\system32\sodxrwgl.dll (file missing)
O2 - BHO: (no name) - {A2A61D92-555E-4E4D-A877-DE105D95AB90} - C:\WINDOWS\system32\tuvwwuu.dll
O2 - BHO: (no name) - {A2C813E5-6B72-46E7-B4BB-5485189B66A0} - C:\WINDOWS\system32\pmcnwabd.dll
O2 - BHO: (no name) - {AF6A3594-6F0E-4117-9803-2D512AE3777F} - C:\WINDOWS\system32\pmnno.dll (file missing)
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C7F2F42-0C81-3081-0123-06040513003d}\Bar888.dll
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
O2 - BHO: (no name) - {F24EC7B4-A76B-4AC5-8FB8-F291A1E33B23} - C:\WINDOWS\system32\mljge.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C7F2F42-0C81-3081-0123-06040513003d}\Bar888.dll
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [VrProxyc] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
O4 - HKLM\..\Run: [VrProxyd] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
O4 - HKLM\..\Run: [VrBootScan] C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: mljge - C:\WINDOWS\system32\mljge.dll
O20 - Winlogon Notify: tuvwwuu - C:\WINDOWS\SYSTEM32\tuvwwuu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
Old 04-14-2007, 05:40 AM   #2 (permalink)
Registered User
 
Join Date: Jan 2005
Location: Australia
Posts: 115
OS: XP


Re: ToolBar 888 please help

I did get rid of everything but all came back when son opened up MSN again. This seems to be where the issue is coming from. Update of log as I may have changed some things.

Logfile of HijackThis v1.99.1
Scan saved at 9:35:33 PM, on 14/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\Common Files\{BC7F2F42-0C81-3081-0123-06040513003d}\Update.exe
C:\Program Files\XoftSpy\XoftSpy.exe
C:\Program Files\HJT\filo.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {78FC2CDD-1355-4F80-AD4A-96FF5577EEEE} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C7F2F42-0C81-3081-0123-06040513003d}\Bar888.dll
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C7F2F42-0C81-3081-0123-06040513003d}\Bar888.dll
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [VrProxyc] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
O4 - HKLM\..\Run: [VrProxyd] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
O4 - HKLM\..\Run: [VrBootScan] C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\wjraeegh.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: hggeecd - C:\WINDOWS\SYSTEM32\hggeecd.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000904 (file missing)
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
Old 04-14-2007, 10:05 PM   #3 (permalink)
Analyst, Security Team; Assistant Rangemaster, TSF Academy
 
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: ToolBar 888 please help

Hi pearcedg,

Welcome to Tech Support Forum!

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

OK, here’s what we do first.

Please download VundoFix.exe by Atribune and save it to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click YES, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HijackThis log.

NOTE: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot. Run VundoFix and scan for Vundo as many times as necessary until VundoFix says "No infected files were found".


NEXT:

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

Please download SDFix by AndyManchesta and save it to your desktop.

Double-click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix).

Please then reboot your computer into Safe Mode by doing the following:
  • Restart your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, tap the F8 key continually.
  • Instead of Windows loading as normal, a menu with options should appear.
  • Select the first option, to run Windows in "Safe Mode", then press "Enter".
  • Choose your usual account.


Once in Safe Mode, please do the following:
  • Open the extracted folder and double-click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found, then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process, then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).
  • Finally, copy and paste the contents of the results file Report.txt back onto the forum along with a new HijackThis log.


NEXT:

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {78FC2CDD-1355-4F80-AD4A-96FF5577EEEE} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C7F2F42-0C81-3081-0123-06040513003d}\Bar888.dll
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C7F2F42-0C81-3081-0123-06040513003d}\Bar888.dll
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\wjraeegh.dll",setvm
O20 - Winlogon Notify: hggeecd - C:\WINDOWS\SYSTEM32\hggeecd.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000904 (file missing)



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

Please go to Start -> Run and type (or copy and paste) the following lines in the Open field, ONE AT A TIME, then click OK:

sc stop "Client IP-IPX"

sc delete "Client IP-IPX"



NEXT:

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\WINDOWS\system32\jkhfc.dll
    C:\WINDOWS\system32\wjraeegh.dll
    C:\WINDOWS\SYSTEM32\hggeecd.dll
    C:\WINDOWS\system32\jkhfc.dll
    C:\WINDOWS\system32\svchosts.exe
    C:\PROGRA~1\COMMON~1\{3C7F2F42-0C81-3081-0123-06040513003d}
    C:\Program Files\Common Files\{BC7F2F42-0C81-3081-0123-06040513003d}


  • Return to OTMoveIt, right-click on the Paste List of Files/Folders to be Moved window and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything in the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
  • Close OTMoveIt.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. After reboot, please run OTMoveIt again, follow the directions as above, and post the Results report for me to see.


NEXT:

Please download ComboFix by sUBs:

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.
  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


NEXT:

Please REBOOT your computer normally into Windows and post these logs in your next reply:
  1. The log from the VundoFix scan.
  2. The log from the SDFix scan.
  3. The results report from OTMoveIt.
  4. The log from the ComboFix scan.
  5. A new HijackThis log.

How are things running now? Please let me know of any problems that still persist.
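Added example, not part of the original thread or of any tool named in it: the checks the helper applies by eye to the second HijackThis log, written as rules over the log's line format. The sample lines are copied from that log; the rule set, the function names and the Notify allowlist (two Notify names from this thread's logs that are not on the helper's fix list) are assumptions made for illustration.

```python
import re
from typing import NamedTuple

# Subset of the second HijackThis log posted in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {78FC2CDD-1355-4F80-AD4A-96FF5577EEEE} - C:\WINDOWS\system32\jkhfc.dll
O2 - BHO: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C7F2F42-0C81-3081-0123-06040513003d}\Bar888.dll
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
O3 - Toolbar: Bar888 - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{3C7F2F42-0C81-3081-0123-06040513003d}\Bar888.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\wjraeegh.dll",setvm
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: hggeecd - C:\WINDOWS\SYSTEM32\hggeecd.dll
O20 - Winlogon Notify: jkhfc - C:\WINDOWS\system32\jkhfc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000904 (file missing)
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
"""

# Assumption: Notify names a reviewer has already vetted. Here it holds only
# the two names from this thread that are not on the helper's fix list.
NOTIFY_ALLOWLIST = frozenset({"wgalogon", "wrnotifier"})

ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.+)$")          # "O2 - <body>"
DLL_RE = re.compile(r"\\([^\\\"]+\.dll)", re.I)             # DLL file name
SYSTEM32_DLL_RE = re.compile(r"\\windows\\system32\\[^\\]+\.dll", re.I)
GUID_DIR_RE = re.compile(r"\\\{[0-9A-Fa-f-]{36}\}\\")       # \{GUID}\ in a path
NOTIFY_RE = re.compile(r"^Winlogon Notify: (\S+) - ")
RUNDLL_RE = re.compile(r"\]\s*rundll32\.exe\s", re.I)


class Entry(NamedTuple):
    code: str   # section code, e.g. "O2", "O20", "O23"
    body: str   # everything after "<code> - "


def parse(log_text):
    """Return the section entries of a HijackThis log, skipping other lines."""
    entries = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def dll_name(body):
    m = DLL_RE.search(body)
    return m.group(1).lower() if m else None


def review(entries, notify_allowlist=NOTIFY_ALLOWLIST):
    """Return [(entry, [reasons])] for entries that need a closer look."""
    bho_dlls = {dll_name(e.body) for e in entries if e.code == "O2"} - {None}
    findings = []
    for e in entries:
        reasons = []
        if (e.code == "O2" and e.body.startswith("BHO: (no name)")
                and SYSTEM32_DLL_RE.search(e.body)):
            reasons.append("unnamed BHO loading a DLL from system32")
        if e.code in ("O2", "O3") and GUID_DIR_RE.search(e.body):
            reasons.append("component stored in a GUID-named directory")
        if e.code == "O4" and RUNDLL_RE.search(e.body):
            reasons.append("Run key starts a DLL through rundll32.exe")
        if e.code == "O20":
            m = NOTIFY_RE.match(e.body)
            if m and m.group(1).lower() not in notify_allowlist:
                reasons.append("Winlogon Notify package not on the allowlist")
                if dll_name(e.body) in bho_dlls:
                    reasons.append("same DLL is also registered as a BHO")
        if e.code == "O23" and ("Unknown owner" in e.body
                                or "(file missing)" in e.body):
            reasons.append("service with unknown owner or missing binary")
        if reasons:
            findings.append((e, reasons))
    return findings


if __name__ == "__main__":
    for entry, reasons in review(parse(SAMPLE_LOG)):
        print(f"{entry.code} - {entry.body}")
        for reason in reasons:
            print(f"    {reason}")
```

On this sample the rules select the same seven entries the helper asks to have ticked; on any other machine the allowlist and rules would need a reviewer's judgment before anything is fixed.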
Old 04-15-2007, 12:25 AM   #4 (permalink)
Registered User
 
Join Date: Jan 2005
Location: Australia
Posts: 115
OS: XP


Re: ToolBar 888 please help

Followed all instructions. OTMoveIt run 5 times but all times said had to reboot, unsure of this. Looks like HijackThis did not remove things also. Getting IE pop-ups and don't even use IE, always run Mozilla Firefox.


Well, here are the requests anyway.

Logfile of HijackThis v1.99.1
Scan saved at 4:20:38 PM, on 15/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\notepad.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\HJT\filo.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.altavista.com/
O2 - BHO: Farstone Url Blocker - {316AEF8D-3C37-423E-9E6E-13820A9DC37A} - C:\PROGRA~1\PCSECU~1\THESHI~1\IrlOnIE.dll
O2 - BHO: SpywareGuardDLBLOCK.CBrowserHelper - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {6079AE10-18D6-404A-BA70-D9E2E72AA638} - C:\WINDOWS\system32\awvtq.dll (file missing)
O2 - BHO: (no name) - {7D0C53B8-464E-4B24-96ED-E46C17EE610A} - C:\WINDOWS\system32\awtqo.dll
O2 - BHO: (no name) - {A2A61D92-555E-4E4D-A877-DE105D95AB90} - C:\WINDOWS\system32\hggeecd.dll
O2 - BHO: Farstone Popup Blocker - {E22F9B9D-1A1F-473E-BED6-D8BC152441F4} - C:\PROGRA~1\PCSECU~1\THESHI~1\FARPOP~1.DLL
O4 - HKLM\..\Run: [VrSchedule] C:\Program Files\PCSecurityShield\ShieldAntivirus\Vrres.exe
O4 - HKLM\..\Run: [dwStart] C:\Program Files\PCSecurityShield\The Shield Firewall\FireWall.exe
O4 - HKLM\..\Run: [VrProxyc] "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyc.exe"
O4 - HKLM\..\Run: [VrProxyd] "C:\Program Files\PCSecurityShield\ShieldAntivirus\vrproxyd.exe"
O4 - HKLM\..\Run: [VrBootScan] "C:\Program Files\PCSecurityShield\ShieldAntivirus\VRBScan.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Vrmon] C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonnt.exe Main
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\mthrqcpw.dll",setvm
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {9D190AE6-C81E-4039-8061-978EBAD10073} (F-Secure Online Scanner 3.0) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {B1826A9F-4AA0-4510-BA77-9013E74E4B9B} - http://www.trendmicro.com/spyware-scan/as4web.cab
O17 - HKLM\System\CS1\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CS2\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O17 - HKLM\System\CCS\Services\VxD\MSTCP: SearchList = qld.bigpond.net.au
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll
O20 - Winlogon Notify: awvtq - C:\WINDOWS\system32\awvtq.dll (file missing)
O20 - Winlogon Notify: hggeecd - C:\WINDOWS\SYSTEM32\hggeecd.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ViRobot Expert Monitoring (vrmonsvc) - HAURI - C:\Program Files\PCSecurityShield\ShieldAntivirus\vrmonsvc.exe

File/Folder C:\WINDOWS\system32\jkhfc.dll not found.
File/Folder C:\WINDOWS\system32\wjraeegh.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\SYSTEM32\hggeecd.dll
C:\WINDOWS\SYSTEM32\hggeecd.dll NOT unregistered.
File move failed. C:\WINDOWS\SYSTEM32\hggeecd.dll scheduled to be moved on reboot.
File/Folder C:\WINDOWS\system32\jkhfc.dll not found.
File/Folder C:\WINDOWS\system32\svchosts.exe not found.
File/Folder C:\PROGRA~1\COMMON~1\{3C7F2F42-0C81-3081-0123-06040513003d} not found.
File/Folder C:\Program Files\Common Files\{BC7F2F42-0C81-3081-0123-06040513003d} not found.

Created on 04-15-2007 15:53:15

"HP_Owner" - 07-04-15 15:54:41 Service Pack 2
ComboFix 07-04-05.Rev3 - Running from: "C:\Documents and Settings\HP_Owner\Desktop"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


"C:\WINDOWS\system32\awvtq.dll"


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\Common Files\Yazzle1122OinAdmin.exe
C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe
C:\WINDOWS\DOWNLO~1.\rave\avirexe.vdm
C:\WINDOWS\DOWNLO~1.\rave\avirscr.vdm
C:\WINDOWS\DOWNLO~1.\rave\base.vdm
C:\WINDOWS\DOWNLO~1.\rave\daily.vdm
C:\WINDOWS\DOWNLO~1.\rave\daily.vdt
C:\WINDOWS\DOWNLO~1.\rave\filters.vdm
C:\WINDOWS\DOWNLO~1.\rave\kernel.vdk
C:\WINDOWS\DOWNLO~1.\rave\keyring.vdk
C:\WINDOWS\DOWNLO~1.\rave\mapi_vdm.vdm
C:\WINDOWS\DOWNLO~1.\rave\modules.vdk
C:\WINDOWS\DOWNLO~1.\rave\rav8def.vdm
C:\WINDOWS\DOWNLO~1.\rave\rufs.vdm
C:\WINDOWS\DOWNLO~1.\rave\rufsplg.vdm
C:\WINDOWS\DOWNLO~1.\rave\unarch.vdm
C:\WINDOWS\DOWNLO~1.\rave\unmail.vdm
C:\WINDOWS\DOWNLO~1.\rave\unpack.vdm
C:\Program Files\install.log
C:\WINDOWS\system32\jkkjh.dll
C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\sstqp.dll
C:\Program Files\inetget2
C:\WINDOWS\DOWNLO~1.\rave
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\HP_Owner
C:\qoobox\purity\DOCUME~1\HP_Owner\APPLIC~1
C:\qoobox\purity\DOCUME~1\HP_Owner\APPLIC~1\from.txt


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\Client IP-IPX
-------\LEGACY_CLIENT_IP-IPX


((((((((((((((((((((((((((((((( Files Created from 2007-03-15 to 2007-04-15 ))))))))))))))))))))))))))))))))))


2007-04-17 02:53 26,694 --a------ C:\WINDOWS\system32\ljjgdeb.dll
2007-04-17 01:33 26,694 --a------ C:\WINDOWS\system32\khfeede.dll
2007-04-17 00:28 26,694 --a------ C:\WINDOWS\system32\hggddca.dll
2007-04-17 00:27 <DIR> d-------- C:\WINDOWS\??crosoft.NET
2007-04-17 00:20 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?icrosoft.NET
2007-04-17 00:18 <DIR> d-------- C:\WINDOWS\system32\?ystem32
2007-04-17 00:13 <DIR> d-------- C:\WINDOWS\system32\?ymbols
2007-04-17 00:13 <DIR> d-------- C:\WINDOWS\system32\?icrosoft.NET
2007-04-17 00:13 <DIR> d-------- C:\WINDOWS\system32\??pPatch
2007-04-17 00:12 <DIR> d-------- C:\WINDOWS\system32\??sembly
2007-04-17 00:11 <DIR> d-------- C:\Program Files\Common Files\??sks
2007-04-17 00:11 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ystem
2007-04-17 00:10 <DIR> d-------- C:\WINDOWS\system32\??crosoft.NET
2007-04-17 00:10 <DIR> d-------- C:\WINDOWS\s?curity
2007-04-17 00:10 <DIR> d-------- C:\Program Files\Common Files\M?crosoft.NET
2007-04-17 00:10 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\M?crosoft.NET
2007-04-17 00:10 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??sks
2007-04-17 00:09 <DIR> d-------- C:\Program Files\?ppPatch
2007-04-17 00:08 <DIR> d-------- C:\WINDOWS\system32\s?stem32
2007-04-17 00:08 <DIR> d-------- C:\WINDOWS\system32\??crosoft
2007-04-17 00:08 <DIR> d-------- C:\WINDOWS\?racle
2007-04-17 00:08 <DIR> d-------- C:\Program Files\?ystem32
2007-04-17 00:07 <DIR> d-------- C:\WINDOWS\??crosoft.NET
2007-04-17 00:07 <DIR> d-------- C:\WINDOWS\??crosoft
2007-04-17 00:07 <DIR> d-------- C:\Program Files\Common Files\?ssembly
2007-04-17 00:07 <DIR> d-------- C:\Program Files\Common Files\?ecurity
2007-04-17 00:07 <DIR> d-------- C:\Program Files\Common Files\?asks
2007-04-17 00:07 <DIR> d-------- C:\Program Files\??pPatch
2007-04-17 00:07 <DIR> d-------- C:\Program Files\??crosoft.NET
2007-04-17 00:07 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ppPatch
2007-04-17 00:07 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?icrosoft
2007-04-17 00:07 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??mantec
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\T?sks
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\system32\s?stem
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\system32\?ssembly
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\system32\?ppPatch
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\system32\??stem32
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\system32\??sks
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\system32\??crosoft
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\s?stem
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\?icrosoft.NET
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\?icrosoft
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\??stem32
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\??sks
2007-04-17 00:06 <DIR> d-------- C:\WINDOWS\??crosoft
2007-04-17 00:06 <DIR> d-------- C:\Program Files\F?nts
2007-04-17 00:06 <DIR> d-------- C:\Program Files\?icrosoft
2007-04-17 00:06 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??sks
2007-04-17 00:05 <DIR> d-------- C:\WINDOWS\system32\a?sembly
2007-04-17 00:05 <DIR> d-------- C:\WINDOWS\S?mantec
2007-04-17 00:05 <DIR> d-------- C:\WINDOWS\M?crosoft
2007-04-17 00:05 <DIR> d-------- C:\WINDOWS\a?sembly
2007-04-17 00:05 <DIR> d-------- C:\WINDOWS\?ystem32
2007-04-17 00:05 <DIR> d-------- C:\WINDOWS\?ppPatch
2007-04-17 00:05 <DIR> d-------- C:\WINDOWS\?icrosoft
2007-04-17 00:05 <DIR> d-------- C:\WINDOWS\??stem
2007-04-17 00:05 <DIR> d-------- C:\WINDOWS\??pPatch
2007-04-17 00:05 <DIR> d-------- C:\Program Files\M?crosoft.NET
2007-04-17 00:05 <DIR> d-------- C:\Program Files\Common Files\s?stem
2007-04-17 00:05 <DIR> d-------- C:\Program Files\Common Files\S?mantec
2007-04-17 00:05 <DIR> d-------- C:\Program Files\Common Files\?icrosoft
2007-04-17 00:05 <DIR> d-------- C:\Program Files\Common Files\?icrosoft
2007-04-17 00:05 <DIR> d-------- C:\Program Files\Common Files\??pPatch
2007-04-17 00:05 <DIR> d-------- C:\Program Files\Common Files\??curity
2007-04-17 00:05 <DIR> d-------- C:\Program Files\?ystem
2007-04-17 00:05 <DIR> d-------- C:\Program Files\?asks
2007-04-17 00:05 <DIR> d-------- C:\Program Files\??sks
2007-04-17 00:05 <DIR> d-------- C:\Program Files\??pPatch
2007-04-17 00:05 <DIR> d-------- C:\Program Files\??crosoft
2007-04-17 00:05 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\s?stem
2007-04-17 00:05 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ymbols
2007-04-17 00:04 <DIR> d-------- C:\WINDOWS\W?nSxS
2007-04-17 00:04 <DIR> d-------- C:\WINDOWS\system32\?icrosoft.NET
2007-04-17 00:04 <DIR> d-------- C:\WINDOWS\system32\?asks
2007-04-17 00:04 <DIR> d-------- C:\WINDOWS\system32\??pPatch
2007-04-17 00:04 <DIR> d-------- C:\WINDOWS\system32\??mbols
2007-04-17 00:04 <DIR> d-------- C:\WINDOWS\system32\??crosoft.NET
2007-04-17 00:04 <DIR> d-------- C:\WINDOWS\?ssembly
2007-04-17 00:04 <DIR> d-------- C:\WINDOWS\?dobe
2007-04-17 00:04 <DIR> d-------- C:\Program Files\s?mbols
2007-04-17 00:04 <DIR> d-------- C:\Program Files\Common Files\s?stem32
2007-04-17 00:04 <DIR> d-------- C:\Program Files\Common Files\s?curity
2007-04-17 00:04 <DIR> d-------- C:\Program Files\Common Files\?asks
2007-04-17 00:04 <DIR> d-------- C:\Program Files\Common Files\??stem32
2007-04-17 00:04 <DIR> d-------- C:\Program Files\Common Files\??sembly
2007-04-17 00:04 <DIR> d-------- C:\Program Files\Common Files\??crosoft.NET
2007-04-17 00:04 <DIR> d-------- C:\Program Files\Common Files\??crosoft
2007-04-17 00:04 <DIR> d-------- C:\Program Files\?ssembly
2007-04-17 00:04 <DIR> d-------- C:\Program Files\?racle
2007-04-17 00:04 <DIR> d-------- C:\Program Files\?ecurity
2007-04-17 00:04 <DIR> d-------- C:\Program Files\?dobe
2007-04-17 00:04 <DIR> d-------- C:\Program Files\??sks
2007-04-17 00:04 <DIR> d-------- C:\Program Files\??crosoft
2007-04-17 00:04 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\s?curity
2007-04-17 00:04 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\F?nts
2007-04-17 00:04 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ssembly
2007-04-17 00:04 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?racle
2007-04-17 00:04 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??sembly
2007-04-17 00:04 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??pPatch
2007-04-17 00:04 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??crosoft.NET
2007-04-17 00:03 <DIR> d-------- C:\WINDOWS\system32\T?sks
2007-04-17 00:03 <DIR> d-------- C:\WINDOWS\system32\M?crosoft.NET
2007-04-17 00:03 <DIR> d-------- C:\WINDOWS\system32\A?pPatch
2007-04-17 00:03 <DIR> d-------- C:\WINDOWS\system32\?racle
2007-04-17 00:03 <DIR> d-------- C:\WINDOWS\system32\?icrosoft
2007-04-17 00:03 <DIR> d-------- C:\WINDOWS\system32\?dobe
2007-04-17 00:03 <DIR> d-------- C:\WINDOWS\?ystem
2007-04-17 00:03 <DIR> d-------- C:\WINDOWS\?asks
2007-04-17 00:03 <DIR> d-------- C:\WINDOWS\??sks
2007-04-17 00:03 <DIR> d-------- C:\WINDOWS\??mantec
2007-04-17 00:03 <DIR> d-------- C:\WINDOWS\??curity
2007-04-17 00:03 <DIR> d-------- C:\Program Files\W?nSxS
2007-04-17 00:03 <DIR> d-------- C:\Program Files\s?stem
2007-04-17 00:03 <DIR> d-------- C:\Program Files\Common Files\T?sks
2007-04-17 00:03 <DIR> d-------- C:\Program Files\Common Files\F?nts
2007-04-17 00:03 <DIR> d-------- C:\Program Files\Common Files\?ymbols
2007-04-17 00:03 <DIR> d-------- C:\Program Files\Common Files\?racle
2007-04-17 00:03 <DIR> d-------- C:\Program Files\Common Files\?icrosoft.NET
2007-04-17 00:03 <DIR> d-------- C:\Program Files\Common Files\??stem
2007-04-17 00:03 <DIR> d-------- C:\Program Files\Common Files\??sks
2007-04-17 00:03 <DIR> d-------- C:\Program Files\Common Files\??mantec
2007-04-17 00:03 <DIR> d-------- C:\Program Files\a?sembly
2007-04-17 00:03 <DIR> d-------- C:\Program Files\?racle
2007-04-17 00:03 <DIR> d-------- C:\Program Files\?icrosoft.NET
2007-04-17 00:03 <DIR> d-------- C:\Program Files\?icrosoft
2007-04-17 00:03 <DIR> d-------- C:\Program Files\??stem
2007-04-17 00:03 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\W?nSxS
2007-04-17 00:03 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\M?crosoft
2007-04-17 00:03 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\A?pPatch
2007-04-17 00:03 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ymantec
2007-04-17 00:03 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?dobe
2007-04-17 00:03 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?dobe
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\system32\s?curity
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\system32\M?crosoft
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\system32\F?nts
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\system32\F?nts
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\system32\?ystem
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\system32\?racle
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\system32\?icrosoft
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\system32\?ecurity
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\system32\?dobe
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\system32\?asks
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\system32\??stem
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\system32\??sks
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\M?crosoft.NET
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\F?nts
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\?ymbols
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\?ppPatch
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\?asks
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\??sembly
2007-04-17 00:02 <DIR> d-------- C:\WINDOWS\??pPatch
2007-04-17 00:02 <DIR> d-------- C:\Program Files\T?sks
2007-04-17 00:02 <DIR> d-------- C:\Program Files\s?stem32
2007-04-17 00:02 <DIR> d-------- C:\Program Files\S?mantec
2007-04-17 00:02 <DIR> d-------- C:\Program Files\s?curity
2007-04-17 00:02 <DIR> d-------- C:\Program Files\M?crosoft
2007-04-17 00:02 <DIR> d-------- C:\Program Files\F?nts
2007-04-17 00:02 <DIR> d-------- C:\Program Files\Common Files\a?sembly
2007-04-17 00:02 <DIR> d-------- C:\Program Files\Common Files\A?pPatch
2007-04-17 00:02 <DIR> d-------- C:\Program Files\Common Files\?ystem32
2007-04-17 00:02 <DIR> d-------- C:\Program Files\Common Files\?ystem
2007-04-17 00:02 <DIR> d-------- C:\Program Files\Common Files\?ymantec
2007-04-17 00:02 <DIR> d-------- C:\Program Files\Common Files\?racle
2007-04-17 00:02 <DIR> d-------- C:\Program Files\Common Files\?ppPatch
2007-04-17 00:02 <DIR> d-------- C:\Program Files\Common Files\?icrosoft.NET
2007-04-17 00:02 <DIR> d-------- C:\Program Files\Common Files\??pPatch
2007-04-17 00:02 <DIR> d-------- C:\Program Files\Common Files\??mbols
2007-04-17 00:02 <DIR> d-------- C:\Program Files\Common Files\??crosoft.NET
2007-04-17 00:02 <DIR> d-------- C:\Program Files\A?pPatch
2007-04-17 00:02 <DIR> d-------- C:\Program Files\?ppPatch
2007-04-17 00:02 <DIR> d-------- C:\Program Files\?dobe
2007-04-17 00:02 <DIR> d-------- C:\Program Files\?asks
2007-04-17 00:02 <DIR> d-------- C:\Program Files\??stem32
2007-04-17 00:02 <DIR> d-------- C:\Program Files\??mbols
2007-04-17 00:02 <DIR> d-------- C:\Program Files\??mantec
2007-04-17 00:02 <DIR> d-------- C:\Program Files\??curity
2007-04-17 00:02 <DIR> d-------- C:\Program Files\??crosoft.NET
2007-04-17 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\S?mantec
2007-04-17 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\F?nts
2007-04-17 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\a?sembly
2007-04-17 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ystem32
2007-04-17 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ppPatch
2007-04-17 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?icrosoft.NET
2007-04-17 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ecurity
2007-04-17 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?asks
2007-04-17 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?asks
2007-04-17 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??stem32
2007-04-17 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??crosoft.NET
2007-04-17 00:02 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??crosoft
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\system32\W?nSxS
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\system32\s?mbols
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\system32\?ymantec
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\system32\?ppPatch
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\system32\??curity
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\s?mbols
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\F?nts
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\A?pPatch
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\?ymantec
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\?racle
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\?icrosoft.NET
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\?ecurity
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\?dobe
2007-04-17 00:01 <DIR> d-------- C:\WINDOWS\??mbols
2007-04-17 00:01 <DIR> d-------- C:\Program Files\Common Files\W?nSxS
2007-04-17 00:01 <DIR> d-------- C:\Program Files\Common Files\s?mbols
2007-04-17 00:01 <DIR> d-------- C:\Program Files\Common Files\M?crosoft
2007-04-17 00:01 <DIR> d-------- C:\Program Files\Common Files\F?nts
2007-04-17 00:01 <DIR> d-------- C:\Program Files\Common Files\?ppPatch
2007-04-17 00:01 <DIR> d-------- C:\Program Files\Common Files\?dobe
2007-04-17 00:01 <DIR> d-------- C:\Program Files\Common Files\?dobe
2007-04-17 00:01 <DIR> d-------- C:\Program Files\Common Files\??crosoft
2007-04-17 00:01 <DIR> d-------- C:\Program Files\?ymbols
2007-04-17 00:01 <DIR> d-------- C:\Program Files\?ymantec
2007-04-17 00:01 <DIR> d-------- C:\Program Files\?icrosoft.NET
2007-04-17 00:01 <DIR> d-------- C:\Program Files\??sembly
2007-04-17 00:01 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\T?sks
2007-04-17 00:01 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\s?stem32
2007-04-17 00:01 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\s?mbols
2007-04-17 00:01 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?racle
2007-04-17 00:01 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?icrosoft
2007-04-17 00:01 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??stem
2007-04-17 00:01 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??pPatch
2007-04-17 00:01 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??mbols
2007-04-17 00:01 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??curity
2007-04-17 00:01 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??crosoft
2007-04-16 23:59 26,694 --a------ C:\WINDOWS\system32\mljjged.dll
2007-04-16 23:49 280,676 ---hs---- C:\WINDOWS\system32\jkhhh.dll
2007-04-16 23:06 <DIR> d-------- C:\Program Files\AOL Games
2007-04-16 23:06 <DIR> d-------- C:\games
2007-04-15 14:33 <DIR> d-------- C:\VundoFix Backups
2007-04-15 07:40 14,848 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-04-15 07:40 <DIR> d-------- C:\Program Files\Webroot
2007-04-15 07:40 <DIR> d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\Webroot
2007-04-14 23:08 <DIR> d-------- C:\rename_this_folder_back_to_ComboFix_
2007-04-14 21:58 26,694 --a------ C:\WINDOWS\system32\iifdayy.dll
2007-04-14 21:28 26,694 --a------ C:\WINDOWS\system32\efcccax.dll
2007-04-14 21:18 26,694 --------- C:\WINDOWS\system32\hggeecd.dll
2007-04-14 19:17 26,694 --a------ C:\WINDOWS\system32\gebyyax.dll
2007-04-14 19:15 26,694 --a------ C:\WINDOWS\system32\byxwtqq.dll
2007-04-14 19:14 26,694 --a------ C:\WINDOWS\system32\gebcded.dll
2007-04-14 18:22 26,694 --a------ C:\WINDOWS\system32\opnlmkh.dll
2007-04-14 18:21 26,694 --a------ C:\WINDOWS\system32\mljhghi.dll
2007-04-14 18:19 26,694 --a------ C:\WINDOWS\system32\cbxyawu.dll
2007-04-14 17:32 26,694 --a------ C:\WINDOWS\system32\nnnmmmm.dll
2007-04-14 17:27 514,989 ---hs---- C:\WINDOWS\system32\egjlm.bak1
2007-04-14 17:27 125,460 --a------ C:\WINDOWS\system32\pmcnwabd.dll
2007-04-14 17:26 280,676 ---hs---- C:\WINDOWS\system32\ddcyv.dll
2007-04-13 19:16 514,472 ---hs---- C:\WINDOWS\system32\qqstv.bak1
2007-04-13 09:39 87,146 --a------ C:\smitfrau.reg
2007-04-13 09:39 3,451 --a------ C:\delfiles.cmd
2007-04-13 09:39 16,824 --a------ C:\replace.cmd
2007-04-13 08:04 <DIR> d-------- C:\DOCUME~1\HP_Owner\DoctorWeb
2007-04-12 16:10 26,694 --a------ C:\WINDOWS\system32\jkkjihi.dll
2007-04-12 15:12 2,684 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-12 14:59 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-12 14:59 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-12 14:59 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-12 14:59 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-12 14:59 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-12 14:59 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-12 10:14 26,694 --a------ C:\WINDOWS\system32\urqnljh.dll
2007-04-12 10:11 26,694 --a------ C:\WINDOWS\system32\qomnoop.dll
2007-04-05 14:11 <DIR> d-------- C:\Program Files\iTunes
2007-04-05 14:11 <DIR> d-------- C:\Program Files\iPod
2007-03-29 11:19 5 --ahs---- C:\WINDOWS\system32\eeafbddde_s.dll
2007-03-29 11:07 <DIR> d-------- C:\Program Files\RegCleaner
2007-03-28 17:53 957,952 --a------ C:\WINDOWS\Baby.scr
2007-03-23 16:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
2007-03-23 16:39 <DIR> d-------- C:\Program Files\Superhunter
2007-03-17 00:32 159,744 --a------ C:\WINDOWS\system32\lfpng13n.dll
2007-03-15 12:23 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 12:19 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-17 00:20 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?icrosoft.net
2007-04-17 00:11 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ystem
2007-04-17 00:10 -------- d-------- C:\Program Files\Common Files\??crosoft.net
2007-04-17 00:10 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??crosoft.net
2007-04-17 00:08 -------- d-------- C:\Program Files\?ystem32
2007-04-17 00:07 -------- d-------- C:\Program Files\Common Files\?ssembly
2007-04-17 00:07 -------- d-------- C:\Program Files\Common Files\?ecurity
2007-04-17 00:05 -------- d-------- C:\Program Files\Common Files\?icrosoft
2007-04-17 00:05 -------- d-------- C:\Program Files\Common Files\??mantec
2007-04-17 00:05 -------- d-------- C:\Program Files\?ystem
2007-04-17 00:05 -------- d-------- C:\Program Files\?asks
2007-04-17 00:05 -------- d-------- C:\Program Files\??crosoft.net
2007-04-17 00:05 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ymbols
2007-04-17 00:05 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??stem
2007-04-17 00:04 -------- d-------- C:\Program Files\Common Files\?asks
2007-04-17 00:04 -------- d-------- C:\Program Files\Common Files\??stem32
2007-04-17 00:04 -------- d-------- C:\Program Files\Common Files\??curity
2007-04-17 00:04 -------- d-------- C:\Program Files\?ssembly
2007-04-17 00:04 -------- d-------- C:\Program Files\?racle
2007-04-17 00:04 -------- d-------- C:\Program Files\?racle
2007-04-17 00:04 -------- d-------- C:\Program Files\?ecurity
2007-04-17 00:04 -------- d-------- C:\Program Files\??mbols
2007-04-17 00:04 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ssembly
2007-04-17 00:04 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??curity
2007-04-17 00:03 -------- d-------- C:\Program Files\Common Files\?ymbols
2007-04-17 00:03 -------- d-------- C:\Program Files\Common Files\?racle
2007-04-17 00:03 -------- d-------- C:\Program Files\Common Files\?racle
2007-04-17 00:03 -------- d-------- C:\Program Files\Common Files\?icrosoft.net
2007-04-17 00:03 -------- d-------- C:\Program Files\Common Files\??sks
2007-04-17 00:03 -------- d-------- C:\Program Files\?icrosoft.net
2007-04-17 00:03 -------- d-------- C:\Program Files\?icrosoft
2007-04-17 00:03 -------- d-------- C:\Program Files\??stem
2007-04-17 00:03 -------- d-------- C:\Program Files\??sembly
2007-04-17 00:03 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ymantec
2007-04-17 00:03 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??ppatch
2007-04-17 00:02 -------- d-------- C:\Program Files\Common Files\?ystem32
2007-04-17 00:02 -------- d-------- C:\Program Files\Common Files\?ymantec
2007-04-17 00:02 -------- d-------- C:\Program Files\Common Files\??sembly
2007-04-17 00:02 -------- d-------- C:\Program Files\Common Files\??ppatch
2007-04-17 00:02 -------- d-------- C:\Program Files\?pppatch
2007-04-17 00:02 -------- d-------- C:\Program Files\??stem32
2007-04-17 00:02 -------- d-------- C:\Program Files\??sks
2007-04-17 00:02 -------- d-------- C:\Program Files\??ppatch
2007-04-17 00:02 -------- d-------- C:\Program Files\??mantec
2007-04-17 00:02 -------- d-------- C:\Program Files\??curity
2007-04-17 00:02 -------- d-------- C:\Program Files\??crosoft
2007-04-17 00:02 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ystem32
2007-04-17 00:02 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?pppatch
2007-04-17 00:02 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?ecurity
2007-04-17 00:02 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?asks
2007-04-17 00:02 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??sembly
2007-04-17 00:02 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??mantec
2007-04-17 00:01 -------- d-------- C:\Program Files\Common Files\?pppatch
2007-04-17 00:01 -------- d-------- C:\Program Files\Common Files\??mbols
2007-04-17 00:01 -------- d-------- C:\Program Files\Common Files\??crosoft
2007-04-17 00:01 -------- d-------- C:\Program Files\?ymbols
2007-04-17 00:01 -------- d-------- C:\Program Files\?ymantec
2007-04-17 00:01 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?racle
2007-04-17 00:01 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?racle
2007-04-17 00:01 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??stem32
2007-04-17 00:01 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??sks
2007-04-17 00:01 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??mbols
2007-04-16 23:43 -------- d-------- C:\Program Files\msn messenger
2007-04-15 15:28 -------- d-------- C:\Program Files\hjt
2007-04-14 22:45 -------- d-------- C:\Program Files\msn apps
2007-04-14 22:37 -------- d-------- C:\Program Files\regscrubxp
2007-04-14 17:52 3481664 --a------ C:\WINDOWS\system32\drivers\vrcore.sys
2007-04-13 19:04 -------- d-------- C:\Program Files\spywareblaster
2007-04-13 18:28 -------- d-------- C:\Program Files\xoftspy
2007-04-07 08:36 -------- d-------- C:\Program Files\pcsecurityshield
2007-04-02 10:02 -------- d-------- C:\Program Files\pcrescue4.0
2007-04-02 09:46 -------- d-------- C:\Program Files\inac
2007-04-02 00:36 -------- d-------- C:\Program Files\lexarmedia
2007-04-01 21:21 -------- d--h----- C:\Program Files\installshield installation information
2007-04-01 21:18 67645 --a------ C:\WINDOWS\system32\drivers\pshook11.sys
2007-03-30 21:57 -------- d-------- C:\Program Files\spywareguard
2007-03-21 05:36 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\?icrosoft
2007-03-21 05:36 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\??crosoft
2007-03-17 23:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-17 22:28 -------- d-------- C:\Program Files\epson print cd
2007-03-17 22:28 -------- d-------- C:\Program Files\clean disk security
2007-03-17 20:47 -------- d-------- C:\Program Files\motorola phone tools
2007-03-15 17:04 -------- d-------- C:\Program Files\hp
2007-03-09 01:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-09 01:36 40960 --------- C:\WINDOWS\system32\mf3216.dll
2007-03-09 01:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 23:47 1843584 --------- C:\WINDOWS\system32\win32k.sys
2007-03-08 14:59 -------- d-------- C:\Program Files\quicktime
2007-03-07 22:08 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\inac
2007-03-05 14:29 34 --a------ C:\WINDOWS\system32\rnplf8.dll
2007-03-05 14:13 -------- d-------- C:\Program Files\pointstone
2007-03-05 14:13 -------- d-------- C:\Program Files\Common Files\download manager
2007-03-05 10:51 -------- d-------- C:\Program Files\irfanview
2007-03-03 21:54 -------- d-------- C:\Program Files\uniblue
2007-03-03 21:50 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\uniblue
2007-02-25 06:51 -------- d-------- C:\DOCUME~1\HP_Owner\APPLIC~1\nero
2007-02-24 16:55 223128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-02-24 16:55 -------- d-------- C:\Program Files\alcohol soft
2007-02-24 16:46 -------- d-------- C:\Program Files\nero
2007-02-24 15:35 96256 --a------ C:\WINDOWS\system32\drivers\sptd7677.sys
2007-02-24 15:35 642560 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-02-18 15:25 -------- d-------- C:\Program Files\interactual
2007-02-18 15:02 -------- d-------- C:\Program Files\microsoft windows vista upgrade advisor
2007-02-08 13:58 313 --a------ C:\WINDOWS\option.dat
2007-02-06 06:17 185344 --------- C:\WINDOWS\system32\upnphost.dll
2007-01-19 12:53 51056 --a------ C:\WINDOWS\system32\sirenacm.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"WMPNSCFG"="C:\\Program Files\\Windows Media Player\\WMPNSCFG.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\Disabled]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"VrSchedule"="C:\\Program Files\\PCSecurityShield\\ShieldAntivirus\\Vrres.exe"
"dwStart"="C:\\Program Files\\PCSecurityShield\\The Shield Firewall\\FireWall.exe"
"VrProxyc"="\"C:\\Program Files\\PCSecurityShield\\ShieldAntivirus\\vrproxyc.exe\""
"VrProxyd"="\"C:\\Program Files\\PCSecurityShield\\ShieldAntivirus\\vrproxyd.exe\""
"VrBootScan"="\"C:\\Program Files\\PCSecurityShield\\ShieldAntivirus\\VRBScan.exe\""
"HP Software Update"="\"C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"Vrmon"="C:\\Program Files\\PCSecurityShield\\ShieldAntivirus\\vrmonnt.exe Main"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\Disabled]
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.exe.lnk]
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Adobe\\ACROBA~2.0\\Reader\\reader_sl.exe "
"item"="Adobe Reader Speed Launch"
"backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Digital Imaging Monitor.lnk]
"location"="Common Startup"
"command"="C:\\PROGRA~1\\HP\\DIGITA~1\\bin\\hpqtra08.exe "
"item"="HP Digital Imaging Monitor"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^strings.exe]
"location"="Common Startup"
"item"="strings"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Updates from HP.lnk]
"location"="Common Startup"
"command"="C:\\PROGRA~1\\UPDATE~1\\309731\\Program\\UPDATE~1.EXE -startup"
"item"="Updates from HP"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
"backup"="C:\\WINDOWS\\pss\\WinZip Quick Pick.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\WinZip\\WZQKPICK.EXE "
"item"="WinZip Quick Pick"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^HP_Owner^Start Menu^Programs^Startup^LimeWire On Startup.lnk]
"backup"="C:\\WINDOWS\\pss\\LimeWire On Startup.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\LimeWire\\LimeWire.exe -startup"
"item"="LimeWire On Startup"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="apdproxy"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Photoshop Elements 5.0\\apdproxy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BDSwitchAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bdswitch"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\com.codeode.privacymantra]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="privacymantra"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools-1033]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="daemon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\D-Tools\\daemon.exe\" -lang 1033"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dvd43_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\dvd43\\dvd43_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\New.net Startup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="newdotnet7_22"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002A]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PHIME2002ASync]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TINTSETP"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PrintDrive]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yxuahsva"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\yxuahsva.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegClean Expert Scheduler]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RCHelper"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySweeperUI"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Webroot\\Spy Sweeper\\SpySweeperUI.exe\" /startintray"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SWN2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="swnxt"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Tracks Eraser Pro]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="te"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINCINEMAMGR]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WinRemote"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\InterVideo\\Common\\Bin\\WinRemote.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=dword:00000002
"SNDSrvc"=dword:00000003
"Messenger"=dword:00000002
"SDhelper"=dword:00000002
"IDriverT"=dword:00000003
"WMPNetworkSvc"=dword:00000002
"usnjsvc"=dword:00000003
"StarWindService"=dword:00000002
"idsvc"=dword:00000003
"AdobeActiveFileMonitor5.0"=dword:00000002
"WebrootSpySweeperService"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81559C35-8464-49F7-BB0E-07A383BEF910}"=""
"{A2A61D92-555E-4E4D-A877-DE105D95AB90}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000000
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoToolbarCustomize"=dword:00000000
"NoLowDiskSpaceChecks"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggeecd

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job
C:\WINDOWS\tasks\XoftSpy.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-15 16:13:51
C:\ComboFix-quarantined-files.txt ... 07-04-15 16:13
C:\ComboFix.2007-04-14.202234.txt ... 06-08-09 20:15
C:\ComboFix2.txt ... 07-04-14 20:23

SDFix: Version 1.78

Run by HP_Owner - 07-04-15 - 15:13:16.57

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:






Restoring Windows Registry Values
Restoring Windows Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

No Trojan Files Found...




Removing Temp Files

ADS Check:

Checking if ADS is attached to system32 Folder
C:\WINDOWS\system32
No streams found.

Checking if ADS is attached to svchost.exe
C:\WINDOWS\system32\svchost.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------


Checking For Files with Hidden Attributes:

C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\eeafbddde_s.dll
C:\WINDOWS\system32\jkhhh.dll
C:\Documents and Settings\HP_Owner\Desktop\My stuff\ComboFix\NTPBack.exe
C:\Documents and Settings\HP_Owner\Desktop\My stuff\ComboFix\swreg.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Program Files\Smart Projects\IsoBuster\Help\AHlp.exe
C:\Documents and Settings\HP_Owner\ntuser.dat.tmp.LOG
C:\Documents and Settings\HP_Owner\ntuser.tmp.LOG
C:\Documents and Settings\HP_Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.tmp.LOG
C:\Documents and Settings\LocalService\NTUSER.tmp.LOG
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.tmp.LOG
C:\Documents and Settings\NetworkService\NTUSER.tmp.LOG
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.tmp.LOG
C:\WINDOWS\system32\config\default.tmp.LOG
C:\WINDOWS\system32\config\SAM.tmp.LOG
C:\WINDOWS\system32\config\SECURITY.tmp.LOG
C:\WINDOWS\system32\config\software.tmp.LOG
C:\WINDOWS\system32\config\system.tmp.LOG

Finished
Old 04-15-2007, 01:27 AM   #5 (permalink)
Analyst, Security Team; Assistant Rangemaster, TSF Academy
 
Sempurna
 
Join Date: Sep 2006
Posts: 1,302
OS: Windows XP SP2


Re: ToolBar 888 please help

Hi pearcedg,

This is a heavily infected system. We’ll need to run a few fixes before we can get it all, I reckon. Did you manage to run VundoFix, by the way? I don’t see the log.

OK, let’s do this next.

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

O2 - BHO: (no name) - {6079AE10-18D6-404A-BA70-D9E2E72AA638} - C:\WINDOWS\system32\awvtq.dll (file missing)
O2 - BHO: (no name) - {7D0C53B8-464E-4B24-96ED-E46C17EE610A} - C:\WINDOWS\system32\awtqo.dll
O2 - BHO: (no name) - {A2A61D92-555E-4E4D-A877-DE105D95AB90} - C:\WINDOWS\system32\hggeecd.dll
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\mthrqcpw.dll",setvm
O20 - Winlogon Notify: awtqo - C:\WINDOWS\system32\awtqo.dll
O20 - Winlogon Notify: awvtq - C:\WINDOWS\system32\awvtq.dll (file missing)
O20 - Winlogon Notify: hggeecd - C:\WINDOWS\SYSTEM32\hggeecd.dll



Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

Then please exit HijackThis.


NEXT:

1. Please download The Avenger by Swandog46 to your desktop.
  • Right-click on avenger.zip and select "Extract All". Follow the prompts.
  • A new avenger folder will be created on your desktop.


2. Copy all the text contained inside the code box below to your clipboard by highlighting it and pressing (Ctrl+C):

Code:
Files to delete:
C:\WINDOWS\system32\mthrqcpw.dll
C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\SYSTEM32\hggeecd.dll
C:\WINDOWS\system32\ljjgdeb.dll
C:\WINDOWS\system32\khfeede.dll
C:\WINDOWS\system32\hggddca.dll
C:\WINDOWS\system32\mljjged.dll
C:\WINDOWS\system32\jkhhh.dll
C:\WINDOWS\system32\iifdayy.dll
C:\WINDOWS\system32\efcccax.dll
C:\WINDOWS\system32\hggeecd.dll
C:\WINDOWS\system32\gebyyax.dll
C:\WINDOWS\system32\byxwtqq.dll
C:\WINDOWS\system32\gebcded.dll
C:\WINDOWS\system32\opnlmkh.dll
C:\WINDOWS\system32\mljhghi.dll
C:\WINDOWS\system32\cbxyawu.dll
C:\WINDOWS\system32\nnnmmmm.dll
C:\WINDOWS\system32\egjlm.bak1
C:\WINDOWS\system32\pmcnwabd.dll
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\qqstv.bak1
C:\WINDOWS\system32\jkkjihi.dll
C:\WINDOWS\system32\urqnljh.dll
C:\WINDOWS\system32\qomnoop.dll
C:\WINDOWS\system32\eeafbddde_s.dll
C:\WINDOWS\system32\yxuahsva.dll
C:\WINDOWS\system32\ddcyv.dll
C:\WINDOWS\system32\eeafbddde_s.dll
C:\WINDOWS\system32\jkhhh.dll
CAUTION: The above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.



3. Now, to start The Avenger program, open the avenger folder and double-click avenger.exe to run it.
  • Under "Script file to execute" choose "Input Script Manually".
  • Now click on the Magnifying Glass icon which will open a new window titled "View/edit script".
  • Paste the text copied to clipboard into this window by pressing (Ctrl+V).
  • Click Done.
  • Now click on the Green Traffic Light icon to begin execution of the script.
  • Answer "Yes" twice when prompted.


4. The Avenger will automatically do the following:
  • It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system TWICE).
  • On reboot, it will briefly open a black command window on your desktop; this is normal.
  • After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
  • The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip


5. Please copy and paste the contents of c:\avenger.txt into your reply along with a fresh HijackThis log by using Add/Reply.


NEXT:

Please download VirtumundoBeGone:
  • Save it to the desktop.
  • Close all running programs (including your Internet browser).
  • Double-click VirtumundoBeGone.exe on the desktop.
  • Follow the directions as indicated.

This program may generate a "BLUE SCREEN OF DEATH" which is an expected/necessary part of the process. Do not be concerned. Just reboot if your system "jams".

To confirm successful deletion, and to determine if there are any additional problems, please post the VirtumundoBeGone log VBG.txt. It will be on your desktop.


NEXT:

Go to the Start -> Control Panel -> Add/Remove Programs and remove any of the following that are listed:

ClickSpring
Cowabanga by OIN
MediaTickets
MediaTickets by OIN
OIN
Outerinfo
Outer Info Network
PurityScan
PurityScan by OIN
Snowball Wars by OIN
TizzleTalk
TizzleTalk by OIN
Yazzle by OIN
Yazzle ActiveX by OIN
Yazzle Cowabanga by OIN
Yazzle Kobe Balls! By OIN
Yazzle Picster by OIN
Yazzle Snowball Wars by OIN
Yazzle Sudoku by OIN
Zolero Translator

(Anything else with the word "OIN" or "Outerinfo" or "Outer Info Network" or "Yazzle" in it)


NEXT:

Reconfigure Windows XP to show hidden files:
  • Click Start -> My Computer.
  • Select the Tools menu and click Folder Options. Select the View tab.
  • Under the Hidden files and folders heading check "Show hidden files and folders".
  • Uncheck the "Hide protected operating system files (recommended)" option.
  • Uncheck the "Hide file extensions for known file types" option.
  • Click Yes to confirm. Click OK.

CAUTION: You will see many folders and files which you may not recognize. Most of these folders and files are LEGITIMATE. Please do NOT delete anything you deem suspicious unless you are specifically instructed to do so. To do otherwise may irreparably damage your system.


NEXT:

Using Windows Explorer (right-click your Start button and select Explore), please navigate to and delete the following FOLDERS (if they exist):

The question marks (?) could be symbols or foreign alphabets.

C