Old 06-17-2006, 02:01 AM   #1 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 44
OS: Windows XP


Need lots of help here.

Hi. I am in need of some major help with this computer. It keeps loading up stuff that I don't want it to and it keeps bringing up internet popups. Tell me what I need to provide (HJT Log etc.) and I will provide it. Thanks in advance for the help.
FallenAngelSeph is offline  

Old 06-17-2006, 09:26 AM   #2 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Let's start with a HJT log.

Download HiJackThis - this program will help determine if there's any malware on your computer.

1. Double-click on the file you just downloaded.

2. Click on the "Unzip" button to install the newer version.

3. It will by default install to the directory - C:\Program Files\HiJackThis\

4. If it gives you an intro screen, just choose - Do a system scan and save a logfile.

5. If you don't get the intro screen, just hit [Scan] and then click on Save log.

6. Post the HiJackThis.log file here
__________________

Question - what have you done for the community today?
sUBs is offline  
Old 06-17-2006, 01:41 PM   #3 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 44
OS: Windows XP


Okay, no problem. Here is my HJT log. It seems to have found a lot of stuff that isn't supposed to be there. I await your response and thanks for helping.

Logfile of HijackThis v1.99.1
Scan saved at 12:36:22 PM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\IA\command.exe
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Network Monitor\netmon.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\cohcfso.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\WINDOWS\win32106-147137667.exe
C:\WINDOWS\cohcfsoA.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\WINDOWS\cfg32.exe
C:\windows\system32\pqdsregm.exe
C:\WINDOWS\SYSC00.exe
C:\WINDOWS\sys02471376676-1.exe
C:\WINDOWS\system32\kwinrqez.exe
C:\Program Files\webHancer\Programs\whagent.exe
C:\Program Files\webHancer\Programs\whsurvey.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\TClock\TClock.exe
C:\WINDOWS\cfg32a.exe
C:\Program Files\Uninstall Information\odbc.exe
C:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F3 - REG:win.ini: load=???
?
F3 - REG:win.ini: run=???
?
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,lkdtsje.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\system32\x3cqp0.dll (file missing)
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {CBBEF009-87CD-419A-B59C-F568C542FDBD} - C:\Program Files\Common Files\hore.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [win32106-147137667] C:\WINDOWS\win32106-147137667.exe
O4 - HKLM\..\Run: [cohcfsoA] C:\WINDOWS\cohcfsoA.exe
O4 - HKLM\..\Run: [w1f8758a.dll] RUNDLL32.EXE w1f8758a.dll,I2 0015d7f701f8758a
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [{C9-92-2D-DC-ZN}] C:\windows\system32\pqdsregm.exe GID003
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys02471376676-1] C:\WINDOWS\sys02471376676-1.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwinrqez.exe GID003
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinrqez.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O10 - Hijacked Internet access by WebHancer
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1127251276609
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://coolmom58.multiply.com/photos/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{146CD15B-8821-4A8B-BD6E-00138CEFFAF8}: NameServer = 68.94.156.1,68.94.157.1
O20 - AppInit_DLLs: msiexec.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Themes - C:\WINDOWS\system32\pjrfdisk.dll (file missing)
O20 - Winlogon Notify: Unimodem - C:\WINDOWS\system32\mytscax.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Boonty Games - BOONTY - C:\Program Files\Common Files\BOONTY Shared\Service\Boonty.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\IA\command.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\cohcfso.exe
FallenAngelSeph is offline  
Old 06-17-2006, 02:09 PM   #4 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Hmm... appears you weren't wrong when you said "Need lots of help here". You have multiple infections!! You're in this hot-soup primarily because I don't see any antivirus programs in your machine (Ewido isn't an antivirus program per se). In this day & age, I would advise you to remove all your removable drives & stay off the internet if you do not have anti-viral protection.

Please read this post completely before beginning. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


* * * * * *


Do this first ...



  1. Download and run - bfu.zip
  2. Checkmark the following boxes:
    • Use settings specified in script for the above option
    • Show log after script ends
  3. Click the Web button located on the top right corner
  4. Copy/Paste this url into the address bar of the Download script window:

    http://metallica.geekstogo.com/alcanshorty.bfu

  5. Execute the script by clicking the Execute button.
  6. When it finishes running, click the Save button for a copy of the log
  7. Post the log created by the script when you have completed the fix

* * * * * *


1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
Do not proceed with the rest of the fix if you fail to run combofix


* * * * * * ADDITIONAL DOWNLOADS * * * * * * * * * * * * * *


Download & install CleanUp.exe (not recommended for WinXP64)

Please download AVG Antivirus and update its virus definitions. Also ensure that its real time scanning engine is enabled. We shall be running it later

Download Dr.Web CureIt & save it on desktop. We shall be using it later

'UNPLUG'/DISCONNECT your computer from the Internet when you have finished downloading.
It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.


* * * * * * DISABLING SERVICES * * * * * * * * * * * * * * * * *


Click Start -> Run - type SERVICES.MSC & then click on the OK button
  1. Locate the service - Windows Overlay Components
  2. Double-click on it to open the Properties dialog.
    - Change the Startup type to Disabled & then click on the Apply button
    - Stop the service by using the Stop button.
  3. Then start HiJackThis & go to Config... -> Misc.Tools -> Delete an NT service
  4. In the popup box that appears, copy/paste Windows Overlay Components
  5. Click on the OK button & answer No if prompted to reboot
Repeat steps 1-5 for these other services :-
  • BOONTY

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://searchbar.findthewebsiteyouneed.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://searchbar.findthewebsiteyouneed.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F3 - REG:win.ini: load=???
?
F3 - REG:win.ini: run=???
?
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\Userinit.exe,lkdtsje.exe
O2 - BHO: BHObj Class - {00000010-6F7D-442C-93E3-4A4827C2E4C8} - C:\WINDOWS\nem220.dll
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Related Page - {9A9C9B69-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O2 - BHO: Yvakt Class - {AE0ECC2F-0C33-494C-8B22-B57A7763027F} - C:\WINDOWS\system32\x3cqp0.dll (file missing)
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O2 - BHO: WhIeHelperObj Class - {c900b400-cdfe-11d3-976a-00e02913a9e0} - C:\Program Files\webHancer\programs\whiehlpr.dll
O2 - BHO: (no name) - {CBBEF009-87CD-419A-B59C-F568C542FDBD} - C:\Program Files\Common Files\hore.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll
O4 - HKLM\..\Run: [win32106-147137667] C:\WINDOWS\win32106-147137667.exe
O4 - HKLM\..\Run: [cohcfsoA] C:\WINDOWS\cohcfsoA.exe
O4 - HKLM\..\Run: [w1f8758a.dll] RUNDLL32.EXE w1f8758a.dll,I2 0015d7f701f8758a
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [{C9-92-2D-DC-ZN}] C:\windows\system32\pqdsregm.exe GID003
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\SYSC00.exe
O4 - HKLM\..\Run: [sys02471376676-1] C:\WINDOWS\sys02471376676-1.exe
O4 - HKLM\..\Run: [BrowserUpdateSched] C:\WINDOWS\system32\kwinrqez.exe GID003
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - Startup: Zeno.lnk = C:\WINDOWS\system32\kwinrqez.exe
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O20 - AppInit_DLLs: msiexec.dll



* * * * * * RESTART WINDOWS IN SAFE MODE * * * * * * * * * *


1. Restart your computer
2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3. Instead of Windows loading as normal, a menu should appear
4. Select the option to run Windows in Safe Mode.


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • Webhancer
    Zeno
    Boonty (if available)
    Purity Scan/SnowballWars by OIN (or anything else by OIN)
Please note any other programs that you don't recognize in that list in your next response


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders:
  • C:\WINDOWS\cfg32a.exe
    C:\Program Files\Uninstall Information\odbc.exe
    C:\WINDOWS\nem220.dll
    C:\WINDOWS\cfg32p.dll
    C:\WINDOWS\cfg32r.dll
    C:\WINDOWS\system32\WinNB57.dll
    C:\WINDOWS\system32\x3cqp0.dll
    C:\WINDOWS\cfg32o.dll
    C:\Program Files\webHancer\
    C:\Program Files\Common Files\hore.dll
    C:\WINDOWS\cfg32s.dll
    C:\WINDOWS\system32\WinNB57.dll
    C:\WINDOWS\win32106-147137667.exe
    C:\WINDOWS\cohcfsoA.exe
    w1f8758a.dll
    C:\WINDOWS\cfg32.exe
    C:\windows\system32\pqdsregm.exe
    C:\WINDOWS\SYSC00.exe
    C:\WINDOWS\sys02471376676-1.exe
    C:\WINDOWS\system32\kwinrqez.exe
    C:\Program Files\Common Files\svchostsys\
    C:\WINDOWS\system32\kwinrqez.exe
    C:\WINDOWS\system32\msiexec.dll >>> do not delete msiexec.EXE
    C:\Program Files\Common Files\BOONTY Shared\
    C:\WINDOWS\cohcfso.exe

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Delete Cookies
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Have AVG do a systemwide scan & fix/heal/delete all that it finds.


* * * * * *
  • Doubleclick the drweb-cureit.exe file and Allow to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look if you can click next icon next to the files found:
  • If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:

    This will move it to the %userprofile%\DoctorWeb\quarantaine-folder if it can't be cured. (This is in case we need samples.)
  • After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
  • After reboot, post the contents of the log from Dr.Web you saved previously in your next reply.

** The scan would require at least an hour. I suggest that you go grab a cup of coffee & do something else while you wait for it to complete.


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click Scan your PC & a 'pop up' window shall appear. *ensure that your pop up blocker doesn't block it
  2. Click Scan Now
  3. Enter your e-mail address & click Scan Now ...begins downloading 8 MB Panda's ActiveX controls
Begin the scan by selecting My Computer
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on see report. Then click Save report
Post the contents of the report in your next reply

*You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
*Turn off the real time scanner of any existing antivirus program while performing the online scan



* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • ComboFix
  • Dr.Web
  • Online Scan
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
sUBs is offline  
Old 06-17-2006, 08:59 PM   #5 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 44
OS: Windows XP


Okay, it took a while but here are the logs you requested.

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 7:54:19 PM, on 6/17/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\Program Files\ipwins\ipwins.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\TClock\TClock.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\Program Files\CleanUp!\readme.exe
C:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll (file missing)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll (file missing)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1127251276609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://coolmom58.multiply.com/photos/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{146CD15B-8821-4A8B-BD6E-00138CEFFAF8}: NameServer = 68.94.156.1,68.94.157.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

Combofix Log:

Start Time= Sat 06/17/2006 13:45:31.85

(((((((((((((((((((((((((((((((((((((((((((((((( Look2Me's Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AtiExtEvent
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\crypt32chain
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cryptnet
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cscdll
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ScCertProp
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Schedule
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\sclgntfy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SensLogn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\termsrv
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wlballoon
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wzcnotif


* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\internet settings\user agent\post platform]
"sv1"=""

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shell extensions\approved]

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{936F986D-978C-4695-8568-AD6265403962}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{936F986D-978C-4695-8568-AD6265403962}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{936F986D-978C-4695-8568-AD6265403962}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{936F986D-978C-4695-8568-AD6265403962}\InprocServer32]
@="C:\\WINDOWS\\system32\\mytscax.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{088C1F01-AC61-41F1-A0A5-4E3975432F7F}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{088C1F01-AC61-41F1-A0A5-4E3975432F7F}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{088C1F01-AC61-41F1-A0A5-4E3975432F7F}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{088C1F01-AC61-41F1-A0A5-4E3975432F7F}\InprocServer32]
@="C:\\WINDOWS\\system32\\pjrfdisk.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:



Granting sedebugprivilege to Administrators ... successful


(((((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))

13:47:34.04

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *




* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-16 20:40:04 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-05-09 22:23:00 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-05-09 22:23:00 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-05-19 08:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
2006-05-09 22:23:02 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-05-09 22:23:02 613,888 "C:\WINDOWS\system32\urlmon.dll"
2006-06-17 10:47:26 32,768 "C:\WINDOWS\system32\WinDmy.dll"
2006-06-16 20:39:06 28,672 "C:\WINDOWS\system32\gbe90qs.exe"
2006-05-09 22:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 22:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 22:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-05-09 22:23:00 251,392 "C:\WINDOWS\system32\iepeers.dll"
2006-06-01 11:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 11:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-17 22:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-05-09 22:23:00 16,384 "C:\WINDOWS\system32\jsproxy.dll"
2006-06-16 20:38:48 81,920 "C:\WINDOWS\system32\msiexec.dll"
2006-05-09 22:23:02 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-05-14 01:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-05-29 08:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-05-09 22:23:02 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-05-09 22:23:04 658,432 "C:\WINDOWS\system32\wininet.dll"
2006-06-17 10:47:26 303,104 "C:\WINDOWS\system32\WinNB57.dll"
2006-05-09 22:23:00 1,054,208 "C:\WINDOWS\system32\danim.dll"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *




DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-16 20:39:06 28,672 "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-16 20:40:04 48,167 "C:\WINDOWS\system32\VSL05.exe"
2006-05-09 22:23:00 151,040 "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 22:23:00 357,888 "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 22:23:00 205,312 "C:\WINDOWS\system32\dxtrans.dll"
2006-05-09 22:23:00 251,392 "C:\WINDOWS\system32\iepeers.dll"
2006-06-01 11:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 11:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-17 22:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-05-09 22:23:00 16,384 "C:\WINDOWS\system32\jsproxy.dll"
2006-06-16 20:38:48 81,920 "C:\WINDOWS\system32\msiexec.dll"
2006-05-09 22:23:02 39,424 "C:\WINDOWS\system32\pngfilt.dll"
2006-05-14 01:44:08 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-05-29 08:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-05-09 22:23:02 474,112 "C:\WINDOWS\system32\shlwapi.dll"
2006-05-09 22:23:04 658,432 "C:\WINDOWS\system32\wininet.dll"
2006-06-17 10:47:26 303,104 "C:\WINDOWS\system32\WinNB57.dll"
2006-05-09 22:23:00 55,808 "C:\WINDOWS\system32\extmgr.dll"
2006-05-09 22:23:00 96,256 "C:\WINDOWS\system32\inseng.dll"
2006-05-19 08:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
2006-05-09 22:23:02 532,480 "C:\WINDOWS\system32\mstime.dll"
2006-05-09 22:23:02 613,888 "C:\WINDOWS\system32\urlmon.dll"
2006-06-17 10:47:26 32,768 "C:\WINDOWS\system32\WinDmy.dll"
2006-05-09 22:23:00 1,054,208 "C:\WINDOWS\system32\danim.dll"


((((((((((((((((((((((((((((((((((((((((((((((((((( Ssk's Log ))))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator\Application Data\Sskknwrd.dll
C:\Documents and Settings\Administrator\Application Data\Sskuknwrd.dll
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Ssk.log


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



13:51:19.93
((((((((((((((((((((((((((((((((((((((((((((((( Other Deletions ))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\defender26.exe
C:\drsmartload1.exe
C:\drsmartload45a.exe
C:\drsmartload46a.exe
C:\drsmartload849a.exe
C:\newname25.exe
C:\keyboard25.exe
C:\WINDOWS\drsmartload2.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\teller2.chk
C:\MTE3NDI6ODoxNg.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\Program Files\network monitor
C:\Documents and Settings\LocalService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-17 13:44:16 377 ( A.... ) "C:\Program Files\Common Files\hore"
2006-06-17 12:43:42 ( .D... ) "C:\Program Files\ipwins"
2006-06-17 12:23:58 ( .D... ) "C:\Program Files\TClock"
2006-06-17 12:23:56 ( .D... ) "C:\Program Files\InetGet2"
2006-06-17 10:52:18 ( .D... ) "C:\Program Files\Common Files\partypoker"
2006-06-17 10:47:26 303104 ( A.... ) "C:\WINDOWS\system32\WinNB57.dll"
2006-06-17 10:47:26 32768 ( A.... ) "C:\WINDOWS\system32\WinDmy.dll"
2006-06-17 01:50:26 ( .D... ) "C:\Program Files\webHancer"
2006-06-17 01:50:26 ( .D... ) "C:\Program Files\Common Files\svchostsys"
2006-06-17 01:50:26 ( .D... ) "C:\Program Files\Common Files\simtest"
2006-06-17 01:50:26 ( .D... ) "C:\Program Files\Common Files\misc001"
2006-06-17 00:52:22 30208 ( A.... ) "C:\SS1001.exe"
2006-06-17 00:52:22 ( .D... ) "C:\Program Files\Common Files\furf"
2006-06-17 00:52:20 139264 ( A.... ) "C:\WINDOWS\sys02471376676-1.exe"
2006-06-17 00:52:18 36608 ( A.... ) "C:\WINDOWS\nem220.dll"
2006-06-17 00:52:18 14848 ( A.... ) "C:\stub_113_4_0_4_0.exe"
2006-06-17 00:52:16 232749 ( A.... ) "C:\WINDOWS\pf78.exe"
2006-06-17 00:52:16 52104 ( A.... ) "C:\WINDOWS\pf79.exe"
2006-06-17 00:52:14 32768 ( A.... ) "C:\WINDOWS\jqxxgqsk.exe"
2006-06-17 00:52:10 467968 ( A.... ) "C:\visfx500.exe"
2006-06-17 00:51:58 45074 ( A.... ) "C:\WINDOWS\system32\pqdsregm.exe"
2006-06-17 00:51:56 45059 ( A.... ) "C:\ZIGID003.exe"
2006-06-16 21:23:50 ( .D... ) "C:\Program Files\Lavasoft"
2006-06-16 21:13:00 32768 ( A.... ) "C:\WINDOWS\vfumehnu.exe"
2006-06-16 21:08:02 32768 ( A.... ) "C:\WINDOWS\kctyfaro.exe"
2006-06-16 21:03:38 32768 ( A.... ) "C:\WINDOWS\gealddah.exe"
2006-06-16 20:55:12 32768 ( A.... ) "C:\WINDOWS\vvlahskc.exe"
2006-06-16 20:42:08 1392640 ( A.... ) "C:\WINDOWS\cfg32a.exe"
2006-06-16 20:42:04 102400 ( A.... ) "C:\WINDOWS\cfg32r.dll"
2006-06-16 20:42:02 110592 ( A.... ) "C:\WINDOWS\cfg32o.dll"
2006-06-16 20:42:00 45056 ( A.... ) "C:\WINDOWS\cfg32s.dll"
2006-06-16 20:40:48 33012 ( A.... ) "C:\WINDOWS\system32\tpuninstall.exe"
2006-06-16 20:40:46 397312 ( A.... ) "C:\WINDOWS\cfg32p.dll"
2006-06-16 20:40:10 20480 ( A.... ) "C:\stub_sca3.exe"
2006-06-16 20:40:08 29251 ( A.... ) "C:\mc-110-12-0000228.exe"
2006-06-16 20:40:04 48167 ( A.... ) "C:\WINDOWS\system32\VSL05.exe"
2006-06-16 20:39:48 174669 ( A.... ) "C:\WINDOWS\srvqdohaxb.exe"
2006-06-16 20:39:32 362496 ( A.... ) "C:\526_620.exe"
2006-06-16 20:39:06 28672 ( A.... ) "C:\WINDOWS\system32\gbe90qs.exe"
2006-06-16 20:39:00 139264 ( A.... ) "C:\WINDOWS\win32106-147137667.exe"
2006-06-16 20:39:00 45056 ( A.... ) "C:\WINDOWS\system32tfthot.exe"
2006-06-16 20:39:00 28672 ( A.... ) "C:\WINDOWS\system32ftuninst.exe"
2006-06-16 20:39:00 24576 ( A.... ) "C:\WINDOWS\system32ssec.exe"
2006-06-16 20:38:58 28672 ( A.... ) "C:\WINDOWS\system32\ftuninst.exe"
2006-06-16 20:38:52 2 ( A.... ) "C:\WINDOWS\system32\wnsintsv.exe"
2006-06-16 20:38:48 81920 ( A.... ) "C:\WINDOWS\system32\msiexec.dll"
2006-06-16 20:38:46 928 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"
2006-06-16 20:38:46 928 ( A.... ) "C:\WINDOWS\system32\nt68rrtc12.sys"
2006-06-16 20:38:24 45056 ( A.... ) "C:\wd7gi8n.exe"
2006-06-16 20:37:56 159865 ( A.... ) "C:\WINDOWS\system32\kwinrqez.exe"
2006-06-16 20:37:56 48190 ( A.... ) "C:\VSL02.exe"
2006-06-16 20:37:48 310122 ( A.... ) "C:\Trelew.exe"
2006-06-16 20:36:58 ( .D... ) "C:\Program Files\Windows"
2006-06-16 20:36:58 ( .D... ) "C:\Program Files\Common Files\InetGet"
2006-06-16 20:36:52 ( .D... ) "C:\Program Files\Common Files\Download"
2006-06-15 21:03:46 ( .D... ) "C:\Program Files\Stomp"
2006-06-15 19:32:56 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\LimeWire"
2006-06-11 12:39:42 ( .D... ) "C:\Program Files\Pando Networks"
2006-06-08 18:19:50 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-01 11:47:08 163840 ( A.... ) "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 11:47:08 27648 ( A.... ) "C:\WINDOWS\system32\jgpl400.dll"
2006-05-30 16:19:18 2088960 ( A.... ) "C:\WINDOWS\cfg32.exe"
2006-05-30 16:09:20 24576 ( A.... ) "C:\WINDOWS\Uninstall.exe"
2006-05-29 08:30:34 1494016 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-05-19 08:08:32 3052544 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-05-18 21:11:34 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Incredible Ink"
2006-05-17 22:24:26 450560 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-17 11:23:38 579888 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2006-05-15 15:00:38 ( .D... ) "C:\Program Files\ASCII"
2006-05-15 14:57:06 ( .D... ) "C:\Program Files\RPGMaker 2000"
2006-05-14 01:44:08 181248 ( A.... ) "C:\WINDOWS\system32\rasmans.dll"
2006-05-11 01:23:24 24576 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-05-10 03:11:22 12288 ( A.... ) "C:\Program Files\Common Files\hore.dll"
2006-05-09 23:34:38 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2006-05-09 22:23:04 658432 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2006-05-09 22:23:02 613888 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-05-09 22:23:02 532480 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2006-05-09 22:23:02 474112 ( A.... ) "C:\WINDOWS\system32\shlwapi.dll"
2006-05-09 22:23:02 448512 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2006-05-09 22:23:02 146432 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2006-05-09 22:23:02 39424 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2006-05-09 22:23:00 1054208 ( A.... ) "C:\WINDOWS\system32\danim.dll"
2006-05-09 22:23:00 1022976 ( A.... ) "C:\WINDOWS\system32\browseui.dll"
2006-05-09 22:23:00 357888 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 22:23:00 251392 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
2006-05-09 22:23:00 205312 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2006-05-09 22:23:00 151040 ( A.... ) "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 22:23:00 96256 ( A.... ) "C:\WINDOWS\system32\inseng.dll"
2006-05-09 22:23:00 55808 ( ..... ) "C:\WINDOWS\system32\extmgr.dll"
2006-05-09 22:23:00 16384 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2006-05-06 21:04:48 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Nology"
2006-05-02 14:45:22 57344 ( A.... ) "C:\WINDOWS\system32\SDRunner.dll"
2006-04-30 14:37:14 ( .D... ) "C:\Program Files\Security Task Manager"
2006-04-29 20:52:20 ( .D... ) "C:\Program Files\Microsoft Games"
2006-04-29 06:07:48 5533696 ( A.... ) "C:\WINDOWS\system32\wmp.dll"
2006-04-26 21:46:24 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\PlayFirst"
2006-04-26 21:46:10 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Mind Control Software"
2006-04-26 17:08:20 101792 ( A.... ) "C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT"
2006-04-26 14:49:54 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Wildfire"
2006-04-25 02:20:12 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\funkitron"
2006-04-21 14:09:36 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Blippy Games"
2006-03-17 02:07:18 679424 ( A.... ) "C:\WINDOWS\system32\inetcomm.dll"
2006-01-30 23:35:26 2054 ( A.... ) "C:\Program Files\INSTALL.LOG"
2004-08-18 16:01:24 2931712 ( A..H. ) "C:\Program Files\BOOTIMG.BIN"
2004-08-18 16:00:32 2048 ( A..H. ) "C:\Program Files\BOOTCAT.BIN"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"AutoTKit"="C:\\hp\\bin\\AUTOTKIT.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"QuickFinder Scheduler"="\"C:\\Program Files\\Corel\\WordPerfect Office 2002\\Programs\\QFSCHD100.EXE\""
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"win32106-147137667"="C:\\WINDOWS\\win32106-147137667.exe"
"cohcfsoA"="C:\\WINDOWS\\cohcfsoA.exe"
"w1f8758a.dll"="RUNDLL32.EXE w1f8758a.dll,I2 0015d7f701f8758a"
"Configuration Manager"="C:\\WINDOWS\\cfg32.exe"
"{C9-92-2D-DC-ZN}"="C:\\windows\\system32\\pqdsregm.exe GID003"
"TheMonitor"="C:\\WINDOWS\\SYSC00.exe"
"sys02471376676-1"="C:\\WINDOWS\\sys02471376676-1.exe"
"BrowserUpdateSched"="C:\\WINDOWS\\system32\\kwinrqez.exe GID003"
"webHancer Agent"="C:\\Program Files\\webHancer\\Programs\\whagent.exe"
"webHancer Survey Companion"="C:\\Program Files\\webHancer\\Programs\\whsurvey.exe"
"IpWins"="C:\\Program Files\\ipwins\\ipwins.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BackupNotify"="c:\\Program Files\\HP\\Digital Imaging\\bin\\backupnotify.exe"
"sys_up1"="C:\\Program Files\\Common Files\\svchostsys\\svchostsys.exe"
"TClock.exe"="C:\\Program Files\\TClock\\tclock_install.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"WinUpdate.exe"="C:\\Program Files\\Windows\\WinUpdate.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{00DBDAC8-4691-4797-8E6A-7C6AB89BC441}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Zeno.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Zeno.lnk"
"backup"="C:\\WINDOWS\\pss\\Zeno.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\kwinrqez.exe GID003"
"item"="Zeno"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Z_Start.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Z_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\Z_Start.lnkStartup"
"location"="Startup"
"command"="C:\\ZIGID003.exe GID003"
"item"="Z_Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Grouper.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Grouper.lnk"
"backup"="C:\\WINDOWS\\pss\\Grouper.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\Grouper\\Grouper.exe -s"
"item"="Grouper"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winlog"
"hkey"="HKLM"
"command"="winlog.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIModeChange]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ati2mdxx"
"hkey"="HKLM"
"command"="Ati2mdxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AXVenore]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AXVenore"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\AXVenore\\AXVenore.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BrowserUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kwinrqez"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\kwinrqez.exe GID003"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ccRegVfy"
"hkey"="HKLM"
"command"="\"c:\\Program Files\\Common Files\\Symantec Shared\\ccRegVfy.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="defender26"
"hkey"="HKLM"
"command"="C:\\\\defender26.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DW4]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DesktopWeather"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\The Weather Channel FW\\Desktop Weather\\DesktopWeather.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\furf]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="furfm"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\COMMON~1\\furf\\furfm.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyboard25"
"hkey"="HKLM"
"command"="C:\\\\keyboard25.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???????????????"
"hkey"="HKCU"
"command"="???????????????"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LTMSG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LTMSG"
"hkey"="HKLM"
"command"="LTMSG.exe 7"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mnyexpr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MyWebSearch Email Plugin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mwsoemon"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\MYWEBS~1\\bar\\8.bin\\mwsoemon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="newname25"
"hkey"="HKLM"
"command"="C:\\\\newname25.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\outlook]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="outlook"
"hkey"="HKLM"
"command"="C:\\Program Files\\outlook\\outlook.exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PECarlin]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PECarlin"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PECarlin\\PECarlin.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RecordNow!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKCU"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
"key"="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows"
"item"="???????????????"
"hkey"="HKCU"
"command"="???????????????"
"inimapping"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware Vanisher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="FreeScanner"
"hkey"="HKCU"
"command"="c:\\spywarevanisher-free\\FreeScanner.exe -FastScan"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebRebates]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WebRebates\""
"hkey"="HKLM"
"command"="javaw -cp \"C:\\Program Files\\WebRebates\\System\\Code\" Main lp: \"C:\\Program Files\\WebRebates\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\websearch]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="websearch\""
"hkey"="HKLM"
"command"="javaw -cp \"C:\\Program Files\\websearch\\System\\Code\" Main lp: \"C:\\Program Files\\websearch\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsupdater]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winsupdater"
"hkey"="HKLM"
"command"="C:\\Program Files\\winsupdater\\winsupdater.exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winupdates]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winupdates"
"hkey"="HKLM"
"command"="C:\\Program Files\\winupdates\\winupdates.exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=dword:00000002


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FOLDER.TSX
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sat 06/17/2006 13:51:24.39
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt

My next 2 logs will be in the next post because they would be too big to put all in one post.
FallenAngelSeph is offline  
Old 06-17-2006, 09:01 PM   #6 (permalink)


Here is the log for Dr. Web:

mc-110-12-0000228.exe;C:\;Trojan.DownLoader.10320;Incurable.Moved.;
ZIGID003.exe;C:\;Adware.ZenoSearch;Incurable.Moved.;
mc-110-12-0000228.exe;C:\Documents and Settings\Administrator\DoctorWeb\Quarantine;Trojan.DownLoader.10320;Incurable.Moved.;
backup-20051205-215754-278.dll;C:\Documents and Settings\Administrator\My Documents\HJT\backups;Adware.QuickBar;Incurable.Moved.;
backup-20060617-140906-173.dll;C:\Documents and Settings\Administrator\My Documents\HJT\backups;Adware.Mirarbar;Incurable.Moved.;
backup-20060617-140906-375.dll;C:\Documents and Settings\Administrator\My Documents\HJT\backups;Adware.WebHancer;Incurable.Moved.;
backup-20060617-140906-665.dll;C:\Documents and Settings\Administrator\My Documents\HJT\backups;Adware.BookedSpace;Incurable.Moved.;
backup-20060617-140906-713.dll;C:\Documents and Settings\Administrator\My Documents\HJT\backups;Adware.BookedSpace;Incurable.Moved.;
Terminator.exe;C:\hp\bin;Trojan.KillApp.30208;Deleted.;
mc-110-12-0000137.exe;C:\Program Files\Common Files\Download;Trojan.DownLoader.9894;Incurable.Moved.;
furfc.dll;C:\Program Files\Common Files\furf\furfd;Adware.TargetServer;Incurable.Moved.;
sysstall.exe;C:\Program Files\Common Files\simtest;Trojan.Starter.62;Deleted.;
howy.html\Javascript.0;C:\Program Files\MSN Gaming Zone\howy.html;Trojan.Click.1237;;
howy.html;C:\Program Files\MSN Gaming Zone;Archive contains infected objects;Moved.;
wWinUpdate.exe;C:\Program Files\Windows;Trojan.DownLoader.9894;Deleted.;
kyzesequ.html\Javascript.0;C:\Program Files\Windows Media Player\kyzesequ.html;Trojan.Click.1237;;
kyzesequ.html;C:\Program Files\Windows Media Player;Archive contains infected objects;Moved.;
A0136576.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP788;Win32.HLLW.MyBot;Deleted.;
A0136590.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP788;Adware.SpywareStorm;Incurable.Moved.;
A0136602.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP788;Win32.HLLW.MyBot;Deleted.;
A0136619.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP788;Win32.HLLW.MyBot;Deleted.;
A0136803.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP788;Win32.HLLW.MyBot;Deleted.;
A0136825.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP788;Win32.HLLW.MyBot;Deleted.;
A0136846.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP788;Win32.HLLW.MyBot;Deleted.;
A0136866.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP788;Win32.HLLW.MyBot;Deleted.;
A0136906.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP788;Win32.HLLW.MyBot;Deleted.;
A0136907.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP788;Win32.HLLW.MyBot;Deleted.;
A0136921.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP788;Trojan.FakeSetup;Deleted.;
A0136922.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP788;Win32.HLLW.Bropia;Deleted.;
A0138425.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP806;Win32.HLLW.MyBot;Deleted.;
A0138660.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP806;Win32.HLLW.MyBot;Deleted.;
A0141884.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP824;Adware.Comet;Incurable.Moved.;
A0142545.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP831;Win32.HLLW.MyBot;Deleted.;
A0142586.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP831;Trojan.MulDrop.3290;Deleted.;
A0142587.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP831;Win32.HLLW.MyBot;Deleted.;
A0142669.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP833;Probably DLOADER.Trojan;Incurable.Moved.;
A0143521.rbf;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP840;Probably WIN.WORM.Virus;Incurable.Moved.;
A0144943.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP846;Trojan.MulDrop.3290;Deleted.;
A0145265.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9440;Deleted.;
A0145269.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9440;Deleted.;
A0145270.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Win32.HLLW.Bropia;Deleted.;
A0145272.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;BackDoor.Generic.1219;Deleted.;
A0145273.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;BackDoor.Generic.1219;Deleted.;
A0145274.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Modification of BackDoor.Generic.987;Moved.;
A0145275.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Nexus;Incurable.Moved.;
A0145276.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Dh;Incurable.Moved.;
A0145277.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.WebHancer;Incurable.Moved.;
A0145278.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.WebHancer;Incurable.Moved.;
A0145279.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.WebHancer;Incurable.Moved.;
A0145280.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.NewDotNet;Incurable.Moved.;
A0145281.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.NewDotNet;Incurable.Moved.;
A0145282.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Probably MULDROP.Trojan;Incurable.Moved.;
A0145291.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9894;Deleted.;
A0145306.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Click.1211;Deleted.;
A0146277.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Win32.HLLW.MyBot;Deleted.;
A0146280.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9894;Deleted.;
A0147277.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Win32.HLLW.MyBot;Deleted.;
A0147280.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9894;Deleted.;
A0148278.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Win32.HLLW.MyBot;Deleted.;
A0148280.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9894;Deleted.;
A0149290.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.TargetServer;Incurable.Moved.;
A0149291.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.TargetServer;Incurable.Moved.;
A0149292.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.5289;Deleted.;
A0149293.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.TargetServer;Incurable.Moved.;
A0149294.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.TargetServer;Incurable.Moved.;
A0149300.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Yavak;Incurable.Moved.;
A0149305.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Yavak;Incurable.Moved.;
A0149448.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Dyfuca;Deleted.;
A0149449.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Qoologic;Deleted.;
A0149450.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.8290;Deleted.;
A0149451.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Win32.HLLW.MyBot;Deleted.;
A0149452.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Qoologic;Deleted.;
A0149453.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.5013;Deleted.;
A0149454.EXE;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.NewDotNet;Incurable.Moved.;
A0149455.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.MulDrop.2785;Deleted.;
A0149456.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Casclient;Incurable.Moved.;
A0149457.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.6298;Deleted.;
A0149458.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DnsChange;Deleted.;
A0149459.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Casclient;Incurable.Moved.;
A0149460.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.WebHancer;Incurable.Moved.;
A0149462.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Win32.HLLW.Bropia;Deleted.;
A0149463.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Surfside;Incurable.Moved.;
A0149464.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.TargetServer;Incurable.Moved.;
A0149465.exe\data001;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149465.exe;Trojan.Popuper;;
A0149465.exe\data002;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149465.exe;Trojan.Popuper;;
A0149465.exe\data004;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149465.exe;Trojan.Dyfuca;;
A0149465.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Archive contains infected objects;Moved.;
A0149466.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Look2me;Incurable.Moved.;
A0149467.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.MulDrop.2785;Deleted.;
A0149469.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Popuper;Deleted.;
A0149470.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Proxy.493;Deleted.;
A0149471.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Proxy.493;Deleted.;
A0149472.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.5013;Deleted.;
A0149473.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.NewDotNet;Incurable.Moved.;
A0149474.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.NewDotNet;Incurable.Moved.;
A0149475.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Dyfuca;Deleted.;
A0149476.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Enbrow;Incurable.Moved.;
A0149477.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.WildMedia;Incurable.Moved.;
A0149478.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.8933;Deleted.;
A0149479.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.ZenoSearch;Incurable.Moved.;
A0149480.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.WildMedia;Incurable.Moved.;
A0149481.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Qoologic;Deleted.;
A0149482.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Qoologic;Deleted.;
A0149483.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.WildMedia;Incurable.Moved.;
A0149484.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.ZenoSearch;Incurable.Moved.;
A0149485.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Qoologic;Deleted.;
A0149486.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Lc;Incurable.Moved.;
A0149487.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Win32.HLLW.MyBot;Deleted.;
A0149488.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.ZenoSearch;Incurable.Moved.;
A0149489.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Click.1166;Deleted.;
A0149491.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Look2me;Incurable.Moved.;
A0149492.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.ZenoSearch;Incurable.Moved.;
A0149495.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Probably DLOADER.Trojan;Incurable.Moved.;
A0149497.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.WebHancer;Incurable.Moved.;
A0149499.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.WebHancer;Incurable.Moved.;
A0149506.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Qoologic;Deleted.;
A0149507.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Look2me;Incurable.Moved.;
A0149508.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Look2me;Incurable.Moved.;
A0149516.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9894;Deleted.;
A0149521.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Popuper;Deleted.;
A0149527.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Qoologic;Deleted.;
A0149528.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;BackDoor.Generic.1219;Deleted.;
A0149529.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Modification of BackDoor.Generic.987;Moved.;
A0149538.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9894;Deleted.;
A0149551.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9894;Deleted.;
A0149557.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Surfside;Incurable.Moved.;
A0149558.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Surfside;Incurable.Moved.;
A0149561.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Probably MULDROP.Trojan;Incurable.Moved.;
A0149568.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9894;Deleted.;
A0149573.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Click.1211;Deleted.;
A0149578.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Casclient;Incurable.Moved.;
A0149580.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.FContext;Incurable.Moved.;
A0149582.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.Dyfuca;Deleted.;
A0149584.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.Newads;Incurable.Moved.;
A0150569.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9894;Deleted.;
A0150581.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.WebHancer;Incurable.Moved.;
A0150582.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.WebHancer;Incurable.Moved.;
A0150583.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Adware.WebHancer;Incurable.Moved.;
A0150591.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9894;Deleted.;
A0150611.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9894;Deleted.;
A0150635.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849;Trojan.DownLoader.9894;Deleted.;
A0151634.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.9894;Deleted.;
A0151674.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.Click.1227;Deleted.;
A0151675.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.DollarRevenue;Incurable.Moved.;
A0151676.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.DollarRevenue;Incurable.Moved.;
A0151677.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.DollarRevenue;Incurable.Moved.;
A0151678.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.DollarRevenue;Incurable.Moved.;
A0151679.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.10206;Deleted.;
A0151680.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.10308;Deleted.;
A0151681.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.5013;Deleted.;
A0151694.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.9894;Deleted.;
A0151757.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DnsChange;Deleted.;
A0151781.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.9894;Deleted.;
A0151808.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.Dyfuca;Deleted.;
A0151809.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.BookedSpace;Incurable.Moved.;
A0151810.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.Mirarbar;Incurable.Moved.;
A0151811.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.BookedSpace;Incurable.Moved.;
A0151812.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.Dh;Incurable.Moved.;
A0151822.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.9894;Deleted.;
A0151838.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Probably DLOADER.Trojan;Incurable.Moved.;
A0151839.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.WebHancer;Incurable.Moved.;
A0151840.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.WebHancer;Incurable.Moved.;
A0151888.exe\data001;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151888.exe;Adware.BookedSpace;;
A0151888.exe\data003;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151888.exe;Adware.BookedSpace;;
data004\data001;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151888.exe\data004;Adware.BookedSpace;;
data004\data003;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151888.exe\data004;Adware.BookedSpace;;
data004\data004;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151888.exe\data004;Adware.BookedSpace;;
data004;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151888.exe;Archive contains infected objects;;
A0151888.exe\data005;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151888.exe;Adware.BookedSpace;;
A0151888.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Archive contains infected objects;Moved.;
A0151889.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.Popuper;Deleted.;
A0151890.exe\data001;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151890.exe;Adware.BookedSpace;;
A0151890.exe\data003;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151890.exe;Adware.BookedSpace;;
data004\data001;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151890.exe\data004;Adware.BookedSpace;;
data004\data003;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151890.exe\data004;Adware.BookedSpace;;
data004\data001;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151890.exe\data004\data004;Adware.BookedSpace;;
data004\data003;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151890.exe\data004\data004;Adware.BookedSpace;;
data004\data004;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151890.exe\data004\data004;Adware.BookedSpace;;
data004;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151890.exe\data004;Archive contains infected objects;;
data004\data005;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151890.exe\data004;Adware.BookedSpace;;
data004;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151890.exe;Archive contains infected objects;;
A0151890.exe\data005;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151890.exe;Adware.BookedSpace;;
A0151890.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Archive contains infected objects;Moved.;
A0151891.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.Enbrow;Incurable.Moved.;
A0151892.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Modification of BackDoor.Generic.987;Moved.;
A0151893.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.ZenoSearch;Incurable.Moved.;
A0151894.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.ClickSpring;Incurable.Moved.;
A0151895.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.Popuper;Deleted.;
A0151897.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.BookedSpace;Incurable.Moved.;
A0151898.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.BookedSpace;Incurable.Moved.;
A0151899.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.BookedSpace;Incurable.Moved.;
A0151900.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Modification of BackDoor.Generic.987;Moved.;
A0151902.dll;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.WebHancer;Incurable.Moved.;
A0151907.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.10155;Incurable.Moved.;
A0151909.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.10155;Incurable.Moved.;
A0151912.exe\data001;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151912.exe;Trojan.Popuper;;
A0151912.exe\data002;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151912.exe;Trojan.Popuper;;
A0151912.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Archive contains infected objects;Moved.;
A0151913.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.Surfside;Incurable.Moved.;
A0151914.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.TargetServer;Incurable.Moved.;
A0151915.exe\data001;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151915.exe;Trojan.Popuper;;
A0151915.exe\data002;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151915.exe;Trojan.Popuper;;
A0151915.exe\data004;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151915.exe;Trojan.Dyfuca;;
A0151915.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Archive contains infected objects;Moved.;
A0151916.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.3945;Deleted.;
A0151917.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.5289;Deleted.;
A0151918.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.TargetServer;Incurable.Moved.;
A0151919.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.TargetServer;Incurable.Moved.;
A0151920.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.TargetServer;Incurable.Moved.;
A0151921.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.Popuper;Deleted.;
A0151922.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.Dyfuca;Deleted.;
A0151924.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.Click.1166;Deleted.;
A0151926.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.10320;Incurable.Moved.;
A0151927.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.KillApp.30208;Deleted.;
A0151928.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.9894;Incurable.Moved.;
A0151929.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.Starter.62;Deleted.;
A0151930.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Trojan.DownLoader.9894;Deleted.;
876056.exe;C:\WINDOWS;Adware.Mirarbar;Incurable.Moved.;
asappsrv.dll;C:\WINDOWS\IA;Trojan.Proxy.493;Deleted.;
command.exe;C:\WINDOWS\IA;Trojan.Proxy.493;Deleted.;
gbe90qs.exe;C:\WINDOWS\system32;Adware.Yavak;Incurable.Moved.;
PDF0586.dll;C:\WINDOWS\system32;Adware.SafeGuard;Incurable.Moved.;
pqdsregm.exe;C:\WINDOWS\system32;Adware.ZenoSearch;Incurable.Moved.;
Runner.dll;C:\WINDOWS\system32;Adware.FCAdvice;Incurable.Moved.;
WinATS.dll;C:\WINDOWS\system32;Adware.Mirarbar;Incurable.Moved.;

And lastly here is the Panda Activescan log:


Incident Status Location

Adware:Adware/NewAds Not disinfected C:\Program Files\CleanUp!\readme.exe
Adware:Adware/MaxFiles Not disinfected C:\Program Files\ipwins\ipwins.exe
Adware:adware/sqwire Not disinfected c:\windows\system32\tsuninst.exe
Adware:adware/dollarrevenue Not disinfected c:\VSL02.exe
Adware:adware/maxifiles Not disinfected c:\program files\common files\Download
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/popper Not disinfected Windows Registry
Adware:adware/popupdefence Not disinfected Windows Registry
Adware:adware/webhancer Not disinfected Windows Registry
Adware:adware/bookedspace Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/powerstrip Not disinfected Windows Registry
Adware:adware/mirar Not disinfected Windows Registry
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/quickbar Not disinfected Windows Registry
Adware:adware/stiebar Not disinfected Windows Registry
Spyware:spyware/virtumonde Not disinfected Windows Registry
Adware:adware/gator Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
Spyware:Cookie/nCase Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@banners.searchingbooth[1].txt
Spyware:Cookie/RealMedia Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@realmedia[2].txt
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\876056.exe
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0141884.dll
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145277.exe
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145278.dll
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145279.dll
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145280.dll
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145281.dll
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145282.dll
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149294.dll
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149454.EXE
Adware:Adware/FCHelp Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149456.dll
Adware:Adware/FCHelp Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149459.dll
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149460.exe
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149466.exe
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149473.exe
Spyware:Spyware/New.net Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149474.exe
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149477.dll
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149479.exe
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149480.dll
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149483.dll
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149484.exe
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149488.exe
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149491.exe
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149492.exe
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149495.exe
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149497.dll
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149499.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149507.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149508.dll
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149557.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149558.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149561.dll
Adware:Adware/FCHelp Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149578.exe
Adware:Adware/FCHelp Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149580.exe
Spyware:Spyware/SurfSideKick Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149584.exe
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0150581.exe
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0150582.dll
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0150583.dll
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151810.dll
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151838.exe
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151839.dll
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151840.exe
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151893.exe
Adware:Adware/PurityScan Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151894.dll
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151902.dll
Virus:Trj/Clicker.QE Disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151907.exe
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151926.exe
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151928.exe
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\backup-20060617-140906-173.dll
Adware:Adware/WebHancer Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\backup-20060617-140906-375.dll
Adware:Adware/Sqwire Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\furfc.dll
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mc-110-12-0000137.exe
Adware:Adware/NewAds Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mc-110-12-0000220.exe
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\pqdsregm.exe
Adware:Adware/FCHelp Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\Runner.dll
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\WinATS.dll
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\WinDmy.dll
Adware:Adware/Zenosearch Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\ZIGID003.exe
Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Administrator\Local Settings\Temp\nsw5.tmp\nsProcess.dll
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Administrator\My Documents\HJT\backups\backup-20051205-215754-826.dll
Spyware:Cookie/Enhance Not disinfected C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt
Spyware:Cookie/GoClick Not disinfected C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt
Potentially unwanted tool:Application/HideWindow.A Not disinfected C:\hp\bin\FondleWindow.exe
Potentially unwanted tool:Application/KillApp.B Not disinfected C:\hp\bin\KillIt.exe
Adware:Adware/WebHancer Not disinfected C:\Program Files\Common Files\misc001\webhc1.exe[whAgent.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\Common Files\misc001\webhc1.exe[whInstaller.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\Common Files\misc001\webhc1.exe[whSurvey.exe]
Adware:Adware/WebHancer Not disinfected C:\Program Files\Common Files\misc001\webhc1.exe[webhdll.dll]
Adware:Adware/WebHancer Not disinfected C:\Program Files\Common Files\misc001\webhc1.exe[whiehlpr.dll]
Adware:Adware/DollarRevenue Not disinfected C:\Program Files\ipwins\Uninst.exe[²ÜÇ\nsProcess.dll]
Adware:Adware/NewAds Not disinfected C:\Program Files\Windows\WinUpdate.exe
Adware:Adware/PurityScan Not disinfected C:\Trelew.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\IA\KE.vbs
Virus:Trj/Downloader.HPZ Not disinfected C:\WINDOWS\pf78.exe[pms111x.exe]
Virus:Trj/VB.MC Not disinfected C:\WINDOWS\pf78.exe[SYSC00.exe]
Adware:Adware/FCHelp Not disinfected C:\WINDOWS\srvqdohaxb.exe[PECarlin.exe]
Adware:Adware/NewAds Not disinfected C:\WINDOWS\system32\tpuninstall.exe
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\VSL05.exe[VSL.dl_]
Adware:Adware/Deskwizz Not disinfected C:\WINDOWS\system32\VSL05.exe[auxe.exe]
There are all the logs. I await your response; thanks in advance.
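The Dr.Web and Panda reports above list well over a hundred hits, but most of them sit in Dr.Web's own quarantine folder, in System Restore points or in cookie files, where they cannot execute. The script below is an added example, not part of this thread or of either scanner: it parses both log formats (Dr.Web's `name;folder;verdict;action;` lines and Panda's `<verdict> <status> <location>` lines), buckets every hit by where it lives, and lists only the live files and registry entries no scanner has already removed or moved. The sample lines are constructed from the logs posted above; the location rules are my own heuristics and the `handled()` test assumes that any Dr.Web action containing "Moved" or "Deleted" means the object is already out of the way.

```python
"""Group scanner detections by where they sit so the live ones stand out.

Added example, not from the forum thread. It reads the two log formats
quoted above: Dr.Web CureIt's semicolon-separated lines
(name;folder;verdict;action;) and Panda ActiveScan's
"<verdict> <status> <location>" lines. Hits inside another tool's
quarantine, inside System Restore points or in cookie files are inert;
only live files and registry entries still need removal.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Sample lines, constructed from the logs posted in the thread.
DRWEB_SAMPLE = r"""
A0151891.exe;C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850;Adware.Enbrow;Incurable.Moved.;
876056.exe;C:\WINDOWS;Adware.Mirarbar;Incurable.Moved.;
asappsrv.dll;C:\WINDOWS\IA;Trojan.Proxy.493;Deleted.;
"""

PANDA_SAMPLE = r"""
Adware:Adware/NewAds Not disinfected C:\Program Files\CleanUp!\readme.exe
Adware:adware/dyfuca Not disinfected Windows Registry
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976E-EEE1-4377-8EA7-4716E4CDD239}
Spyware:Cookie/YieldManager Not disinfected C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt
Adware:Adware/Mirar Not disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\876056.exe
Virus:Trj/Clicker.QE Disinfected C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151907.exe
Adware:Adware/Look2Me Not disinfected C:\Documents and Settings\Administrator\My Documents\HJT\backups\backup-20051205-215754-826.dll
Adware:Adware/WebHancer Not disinfected C:\Program Files\Common Files\misc001\webhc1.exe[whAgent.exe]
Virus:Trj/Downloader.HPZ Not disinfected C:\WINDOWS\pf78.exe[pms111x.exe]
Adware:Adware/CommAd Not disinfected C:\WINDOWS\IA\KE.vbs
"""

PANDA_RE = re.compile(r"^(.+?)\s+(Not disinfected|Disinfected)\s+(.+)$")


@dataclass
class Detection:
    scanner: str
    verdict: str
    path: str
    action: str    # the scanner's own action/status text
    location: str  # bucket from classify()


def classify(path):
    """Bucket a detection by where the object lives (heuristic, assumption)."""
    p = path.casefold()
    if p.startswith("windows registry") or p.startswith("hkey_"):
        return "registry"
    if "\\system volume information\\" in p:
        return "restore point"
    if "\\doctorweb\\quarantine\\" in p or "\\hjt\\backups\\" in p:
        return "quarantine/backup"
    if "\\cookies\\" in p:
        return "cookie"
    return "live"


def parse_drweb(text):
    out = []
    for line in text.splitlines():
        if not line.strip():
            continue
        # Archive members have an empty action field; pad so unpacking is safe.
        name, folder, verdict, action = (line.split(";") + [""] * 4)[:4]
        full = folder + "\\" + name
        out.append(Detection("drweb", verdict, full, action, classify(full)))
    return out


def parse_panda(text):
    out = []
    for line in text.splitlines():
        m = PANDA_RE.match(line.strip())
        if not m:
            continue
        verdict, status, location = m.groups()
        # "container.exe[member]" is a member inside an archive; judge by the container.
        container = re.sub(r"\[[^\]]*\]$", "", location)
        out.append(Detection("panda", verdict, container, status, classify(container)))
    return out


def handled(action):
    """True when the scanner already removed or quarantined the object."""
    a = action.casefold()
    return not a.startswith("not ") and any(w in a for w in ("moved", "deleted", "disinfected"))


def by_location(detections):
    return Counter(d.location for d in detections)


def still_live(detections):
    """Unique live files and registry entries no scanner has dealt with yet."""
    return sorted({d.path for d in detections
                   if d.location in ("live", "registry") and not handled(d.action)})


if __name__ == "__main__":
    found = parse_drweb(DRWEB_SAMPLE) + parse_panda(PANDA_SAMPLE)
    for loc, n in by_location(found).most_common():
        print(f"{n:3d}  {loc}")
    print("still live:")
    for p in still_live(found):
        print("  " + p)
```

On the sample above the script reports six objects that still need attention (four files under Program Files and WINDOWS plus two registry entries), and the remaining hits as quarantine, restore-point or cookie noise; on the full logs it is the quickest way to see what the next fix pass actually has to remove.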
Old 06-18-2006, 02:18 AM   #7 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Where is the log produced by the BFU? The logs seem to indicate that either you failed/forgot to run it or something else prevented it from running properly. If so, I'm terribly disappointed, as this throws the sequence of the fix out of sync & will most likely trigger a re-infection.

It's important that you follow the sequence strictly

For this pass, I shall require you to run the BFU again (please refer to previous instructions)


You will need to update Ewido to the latest definition files.
Launch Ewido & click Update from the left pane
Then click on Start Update.
If you are having problems with the updater, you can use this link to manually update Ewido
When you have finished updating, EXIT Ewido.

Please download the file attached - regdel.zip
Keep it for use in SafeMode


* * * * * * * *


Reboot to Safe Mode to carry out these directions


* * * * * * UN-INSTALLING PROGRAMS * * * * * * * * * * * * * *


Go to Start -> Control Panel -> Add or Remove Programs and uninstall the following programs:
  • AXVenore
    Internet Optimizer
    PECarlin
    TClock
    WebRebates
    websearch
    spywarevanisher-free

* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll (file missing)
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll (file missing)
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll (file missing)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll (file missing)
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe



* * * * * * BATCHES / REG FIXES * * * * * * * * * * * * * * * * *


From within regdel.zip, doubleclick regdel.reg & permit it to merge into the registry



* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools -> Folder Options -> View tab.
  • Tick - 'Show hidden files and folder'
  • Untick - 'Hide file extensions for known types'
  • Untick - 'Hide protected operating system files'
  • Click Yes to confirm & then click OK
Locate and delete the following files/folders: (let me know if you fail to find/delete any)
  • C:\526_620.exe
    C:\mc-110-12-0000228.exe
    C:\Program Files\AXVenore\
    C:\Program Files\CleanUp!\readme.exe
    C:\Program Files\Common Files\Download\
    C:\Program Files\Common Files\furf\
    C:\Program Files\Common Files\InetGet\
    C:\Program Files\Common Files\misc001\
    C:\Program Files\Common Files\simtest\
    C:\Program Files\Common Files\svchostsys\
    C:\Program Files\InetGet2\
    C:\Program Files\Internet Optimizer\
    C:\Program Files\ipwins
    C:\Program Files\outlook\
    C:\Program Files\PECarlin\
    C:\Program Files\TClock
    C:\Program Files\WebRebates\
    C:\Program Files\websearch\
    C:\Program Files\Windows\
    C:\Program Files\winsupdater\
    c:\spywarevanisher-free\
    C:\SS1001.exe
    C:\stub_113_4_0_4_0.exe
    C:\stub_sca3.exe
    C:\Trelew.exe
    C:\visfx500.exe
    C:\VSL02.exe
    C:\wd7gi8n.exe
    C:\WINDOWS\gealddah.exe
    C:\WINDOWS\IA\
    C:\WINDOWS\kctyfaro.exe
    C:\WINDOWS\pf78.exe
    C:\WINDOWS\pf79.exe
    C:\WINDOWS\srvqdohaxb.exe
    C:\WINDOWS\system32\ftuninst.exe
    C:\WINDOWS\system32\gbe90qs.exe
    C:\WINDOWS\system32\nt68rrtc12.sys
    C:\WINDOWS\system32\SDRunner.dll
    C:\WINDOWS\system32\tpuninstall.exe
    C:\WINDOWS\system32\VSL05.exe
    C:\WINDOWS\system32\WinDmy.dll
    C:\WINDOWS\system32\wnsintsv.exe
    C:\WINDOWS\system32ftuninst.exe
    C:\WINDOWS\system32ssec.exe
    C:\WINDOWS\system32tfthot.exe
    C:\WINDOWS\vfumehnu.exe
    C:\WINDOWS\vvlahskc.exe
    C:\ZIGID003.exe

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Delete Cookies
4. Click OK
5. Press the CleanUp! button to start the program.
6. Do NOT reboot/logoff if prompted.

* CleanUp! will not create any backups!!


* * * * * * RUNNING ADDITIONAL SCANNERS * * * * * * * * * * *


Run Ewido with its updated definitions: (...it's important that all windows must be closed)
  • Click Scanner
  • Click Complete System Scan to begin scanning.
  • Click OK when prompted to clean files
With the first file it prompts to clean, select the option:
  • "Perform action on all infections"
  • Choose clean and click OK.
Once finished, click the Save report button & save the report to your desktop


* * * * * * REBOOT TO NORMAL MODE * * * * * * * * * * * * * *


Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


* * * * * * CHECK LIST * * * * * * * * * * * * * * * * * * * * *


In your next post, please include fresh logs from:
  • HiJackThis log
  • BFU's log
  • Fresh ComboFix log (done after doing the online scan)
  • Online Scan
  • Ewido
Most importantly, tell me how the machine is behaving now. If you did it right, it will be working well. :)
__________________

Question - what have you done for the community today?

Last edited by sUBs; 06-25-2006 at 06:27 AM.
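The HijackThis entries sUBs picks out above fall into two patterns: O2/O3 registrations whose DLL is already gone (the "(file missing)" suffix), which leave an orphaned CLSID that a dropper can re-point at a new file, and O4 Run entries that start something from a folder on the delete list. The script below is an added example, not part of sUBs's post or of HijackThis, that applies those two rules to HJT log lines automatically. The sample lines are constructed from the logs quoted in this thread, and the removal list is assumed from the folders named in the post.

```python
"""Triage HijackThis O2/O3/O4 lines against a removal list.

Added example, not part of the forum thread or of HijackThis itself. It
parses the kinds of entries sUBs asked to have fixed: BHO and toolbar
registrations whose DLL is already gone (the "(file missing)" suffix),
which leave orphaned CLSIDs behind, and Run-key entries that launch
something from a folder on the delete list. Sample lines are constructed
from the logs quoted in the thread.
"""
import re
from dataclasses import dataclass

HJT_SAMPLE = r"""
O2 - BHO: CExtension Object - {0019C3E2-DD48-4A6D-ABCD-8D32436323D9} - C:\WINDOWS\cfg32p.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O3 - Toolbar: Search - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\WINDOWS\cfg32s.dll (file missing)
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKCU\..\Run: [TClock.exe] C:\Program Files\TClock\tclock_install.exe
"""

# Folders from the delete list in the post above (assumption: matched case-insensitively).
REMOVAL_LIST = [
    r"C:\Program Files\ipwins",
    r"C:\Program Files\TClock",
    r"C:\WINDOWS\IA",
]

RE_COM = re.compile(
    r"^(O[23]) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-F-]+\}) - (.*?)( \(file missing\))?$", re.I)
RE_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]*)\] (.+)$")


@dataclass
class Finding:
    kind: str    # O2, O3 or O4
    name: str
    path: str
    reason: str


def _norm(p):
    return p.strip().rstrip("\\").casefold()


def under(path, prefix):
    """True if path equals prefix or lies beneath it (case-insensitive)."""
    path, prefix = _norm(path), _norm(prefix)
    return path == prefix or path.startswith(prefix + "\\")


def executable_of(command):
    """Strip quoting and arguments from a Run-key command line."""
    command = command.strip()
    if command.startswith('"'):
        return command[1:command.index('"', 1)]
    return re.split(r"\s+/", command, maxsplit=1)[0]


def triage(log_text, removal_list):
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RE_COM.match(line)
        if m:
            kind, name, clsid, path, missing = m.groups()
            if missing:
                findings.append(Finding(kind, name, path, f"orphaned {clsid}, DLL missing"))
            elif any(under(path, p) for p in removal_list):
                findings.append(Finding(kind, name, path, "loads from the removal list"))
            continue
        m = RE_RUN.match(line)
        if m:
            hive, name, command = m.groups()
            exe = executable_of(command)
            if any(under(exe, p) for p in removal_list):
                findings.append(Finding("O4", name, exe, f"{hive} Run entry starts from the removal list"))
    return findings


if __name__ == "__main__":
    for f in triage(HJT_SAMPLE, REMOVAL_LIST):
        print(f"{f.kind}  [{f.name}]  {f.path}  <- {f.reason}")
```

Run against the sample it reports exactly the four entries sUBs listed for fixing (the two orphaned BHOs, the Search toolbar, and the IpWins and TClock Run entries) and leaves the Adobe, AVG and Sonic lines alone; `executable_of` is what keeps a quoted path with a `/r` switch from being misread as a different file.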
Old 06-18-2006, 02:28 AM   #8 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 44
OS: Windows XP


Sorry about not posting the log from BFU, I simply overlooked it. Here is the log from BFU.

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 1:31:09 PM, on 6/17/2006

Script completed.

There, I hope this helps. Sorry for overlooking it before; I'll make sure that it doesn't happen again.
Old 06-18-2006, 02:32 AM   #9 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
 
Join Date: May 2005
Posts: 24,355
OS: N/A


No problem mate. Just wanted to ensure that everything is in order.

Please run the BFU again.

Don't worry about it. I'll get you out of this mess. :)
__________________

Question - what have you done for the community today?
Old 06-18-2006, 10:32 PM   #10 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 44
OS: Windows XP


Okay, here are all the logs that you requested, in the order that you requested them. First of all, I will list the files that I could not find when I looked for what you told me to delete.
C:\526_620.exe
C:\mc-110-12-0000228.exe
C:\Program Files\AXVenore\
C:\Program Files\CleanUp!\readme.exe
C:\Program Files\Common Files\InetGet\
C:\Program Files\Common Files\misc001\
C:\Program Files\Common Files\simtest\
C:\Program Files\Common Files\svchostsys\
C:\Program Files\InetGet2\
C:\Program Files\Internet Optimizer\
C:\Program Files\outlook\
C:\Program Files\PECarlin\
C:\Program Files\WebRebates\
C:\Program Files\websearch\
C:\Program Files\winsupdater\
C:\spywarevanisher-free\
C:\ss1001.exe
C:\stub_113_4_0_4_0.exe
C:\visfx500.exe
C:\VSL02.exe
C:\wd7gi8n.exe
C:\WINDOWS\pf79.exe
C:\WINDOWS\system32\gbe90qs.exe
C:\WINDOWS\system32\WinDmy.dll
C:\WINDOWS\system32ssec.exe
C:\ZIGID003.exe

There are the files I couldn't find, as requested. Now on to the logs; this may take 2 posts.

EDIT: I found one of the files that I had originally thought I couldn't find. I was a little confused and thought that the way it was typed meant that I would find it in the system32 folder. I realized that wasn't the case and found the file.

HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 9:29:40 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1127251276609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://coolmom58.multiply.com/photos/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{146CD15B-8821-4A8B-BD6E-00138CEFFAF8}: NameServer = 68.94.156.1,68.94.157.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe

BFU Log:

BFU v1.00.9
Windows XP SP2 (WinNT 5.01.2600 SP2)
Script started at 456 PM, on 6/18/2006

Failed: DllUnregister C:\WINDOWS\DH.dll|1 (file not found)
Failed: ServiceStop Network Monitor (service not found)
Failed: ServiceStop cmdService (service not found)
Failed: ServiceDisable Network Monitor (service not found)
Failed: ServiceDisable cmdService (service not found)
Failed: ServiceDelete Network Monitor (service not found)
Failed: ServiceDelete cmdService (service not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableRegistryTools (key not found)
Failed: RegDelValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System|DisableTaskMgr (key not found)
Failed: RegDelValue HKCU\System\CurrentControlSet\Control\Lsa|p2pnetwork (key not found)
Failed: RegDelValue HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations|LowRiskFileTypes (key not found)
Failed: RegDelValue HKCU\Microsoft\Windows\CurrentVersion\policies\Explorer\Run|WinUpdate.exe (key not found)
Option pause between commands: 300 ms
Option pause between commands: 50 ms
Failed: FolderDelete C:\Program Files\MsConfigs (folder not found)
Failed: FolderDelete C:\Program Files\winupdates (folder not found)
Failed: FolderDelete C:\Program Files\winupdate (folder not found)
Failed: FolderDelete C:\Program Files\winsupdater (folder not found)
Failed: FolderDelete C:\Program Files\MsUpdate (folder not found)
Failed: FolderDelete C:\Program Files\MsMovies (folder not found)
Failed: FolderDelete C:\Program Files\wmplayer (folder not found)
Failed: FolderDelete C:\Program Files\outlook (folder not found)
Failed: FileDelete C:\Program Files\Common Files\Windows\mc-*-*.exe (operation failed)
Failed: FolderDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\AutoIt (operation failed)
Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\IadHide4.dll (operation failed)
Failed: FileDelete C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\~DF302A.tmp (operation failed)
Failed: FolderDelete C:\Program Files\Maxifiles (folder not found)
Failed: FolderDelete C:\Program Files\DNS (folder not found)
Failed: FolderDelete C:\Program Files\EQAdvice (folder not found)
Failed: FolderDelete C:\Program Files\FCAdvice (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd1 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\FreeProd2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\InetGet2 (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\svchostsys (folder not found)
Failed: FolderDelete C:\Program Files\Common Files\VCClient (folder not found)
Failed: FolderDelete C:\Program Files\Network Monitor (folder not found)
Failed: FolderDelete C:\WINDOWS\inet20001 (folder not found)
Failed: FolderDelete C:\Program Files\Update06 (folder not found)
Failed: FolderDelete C:\Program Files\Update03 (folder not found)
Failed: FolderDelete C:\Program Files\Update04 (folder not found)
Failed: FolderDelete C:\Program Files\Update08 (folder not found)
Failed: FolderDelete C:\Program Files\W-Update (folder not found)
Failed: FolderDelete C:\Program Files\Yazzle Sudoku (folder not found)
Failed: FolderDelete C:\Program Files\Cas (folder not found)
Failed: FolderDelete C:\Program Files\CasStub (folder not found)
Failed: FolderDelete C:\Program Files\Cas2Stub (folder not found)
Failed: FolderDelete C:\Program Files\ipwins (operation failed)
Failed: FolderDelete C:\temp (folder not found)
Failed: FolderDelete C:\WINDOWS\mdrive (folder not found)
Failed: FolderDelete C:\Program Files\PECarlin (folder not found)
Failed: FolderDelete C:\Program Files\AXVenore (folder not found)
Failed: FolderDelete C:\Program Files\SDVita (folder not found)
Failed: FileMove C:\WINDOWS\win*-*.exe|C:\bintheredunthat (source file not found)
Script completed.

Fresh Combofix Log (done after online scan)

Start Time= Sun 06/18/2006 21:13:45.90

QuickScan did not find any signs of infected files

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-06-17 13:57:20 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\AVG7"
2006-06-17 13:56:58 ( .D... ) "C:\Program Files\Grisoft"
2006-06-17 13:56:10 ( .D... ) "C:\Program Files\CleanUp!"
2006-06-17 10:52:18 ( .D... ) "C:\Program Files\Common Files\partypoker"
2006-06-16 21:23:50 ( .D... ) "C:\Program Files\Lavasoft"
2006-06-16 20:39:00 45056 ( A.... ) "C:\WINDOWS\system32\tfthot.exe"
2006-06-16 20:39:00 28672 ( A.... ) "C:\WINDOWS\system32\ftuninst.exe"
2006-06-15 21:03:46 ( .D... ) "C:\Program Files\Stomp"
2006-06-15 19:32:56 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\LimeWire"
2006-06-11 12:39:42 ( .D... ) "C:\Program Files\Pando Networks"
2006-06-08 18:19:50 5967776 ( A.... ) "C:\WINDOWS\system32\MRT.exe"
2006-06-01 11:47:08 163840 ( A.... ) "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 11:47:08 27648 ( A.... ) "C:\WINDOWS\system32\jgpl400.dll"
2006-05-30 16:09:20 24576 ( A.... ) "C:\WINDOWS\Uninstall.exe"
2006-05-29 08:30:34 1494016 ( A.... ) "C:\WINDOWS\system32\shdocvw.dll"
2006-05-19 08:08:32 3052544 ( A.... ) "C:\WINDOWS\system32\mshtml.dll"
2006-05-18 21:11:34 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Incredible Ink"
2006-05-17 22:24:26 450560 ( A.... ) "C:\WINDOWS\system32\jscript.dll"
2006-05-17 11:23:38 579888 ( A.... ) "C:\WINDOWS\system32\LegitCheckControl.dll"
2006-05-15 15:00:38 ( .D... ) "C:\Program Files\ASCII"
2006-05-15 14:57:06 ( .D... ) "C:\Program Files\RPGMaker 2000"
2006-05-14 01:44:08 181248 ( A.... ) "C:\WINDOWS\system32\rasmans.dll"
2006-05-11 01:23:24 24576 ( A.... ) "C:\WINDOWS\system32\xpsp3res.dll"
2006-05-09 23:34:38 98304 ( A.... ) "C:\WINDOWS\system32\CmdLineExt.dll"
2006-05-09 22:23:04 658432 ( A.... ) "C:\WINDOWS\system32\wininet.dll"
2006-05-09 22:23:02 613888 ( A.... ) "C:\WINDOWS\system32\urlmon.dll"
2006-05-09 22:23:02 532480 ( A.... ) "C:\WINDOWS\system32\mstime.dll"
2006-05-09 22:23:02 474112 ( A.... ) "C:\WINDOWS\system32\shlwapi.dll"
2006-05-09 22:23:02 448512 ( A.... ) "C:\WINDOWS\system32\mshtmled.dll"
2006-05-09 22:23:02 146432 ( A.... ) "C:\WINDOWS\system32\msrating.dll"
2006-05-09 22:23:02 39424 ( A.... ) "C:\WINDOWS\system32\pngfilt.dll"
2006-05-09 22:23:00 1054208 ( A.... ) "C:\WINDOWS\system32\danim.dll"
2006-05-09 22:23:00 1022976 ( A.... ) "C:\WINDOWS\system32\browseui.dll"
2006-05-09 22:23:00 357888 ( A.... ) "C:\WINDOWS\system32\dxtmsft.dll"
2006-05-09 22:23:00 251392 ( A.... ) "C:\WINDOWS\system32\iepeers.dll"
2006-05-09 22:23:00 205312 ( A.... ) "C:\WINDOWS\system32\dxtrans.dll"
2006-05-09 22:23:00 151040 ( A.... ) "C:\WINDOWS\system32\cdfview.dll"
2006-05-09 22:23:00 96256 ( A.... ) "C:\WINDOWS\system32\inseng.dll"
2006-05-09 22:23:00 55808 ( ..... ) "C:\WINDOWS\system32\extmgr.dll"
2006-05-09 22:23:00 16384 ( A.... ) "C:\WINDOWS\system32\jsproxy.dll"
2006-05-06 21:04:48 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Nology"
2006-04-30 14:37:14 ( .D... ) "C:\Program Files\Security Task Manager"
2006-04-29 20:52:20 ( .D... ) "C:\Program Files\Microsoft Games"
2006-04-29 06:07:48 5533696 ( A.... ) "C:\WINDOWS\system32\wmp.dll"
2006-04-26 21:46:24 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\PlayFirst"
2006-04-26 21:46:10 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Mind Control Software"
2006-04-26 17:08:20 101792 ( A.... ) "C:\Documents and Settings\Administrator\Application Data\GDIPFONTCACHEV1.DAT"
2006-04-26 14:49:54 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Wildfire"
2006-04-25 02:20:12 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\funkitron"
2006-04-21 14:09:36 ( .D... ) "C:\Documents and Settings\Administrator\Application Data\Blippy Games"
2006-04-06 10:54:38 73728 ( A.... ) "C:\WINDOWS\system32\asuninst.exe"
2006-01-30 23:35:26 2054 ( A.... ) "C:\Program Files\INSTALL.LOG"
2004-08-18 16:01:24 2931712 ( A..H. ) "C:\Program Files\BOOTIMG.BIN"
2004-08-18 16:00:32 2048 ( A..H. ) "C:\Program Files\BOOTCAT.BIN"


((((((((((((((((((((((((((((((((((((((((((((( Reg Loading Points )))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ehTray"="C:\\WINDOWS\\ehome\\ehtray.exe"
"hpsysdrv"="c:\\windows\\system\\hpsysdrv.exe"
"HotKeysCmds"="C:\\WINDOWS\\System32\\hkcmd.exe"
"CamMonitor"="c:\\Program Files\\HP\\Digital Imaging\\Unload\\hpqcmon.exe"
"HPHmon05"="C:\\WINDOWS\\System32\\hphmon05.exe"
"KBD"="C:\\HP\\KBD\\KBD.EXE"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"AutoTKit"="C:\\hp\\bin\\AUTOTKIT.EXE"
"Recguard"="C:\\WINDOWS\\SMINST\\RECGUARD.EXE"
"PS2"="C:\\WINDOWS\\system32\\ps2.exe"
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"Sunkist2k"="C:\\Program Files\\Multimedia Card Reader\\shwicon2k.exe"
"QuickFinder Scheduler"="\"C:\\Program Files\\Corel\\WordPerfect Office 2002\\Programs\\QFSCHD100.EXE\""
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_06\\bin\\jusched.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"IpWins"="C:\\Program Files\\ipwins\\ipwins.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"BackupNotify"="c:\\Program Files\\HP\\Digital Imaging\\bin\\backupnotify.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{54D9498B-CF93-414F-8984-8CE7FDE0D391}"="ewido shell guard"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Grouper.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Grouper.lnk"
"backup"="C:\\WINDOWS\\pss\\Grouper.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\Program Files\\Grouper\\Grouper.exe -s"
"item"="Grouper"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Ati HotKey Poller"=dword:00000002


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\FOLDER.TSX
C:\WINDOWS\tasks\Symantec NetDetect.job

Completion time: Sun 06/18/2006 21:15:34.82
ComboFix ver 06.06.17 - This logfile is located at C:\ComboFix.txt


The next logs will be in the next post.

Last edited by FallenAngelSeph; 06-18-2006 at 10:38 PM.
Old 06-18-2006, 10:35 PM   #11 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 44
OS: Windows XP


Here are the last 2 logs.

Online Scan:

Sunday, June 18, 2006 9:12:48 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 19/06/2006
Kaspersky Anti-Virus database records: 201289


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\
I:\
J:\

Scan Statistics
Total number of scanned objects 135347
Number of viruses found 36
Number of infected objects 173
Number of suspicious objects 0
Duration of the scan process 01:19:30

Infected Object Name Virus Name Last Action
C:\bintheredunthat\VSL02.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\bintheredunthat\VSL02.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\bintheredunthat\VSL02.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149558.exe/InpB/Ssk.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149558.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149558.exe CAB: infected - 2 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151926.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151926.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151926.exe UPX: infected - 1 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151926.exe PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151928.exe/data0004/data0006 Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151928.exe/data0004 Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151928.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151928.exe UPX: infected - 2 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151928.exe PE_Patch.UPX: infected - 2 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mc-110-12-0000137.exe/data0004/data0006 Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mc-110-12-0000137.exe/data0004 Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mc-110-12-0000137.exe NSIS: infected - 2 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mc-110-12-0000137.exe UPX: infected - 2 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mc-110-12-0000137.exe PE_Patch.UPX: infected - 2 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mc-110-12-0000220.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.u skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mc-110-12-0000220.exe NSIS: infected - 1 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mc-110-12-0000220.exe UPX: infected - 1 skipped

C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\mc-110-12-0000220.exe PE_Patch.UPX: infected - 1 skipped

C:\Documents and Settings\Administrator\My Documents\HJT\backups\backup-20060617-140906-669.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149299.dll Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149304.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149468.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149468.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149468.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149468.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149468.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149468.exe RarSFX: infected - 5 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149500.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149502.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149502.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149502.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149502.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149502.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149502.exe RarSFX: infected - 5 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149522.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149522.exe/data0003 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149522.exe/data0006 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149522.exe/data0007 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0149522.exe NSIS: infected - 4 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0150580.exe/data0002/data0004 Infected: Trojan-Downloader.MSIL.Agent.a skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0150580.exe/data0002/data0010 Infected: Trojan.Win32.Zapchast.bl skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0150580.exe/data0002/data0011/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0150580.exe/data0002/data0011/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0150580.exe/data0002/data0011/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0150580.exe/data0002/data0011/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0150580.exe/data0002/data0011/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0150580.exe/data0002/data0011/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0150580.exe/data0002/data0011 Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0150580.exe/data0002 Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP849\A0150580.exe NSIS: infected - 10 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151788.exe/stream/data0006 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151788.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151788.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151846.exe/stream/data0002 Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151846.exe/stream Infected: not-a-virus:RiskTool.Win32.PsKill.n skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151846.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151896.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151903.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151906.exe Infected: Trojan-Downloader.MSIL.Agent.a skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151931.dll Infected: not-a-virus:AdWare.Win32.CommAd.a skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151932.exe Infected: not-a-virus:AdWare.Win32.CommAd.a skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151933.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151935.exe Infected: not-a-virus:AdWare.Win32.Mirar.d skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151936.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151938.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151939.dll Infected: not-a-virus:AdWare.Win32.CASClient.f skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151940.dll Infected: not-a-virus:AdWare.Win32.Mirar.e skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151941.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151957.exe Infected: Trojan-Downloader.MSIL.Agent.a skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0151969.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0152018.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP850\A0152032.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152079.exe/data0006 Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152079.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152079.exe UPX: infected - 1 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152079.exe PE_Patch.UPX: infected - 1 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152081.exe/data.rar/whAgent.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152081.exe/data.rar/whInstaller.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152081.exe/data.rar/whSurvey.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152081.exe/data.rar/webhdll.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152081.exe/data.rar/whiehlpr.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152081.exe/data.rar Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152081.exe RarSFX: infected - 6 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152129.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152130.exe/data0006 Infected: Trojan-Dropper.Win32.VB.mz skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152130.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152131.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152132.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152133.exe/data0002 Infected: Trojan-Downloader.Win32.VB.tw skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152133.exe/data0003 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152133.exe/data0006 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152133.exe/data0007 Infected: Trojan.Win32.VB.tg skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152133.exe NSIS: infected - 4 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152134.exe/data0002 Infected: not-a-virus:AdWare.Win32.CASClient.l skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152134.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152139.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152139.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152139.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152141.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152142.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152150.exe Infected: not-a-virus:AdWare.Win32.Mirar.d skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152151.dll Infected: not-a-virus:AdWare.Win32.Comet.c skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152152.exe Infected: Trojan-Downloader.Win32.VB.tw skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152155.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152156.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152157.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152158.dll Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152159.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.i skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152160.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152166.EXE Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152167.dll Infected: not-a-virus:AdWare.Win32.CASClient.g skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152168.dll Infected: not-a-virus:AdWare.Win32.CASClient.g skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152169.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152173.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152174.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152175.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152177.dll Infected: not-a-virus:AdWare.Win32.Agent.e skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152178.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152179.dll Infected: not-a-virus:AdWare.Win32.Agent.e skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152180.dll Infected: not-a-virus:AdWare.Win32.Agent.e skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152181.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152183.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152184.exe Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152185.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152186.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152187.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152188.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152189.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152190.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152191.exe Infected: Trojan-Downloader.Win32.VB.tw skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152192.exe Infected: not-a-virus:AdWare.Win32.SurfSide.av skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152193.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ap skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152194.exe Infected: not-a-virus:AdWare.Win32.CASClient.f skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152195.exe Infected: not-a-virus:AdWare.Win32.CASClient.l skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152196.exe Infected: not-a-virus:AdWare.Win32.CASClient.m skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152197.exe Infected: not-a-virus:AdWare.Win32.WebHancer.351 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152198.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152199.dll Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152204.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152205.dll Infected: not-a-virus:AdWare.Win32.Mirar.b skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152206.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152208.exe Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152209.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152210.exe Infected: not-a-virus:AdWare.Win32.WebHancer.381 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152211.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152212.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152214.exe Infected: Trojan-Downloader.Win32.VB.tw skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152215.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.q skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152216.dll Infected: not-a-virus:AdWare.Win32.PurityScan.en skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152217.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152218.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152219.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152220.exe Infected: Trojan-Downloader.Win32.VB.tw skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152221.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152230.dll Infected: not-a-virus:AdWare.Win32.Mirar.b skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152231.dll Infected: not-a-virus:AdWare.Win32.WebHancer.390 skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152232.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152233.dll Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152235.exe Infected: not-a-virus:AdWare.Win32.Suggestor.o skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152236.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152237.dll Infected: not-a-virus:AdWare.Win32.CASClient.f skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152238.dll Infected: not-a-virus:AdWare.Win32.Mirar.e skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152239.dll Infected: not-a-virus:AdWare.Win32.Mirar.a skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152240.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.o skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152241.exe Infected: not-a-virus:AdWare.Win32.Agent.y skipped

C:\System Volume Information\_restore{38619354-A30C-4AA1-999E-C6E4474B633E}\RP851\A0152242.exe Infected: not-a-virus:AdWare.Win32.BookedSpace.h skipped

C:\WINDOWS\system32tfthot.exe Infected: not-a-virus:AdWare.Win32.SearchAssistant.f skipped

Scan process completed.

Ewido log:

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 6:09:13 PM, 6/18/2006
+ Report-Checksum: D5A9CA18

+ Scan result:

HKLM\SOFTWARE\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Avenue Media\Internet Optimizer\Browser Helper\cf1 -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension.5 -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CLSID -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj\CurVer -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\DyFuCA_BH.BHObj.1 -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CLSID -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CurVer -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand.1 -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\DyFuCA -> Adware.MoneyTree : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Kapabout -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKLM\SOFTWARE\webhancer -> Adware.WebHancer : Cleaned with backup
HKLM\SOFTWARE\webhancer\CC -> Adware.WebHancer : Cleaned with backup
HKU\S-1-5-21-1067029911-4224258621-1110681021-500\Software\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1067029911-4224258621-1110681021-500\Software\Microsoft\Windows\CurrentVersion\Policies\AMeOpt -> Adware.InternetOptimizer : Cleaned with backup
HKU\S-1-5-21-1067029911-4224258621-1110681021-500\Software\Policies\Avenue Media -> Adware.InternetOptimizer : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@adopt.euroclick[2].txt -> TrackingCookie.Euroclick : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@anad.tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@banners.searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@searchingbooth[1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@statcounter[1].txt -> TrackingCookie.Statcounter : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstbeacon[1].txt -> TrackingCookie.Burstbeacon : Cleaned with backup
C:\Documents and Settings\Administrator\Cookies\administrator@www.burstnet[1].txt -> TrackingCookie.Burstnet : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\876056.exe -> Adware.Mirar : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0141884.dll -> Adware.Comet : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145274.exe -> Downloader.VB.tw : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145275.exe -> Downloader.Qoologic.at : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145276.dll -> Downloader.Small.ctp : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145277.exe -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145278.dll -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145279.dll -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145280.dll -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145281.dll -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0145282.dll -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149290.exe -> Downloader.TSUpdate.n : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149291.exe -> Downloader.TSUpdate.p : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149293.exe -> Downloader.TSUpdate.f : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149294.dll -> Adware.TargetServer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149305.exe -> Hijacker.StartPage.ajj : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149454.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149456.dll -> Adware.CASClient : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149459.dll -> Adware.CASClient : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149460.exe -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149463.exe -> Dropper.Small.qn : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149464.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149465.exe -> Dropper.Agent.aie : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149466.exe -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149473.exe -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149474.exe -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149476.exe -> Trojan.VB.tg : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149477.dll -> Adware.Agent : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149479.exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149480.dll -> Adware.Agent : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149483.dll -> Adware.Agent : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149484.exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149486.dll -> Downloader.Agent.ahv : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149488.exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149491.exe -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149492.exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149495.exe -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149497.dll -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149499.dll -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149507.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149508.dll -> Adware.Look2Me : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149529.exe -> Downloader.VB.tw : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149557.exe -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149561.dll -> Adware.SurfSide : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149578.exe -> Adware.CASClient : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149580.exe -> Adware.CASClient : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0149584.exe -> Adware.CASClient : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0150581.exe -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0150582.dll -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0150583.dll -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151675.exe -> Downloader.Adload.bv : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151676.exe -> Downloader.Adload.bo : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151677.exe -> Downloader.Adload.bo : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151678.exe -> Downloader.Adload.bo : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151809.dll -> Adware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151810.dll -> Adware.Mirar : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151811.dll -> Adware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151812.dll -> Downloader.Small.ctp : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151838.exe -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151839.dll -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151840.exe -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151888.exe -> Adware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151890.exe -> Adware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151891.exe -> Trojan.VB.tg : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151892.exe -> Downloader.VB.tw : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151893.exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151894.dll -> Adware.PurityScan : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151897.dll -> Adware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151898.dll -> Adware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151899.dll -> Adware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151900.exe -> Downloader.VB.tw : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151902.dll -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151909.exe -> Downloader.Small : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151912.exe -> Dropper.Mudrop.bq : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151913.exe -> Dropper.Small.qn : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151914.exe -> Downloader.TSUpdate.o : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151915.exe -> Dropper.Agent.aie : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151918.exe -> Downloader.TSUpdate.p : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151919.exe -> Downloader.TSUpdate.n : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\A0151920.exe -> Downloader.TSUpdate.f : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\backup-20060617-140906-173.dll -> Adware.Mirar : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\backup-20060617-140906-375.dll -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\backup-20060617-140906-665.dll -> Adware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\backup-20060617-140906-713.dll -> Adware.BookedSpace : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\furfc.dll -> Adware.TargetServer : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\gbe90qs.exe -> Adware.Suggestor : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\pqdsregm.exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\Runner.dll -> Adware.CASClient : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\WinATS.dll -> Adware.Mirar : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\WinDmy.dll -> Adware.Mirar : Cleaned with backup
C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\ZIGID003.exe -> Adware.ZenoSearch : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.enhance[1].txt -> TrackingCookie.Enhance : Cleaned with backup
C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned with backup
C:\Program Files\PCStitch Pro\Interop.SHDocVw.exe -> Adware.Agent : Cleaned with backup
C:\WINDOWS\jqxxgqsk.exe -> Adware.BookedSpace : Cleaned with backup


::Report End

There are the logs. The computer is running okay right now, there are hardly any popups at all. But the logs seem to indicate that it needs a little more work. I await your response. Thanks in advance.
FallenAngelSeph is offline  
Old 06-18-2006, 10:50 PM   #12 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Very good, we're almost done now. There's light at the end of the tunnel.

These are programs that will protect against future infections.

Right click on this & choose "Save As..." DelO15Domains.inf - DelO15Domains.inf
Right click on DelO15Domains.inf and choose Install. It will run immediately (you won't be able to see anything happen). You may delete the file afterwards.

SpywareBlaster 3.5.1 - Install & update SpywareBlaster with the latest definitions.
After you have updated, click the button - enable protection for all unprotected items

IE-SpyAD - Extract the contents to a new folder
From within the folder, double-click install.bat
Select Option #2 - Install the new IE-SPYAD list.
Then return to the main menu.
Select option #4 - Add the old porn sites domain


* * * * * * FIXING ENTRIES WITH HIJACKTHIS * * * * * * * * * *


Do a HijackThis scan & place a check next to these items and select "Fix checked":

O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe


* * * * * * DELETING FILES/FOLDERS * * * * * * * * * * * * * * *


Locate and delete the following files/folders: (make sure you get ALL of them)
  • C:\WINDOWS\system32tfthot.exe
  • C:\WINDOWS\system32ftuninst.exe
  • C:\bintheredunthat\
Delete the contents of this folder, leaving it empty:
  • C:\Documents and Settings\Administrator\DoctorWeb\Quarantine\

* * * * * * PURGING TEMP FOLDERS * * * * * * * * * * * * * * *


Run Cleanup! using the following configuration:

1. Click Options...
2. Set the slider initially to Standard CleanUp!
3. Uncheck the following:
  • Delete Newsgroup cache
  • Delete Newsgroup Subscriptions
  • Delete Cookies
4. Click OK
5. Press the CleanUp! button to start the program.


* * * * * *

This would clear the contents of the System Volume Information folder @System Restore's cache
Go to Start >> Run - type control sysdm.cpl,,4 & press Enter
  • Tick on the checkbox - Turn off System Restore on all drives
  • Click Apply
Turn it back 'On' by unticking the same checkbox & click OK


* * * * * *


Reboot once more before posting a fresh HijackThis log.
__________________

Question - what have you done for the community today?
sUBs is offline  
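The two report formats posted earlier in this thread (Kaspersky's "<path> Infected: <name> skipped" lines and ewido's "<path> -> <name> : Cleaned with backup" lines) reduce to a simple location summary that makes the logic of the clean-up steps above visible: hits under System Volume Information are restore-point copies (which is why System Restore is toggled off and on), hits under DoctorWeb\Quarantine are files another scanner already quarantined (which is why that folder is emptied), and only "live" hits that a scanner skipped still need manual deletion. The Python below is an example added by the editor, not code from this thread or from either scanner vendor; the sample lines are constructed in the same shape as the logs above with placeholder names and paths, and the location categories are the editor's own.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Kaspersky online-scanner style line: "<path> Infected: <detection name> <action>"
KAV_RE = re.compile(
    r"^(?P<path>.+?) Infected: (?P<name>\S+) (?P<action>skipped|deleted|disinfected)$"
)
# ewido style line: "<path or registry key> -> <detection name> : <action>"
EWIDO_RE = re.compile(r"^(?P<path>.+?) -> (?P<name>\S+) : (?P<action>.+)$")


@dataclass
class Detection:
    scanner: str    # which report format the line came from
    path: str       # file path or registry key as printed by the scanner
    name: str       # scanner's detection name
    action: str     # what the scanner did ("skipped", "Cleaned with backup", ...)
    location: str   # editor's own category, see classify_location()


def classify_location(path: str) -> str:
    """Bucket a reported path by where it lives; categories are this example's own."""
    p = path.lower()
    if p.startswith(("hklm\\", "hkcu\\", "hku\\")):
        return "registry"
    if "\\system volume information\\_restore" in p:
        return "system-restore"      # restore-point copy, cleared by toggling System Restore
    if "\\quarantine\\" in p:
        return "av-quarantine"       # already isolated by another scanner
    if "\\cookies\\" in p:
        return "cookie"
    return "live"                    # anything else is on the running system


def parse_report(text: str) -> List[Detection]:
    """Parse either report format; header/footer lines that match neither are ignored."""
    found: List[Detection] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KAV_RE.match(line)
        if m:
            found.append(Detection("kaspersky", m["path"], m["name"], m["action"],
                                   classify_location(m["path"])))
            continue
        m = EWIDO_RE.match(line)
        if m:
            found.append(Detection("ewido", m["path"], m["name"], m["action"],
                                   classify_location(m["path"])))
    return found


def summarize_by_location(dets: List[Detection]) -> Dict[str, int]:
    """Count detections per location bucket."""
    return dict(Counter(d.location for d in dets))


def needs_manual_action(dets: List[Detection]) -> List[str]:
    """Live-system hits the scanner reported but did not remove: the manual-delete list."""
    return [d.path for d in dets if d.location == "live" and d.action == "skipped"]


# Constructed sample input modelled on the log formats in the thread; placeholder names only.
SAMPLE_KAV = r"""
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000001.dll Infected: not-a-virus:AdWare.Win32.Sample.a skipped
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP1\A0000002.exe Infected: Trojan-Downloader.Win32.Sample.b skipped
C:\WINDOWS\system32\sample_live.exe Infected: not-a-virus:AdWare.Win32.Sample.c skipped
Scan process completed.
"""

SAMPLE_EWIDO = r"""
HKLM\SOFTWARE\Classes\Sample.Extension -> Adware.Sample : Cleaned with backup
C:\Documents and Settings\User\Cookies\user@tracker.example[1].txt -> TrackingCookie.Example : Cleaned with backup
C:\Documents and Settings\User\DoctorWeb\Quarantine\A0000001.dll -> Adware.Sample : Cleaned with backup
C:\WINDOWS\sample_dropper.exe -> Adware.Sample : Cleaned with backup
::Report End
"""

if __name__ == "__main__":
    detections = parse_report(SAMPLE_KAV) + parse_report(SAMPLE_EWIDO)
    for location, count in sorted(summarize_by_location(detections).items()):
        print(f"{location:16s} {count}")
    print("still needs manual deletion:", needs_manual_action(detections))
```

Run on the sample, the summary shows two restore-point copies, one quarantined file, one registry key, one cookie and two live hits; only the live hit that Kaspersky "skipped" appears in the manual-deletion list, because ewido already cleaned the other one.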
Old 06-18-2006, 11:15 PM   #13 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 44
OS: Windows XP


Okay, I have a problem here. After the reboot, when I was going to post up the HJT log, the computer fully loaded, but the mouse won't move at all. The keyboard works fine so it isn't frozen, the mouse just will not do anything though. Do you have any advice for this problem? I followed all the steps you outlined, and have no clue what is going on. BTW I am posting this from a different computer.
FallenAngelSeph is offline  
Old 06-18-2006, 11:20 PM   #14 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Reboot once more. Let me know if that happens again
sUBs is offline  
Old 06-18-2006, 11:24 PM   #15 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 44
OS: Windows XP


Well, I rebooted it twice after the initial and it seems to be working fine once again. Here is the fresh HJT log you requested.

Logfile of HijackThis v1.99.1
Scan saved at 10:22:47 PM, on 6/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Multimedia Card Reader\shwicon2k.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\drivers\CDAC11BA.EXE
C:\WINDOWS\ehome\ehSched.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ewido anti-malware\ewidoguard.exe
C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\ehome\ehmsas.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Administrator\My Documents\HJT\HijackThis.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\HP\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [CamMonitor] c:\Program Files\HP\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [AutoTKit] C:\hp\bin\AUTOTKIT.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Sunkist2k] C:\Program Files\Multimedia Card Reader\shwicon2k.exe
O4 - HKLM\..\Run: [QuickFinder Scheduler] "C:\Program Files\Corel\WordPerfect Office 2002\Programs\QFSCHD100.EXE"
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {200B3EE9-7242-4EFD-B1E4-D97EE825BA53} (VerifyGMN Class) - http://h20270.www2.hp.com/ediags/gmn...taller_gmn.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1127251276609
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://coolmom58.multiply.com/photos/uploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{146CD15B-8821-4A8B-BD6E-00138CEFFAF8}: NameServer = 68.94.156.1,68.94.157.1
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido anti-malware\ewidoguard.exe
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
FallenAngelSeph is offline  
Old 06-18-2006, 11:45 PM   #16 (permalink)
Asst Manager Security, Expert Analyst, Moderator, Security Team; Rangemaster, Moderator, TSF Academy
 
sUBs's Avatar
 
Join Date: May 2005
Posts: 24,355
OS: N/A


Normally at this juncture, I would declare you clean.

But in consideration of your recent issue with the hanging mouse, I would like you to come back in 1-2 days time to let me know if there are still any other issues.
sUBs is offline  
Old 06-20-2006, 10:17 PM   #17 (permalink)
Registered User
 
Join Date: Mar 2006
Posts: 44
OS: Windows XP


The computer is working fine now; the mouse problem seemed like a temporary problem. There has been nothing popping up and the machine has been working great. I have one more question. This computer that had the problem belongs to my mom, and I have been the one posting and doing the fixes. She likes to download stuff and was using p2p programs to download stuff. Well, I had told her that most p2p programs have spyware packaged with them or something like that. She wanted to know if there are any safe p2p programs to use that she can download from.
FallenAngelSeph is offline  
Old 06-22-2006, 07:44 PM   #18 (permalink)
Analyst, Security Team
Join Date: Jul 2004
Location: New York
Posts: 14,331
OS: Windows 98 & Windows XP Home/Pro


We will not recommend any p2p programs here since they can help contribute to these problems...even if they don't come bundled with it. You don't know who you are downloading from.
greyknight17 is offline  
Copyright 2001 - 2009, Tech Support Forum
