
Discussion Starter · #1 ·
I'm pretty sure I have a trojan (or more than one). On my taskbar next to the clock I have 2 icons, both telling me that my computer is infected, and when you click either one of them they automatically download a registry cleaner that asks for money, so I'm guessing that that is the problem.

Logfile of HijackThis v1.99.1
Scan saved at 8:57:08 PM, on 1/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
C:\Program Files\Logitech\Easy Synchronization\LogitechEasySync.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctpmon.exe
C:\WINDOWS\system32\ctpmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\msiexec.exe
C:\PROGRA~1\WINZIP\winzip32.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\Corey\Local Settings\Temp\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.3:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
R3 - URLSearchHook: (no name) - - (no file)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvvaf.dll,startup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\itluxhys.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O18 - Protocol: bw+0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CacheBoost Performance Optimizer and Tuner Service (CacheBoost Service) - Unknown owner - C:\Program Files\CacheBoost\cbsrv.exe (file missing)
O23 - Service: Client IP-IPX - Unknown owner - -e,mc-110-12-0000272, (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
 

Hello chatcher

There are at least two infections working here, one of which may be hidden from HJT; the other is a new variant of an old infection.

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

We would like you to upload a file before we clean your system; this will help us immensely in the fight against malware.

===================

Please download the Suspicious file Packer from Safer-Networking.Org and unzip it to your desktop.

Run SFP.exe.

Please copy the following lines into the Step 1: Paste Text window:

C:\WINDOWSSYSTEM32ctpmon.exe

then click "Continue".

This will create a .cab file on your desktop named requested-files[Date/Time].cab

Next, please visit TheSpyKillers forum HERE

Read the first topic for instructions on uploading files then start a new Topic, Title it ctpmon.exe for S!Ri, post a link to this thread and upload the requested files.cab archive from your desktop.

===============================================

Before proceeding any further, please create a new directory - C:\PROGRAM FILES\HIJACKTHIS\
Re-locate your HijackThis files to the new directory
===============================================

I'd like you to rename HijackThis.exe to chatcher.exe.

* Navigate to C:\PROGRAM FILES\HIJACKTHIS\
* Right click on HijackThis.exe
* Select 'Rename'
* Type in chatcher.exe.
* Press Enter.

Please post a fresh log from chatcher.exe here.
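The helper's reply above is based on reading the R/O entries and the process list in the HijackThis log by eye. As an added example (not code from this thread, from the helper, or from the HijackThis project), the script below parses that same line format and flags the categories of entry a reviewer normally looks at first: an image running more than once that is not a known multi-instance host, a start/search page pointing at an untrusted host, an unnamed BHO loading a DLL from system32, an autorun entry that uses rundll32 to load a system32 DLL or has no path at all, and a MIME filter with no CLSID or file. The sample log is constructed from a few lines in the thread's format, and the heuristics and the trusted-host list are assumptions for the example; a finding means "review this entry", not "this entry is malware".

```python
"""Heuristic triage of a HijackThis-style log (added example)."""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample modelled on the thread's log format (not the user's full log).
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
Scan saved at 8:57:08 PM, on 1/25/2007

Running processes:
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctpmon.exe
C:\WINDOWS\system32\ctpmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://example.invalid/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {63DEC027-FB23-462C-8C0D-BFC2433999E7} - C:\WINDOWS\system32\ddcdaxv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvvaf.dll,startup
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O18 - Filter: text/html - (no CLSID) - (no file)
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # short tag for the heuristic that fired
    line: str    # the log line (or process name) it fired on
    reason: str  # why a reviewer should look at it


# Images Windows legitimately runs as several instances; duplicates are not flagged.
MULTI_INSTANCE = {"svchost.exe", "explorer.exe"}
# Assumed: hosts the reviewer accepts as IE start/search pages.
DEFAULT_TRUSTED_HOSTS = frozenset({"go.microsoft.com"})

ENTRY_RE = re.compile(r"^(?P<code>[RO]\d+) - (?P<body>.+)$")
SYSTEM32_DLL_RE = re.compile(r"\\system32\\[a-z0-9_]+\.dll", re.IGNORECASE)


def parse(log_text):
    """Return (process paths, [(code, body, full line), ...]) from a log."""
    processes, entries, in_procs = [], [], False
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:                      # blank line ends the process block
            in_procs = False
            continue
        if line == "Running processes:":
            in_procs = True
            continue
        if in_procs:
            processes.append(line)
            continue
        m = ENTRY_RE.match(line)
        if m:
            entries.append((m.group("code"), m.group("body"), line))
    return processes, entries


def triage(log_text, trusted_hosts=DEFAULT_TRUSTED_HOSTS):
    """Apply the review heuristics and return a list of Finding objects."""
    processes, entries = parse(log_text)
    findings = []

    # 1. Same image running more than once, excluding known multi-instance hosts.
    counts = {}
    for path in processes:
        name = path.rsplit("\\", 1)[-1].lower()
        counts[name] = counts.get(name, 0) + 1
    for name, count in counts.items():
        if count > 1 and name not in MULTI_INSTANCE:
            findings.append(Finding("dup-process", name,
                                    f"{count} instances running; confirm the image is expected"))

    for code, body, line in entries:
        # 2. Browser start/search page whose host is not in the trusted set.
        if code in ("R0", "R1") and " = http" in body:
            host = urlparse(body.split("=", 1)[1].strip()).hostname
            if host and host not in trusted_hosts:
                findings.append(Finding("homepage", line, f"start/search page points at {host}"))
        # 3. Browser Helper Object with no name loading a DLL from system32.
        elif code == "O2" and "(no name)" in body and SYSTEM32_DLL_RE.search(body):
            findings.append(Finding("unnamed-bho", line, "unnamed BHO loads a DLL from system32"))
        # 4. Run key: rundll32 loading a system32 DLL, or a command with no path.
        elif code == "O4" and "Run:" in body:
            cmd = body.split("]", 1)[1].strip() if "]" in body else body
            if "rundll32" in cmd.lower() and SYSTEM32_DLL_RE.search(cmd):
                findings.append(Finding("rundll32-run", line, "autorun uses rundll32 to load a system32 DLL"))
            elif "\\" not in cmd and not cmd.startswith('"'):
                findings.append(Finding("unqualified-run", line, "autorun command has no path; resolved by search order"))
        # 5. MIME filter registered without a CLSID or file.
        elif code == "O18" and body.startswith("Filter:") and "(no CLSID)" in body:
            findings.append(Finding("orphan-filter", line, "filter registered without CLSID or file"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n    {f.line}")
```

Run stand-alone it prints six findings for the constructed sample; passing a wider `trusted_hosts` set suppresses the start-page finding. The unqualified-path check is deliberately noisy (it also fires on legitimate entries such as `nwiz.exe /install`), which is the right trade-off for a review aid whose output a person reads.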
 

Sorry chatcher

Below is the file to upload

Please copy the following lines into the C:\WINDOWS\system32\ctpmon.exewindow:
C:\WINDOWS\system32\ctpmon.exe
 

Discussion Starter · #4 ·
Logfile of HijackThis v1.99.1
Scan saved at 11:53:31 AM, on 1/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\ctpmon.exe
C:\WINDOWS\system32\ctpmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.8472\GoogleToolbarNotifier.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Corey\Local Settings\Temp\sfp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\chatcher.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sex.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.3:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {63DEC027-FB23-462C-8C0D-BFC2433999E7} - C:\WINDOWS\system32\ddcdaxv.dll
O2 - BHO: (no name) - {759433CD-88B6-4AF8-85B2-43425C3D9F1F} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {7D81B793-84F5-4AC5-844C-5A181062D012} - C:\WINDOWS\system32\vturr.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\qkjpmbuc.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {DBEBCBE3-D56B-4F9D-A7E2-E6D3620FAC06} - C:\WINDOWS\system32\gebyw.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvvaf.dll,startup
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\itluxhys.dll",setvm
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ctpmon] ctpmon.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O18 - Protocol: bw+0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw+0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: ddcdaxv - C:\WINDOWS\SYSTEM32\ddcdaxv.dll
O20 - Winlogon Notify: gebyw - C:\WINDOWS\system32\gebyw.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CacheBoost Performance Optimizer and Tuner Service (CacheBoost Service) - Unknown owner - C:\Program Files\CacheBoost\cbsrv.exe (file missing)
O23 - Service: Client IP-IPX - Unknown owner - -e,mc-110-12-0000272, (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe (file missing)
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - Unknown owner - C:\WINDOWS\system32\oodag.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
 

Registered · 2,009 Posts
Hello chatcher

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.


===============================================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

=================

Please download SmitfraudFix (by S!Ri) to your Desktop.

=================

Download and install CleanUp!
NOTE: CleanUp! deletes EVERYTHING out of your temp/temporary folders, it does not make backups. If you have any documents or programs that are saved in any Temporary Folders, make a backup of these before running CleanUp!. Do NOT run this program if you have XP Professional 64 bit edition. If you're unsure please do not run it! If you don't already know, you're probably not using XP64, but you can download & run this tool to find out for sure.....http://www.kellys-korner-xp.com/regs_edits/xp_whichcpu.exe

=================

Download AVG Anti-Spyware from HERE
This is a 30 day trial of the program
  • Install AVG Anti-Spyware
  • Double-click the icon on Desktop to launch AVG Anti-Spyware
You will need to update AVG Anti-Spyware to the latest definition files.
  • On the top of the main screen click Shield
  • Click the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed.
  • Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
  • Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
  • Under "Reports"
    • Select "Automatically generate report after every scan"
    • Un-Select "Only if threats were found"
When you have finished updating, EXIT AVG Anti-Spyware. Do Not run a scan just yet, we will shortly.

=================

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**



=================

Close any open browsers.


=================




Go to <<Start>> then <<Run>> then copy/paste the following red text into the Run box then click OK

"%userprofile%\desktop\combofix.exe" /v itluxhys qkjpmbuc vturr gebya ddcdaxv gebyw


When finished, it shall produce a log for you. We'll need that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

===============================================

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). In some systems, this may be the F5 key, so try that if F8 doesn't work. Login on your usual account. Make sure to close any open browsers.

===============================================

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :



R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sex.com/
R3 - URLSearchHook: (no name) - - (no file)
O2 - BHO: (no name) - {63DEC027-FB23-462C-8C0D-BFC2433999E7} - C:\WINDOWS\system32\ddcdaxv.dll
O2 - BHO: (no name) - {759433CD-88B6-4AF8-85B2-43425C3D9F1F} - C:\WINDOWS\system32\gebya.dll (file missing)
O2 - BHO: (no name) - {7D81B793-84F5-4AC5-844C-5A181062D012} - C:\WINDOWS\system32\vturr.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\qkjpmbuc.dll
O2 - BHO: (no name) - {DBEBCBE3-D56B-4F9D-A7E2-E6D3620FAC06} - C:\WINDOWS\system32\gebyw.dll
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\itluxhys.dll",setvm
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://arcade.icq.com/carlo/zuma/popcaploader_v5.cab

Put a tick next to all of the below except the ones in Green

O18 - Protocol: bw+0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll

O18 - Protocol: bw+0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw-0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw00s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw10s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw20s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw30s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw40s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw50s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw60s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw70s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw80s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bw90s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwa0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwb0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwc0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwd0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwe0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwf0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: bwg0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwg0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwh0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwi0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwj0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwk0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwl0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwm0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwn0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwo0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwp0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwq0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwr0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bws0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwt0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwu0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwv0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bww0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwx0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwy0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwz0s - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll


Please remember to close all other windows, including browsers then click Fix checked.


=================

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry?" answer Yes by typing Y and hit Enter.
The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C:\ (C:\rapport.txt) or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

=================

Clean out your Temporary Internet files.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programs menu). Set the program up as follows:
*Click "Options..."
*Move the arrow down to "Custom CleanUp!"
*Put a check next to the following:
  • Empty Recycle Bins
  • Delete Cookies
  • Delete Prefetch files
  • Cleanup! All Users
  • Click on the “Temporary Files” and uncheck the box for “Scan drives for file matching” if it’s checked.
Click OK
Press the CleanUp! button to start the program. Once it's finished Cleanup will ask you to logoff/reboot. Please select NO as we will do this later.

=================

Next Click Start, click Control Panel and then double-click Display. Click on the Desktop tab, then click the Customize Desktop button. Click on the Web tab. Under Web Pages you should see a checked entry called Security info or something similar. If it is there, select that entry and click the Delete button. Click Ok then Apply and Ok.

Empty the Recycle Bin by right-clicking the Recycle Bin icon on your Desktop, and then clicking Empty Recycle Bin.

=================

Close ALL open Windows / Programs / Folders. Run AVG Anti-Spyware with its updated definitions (it's important that all windows are closed):
  • Click Scanner
  • Click on the Scan tab
  • Click Complete System Scan to begin scanning.
    Once the scan is complete do the following:
  • If you have any infections you will be prompted, then select "Apply all actions"
  • Once finished, click the Save report button, then click Save Report As and save it to your desktop. (make sure to remember where you saved that file, this is important).

===============================================

REBOOT TO NORMAL MODE

=================

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #3 - Delete Trusted zone by typing 3 and press Enter
Answer Yes to the question "Restore Trusted Zone ?" by typing Y and hit Enter.

Note, if you use SpywareBlaster and/or IE-SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE-SPYAD, run the batch file and reinstall the protection.


=================

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on
    located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on
    then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


=================

Run combofix once again in the following manner:

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


=================

Please Run a scan with HiJackThis and save the log

===============================================

In your next post, please include fresh logs from:
  1. combofix2.txt
  2. C:\rapport.txt (log from the tool)
  3. AVG Anti-Spyware's Log
  4. Online scan
  5. combofix.txt
  6. HiJackThis
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now.
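The fix list above singles out particular kinds of HijackThis entries. As an added example (not part of HijackThis, and not the helper's own selection criteria), the following Python script parses HijackThis entry lines and applies a few narrow, explicit heuristics to surface the same kinds of lines: entries whose file is missing, browser add-ons with no name, Winlogon Notify handlers outside a known-good list, and Run entries that launch rundll32 on a DLL from system32. The sample log lines are copied from the log in this thread; the known-good handler list and the heuristics themselves are the example's own assumptions, and anything they do not flag (the hijacked start page, for instance) is still left to a human reading the log.

```python
"""Triage a HijackThis log with simple, explicit heuristics.

Added example for this thread, not part of HijackThis or of the helper's
post. The allowlist and the sample lines are constructed for the example.
"""
import re

# Sample entry lines copied from the log posted in the thread (trimmed).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {63DEC027-FB23-462C-8C0D-BFC2433999E7} - C:\WINDOWS\system32\ddcdaxv.dll
O2 - BHO: (no name) - {759433CD-88B6-4AF8-85B2-43425C3D9F1F} - C:\WINDOWS\system32\gebya.dll (file missing)
O3 - Toolbar: (no name) - {C1B4DEC2-2623-438e-9CA2-C9043AB28508} - (no file)
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\itluxhys.dll",setvm
O18 - Protocol: bw00 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: ddcdaxv - C:\WINDOWS\SYSTEM32\ddcdaxv.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: O&O Defrag - Unknown owner - C:\WINDOWS\system32\oodag.exe (file missing)
"""

# Every HijackThis entry starts with a section code (R0, F2, O23 ...) and " - ".
ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d+) - (?P<body>.*)$")
# Winlogon Notify handlers accepted as known-good in this example (constructed allowlist).
KNOWN_WINLOGON = {"wgalogon", "lbtwlgn"}
# rundll32 invoked on a DLL that lives under system32, quoted or not.
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\\system32\\[^",]+\.dll)"?', re.I)


def parse_entries(text):
    """Return a list of (code, body) tuples, one per HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def triage(text):
    """Return (reason, line) pairs that deserve a human's attention."""
    flagged = []
    for code, body in parse_entries(text):
        line = f"{code} - {body}"
        low = body.lower()
        if "(file missing)" in low or "(no file)" in low:
            # A registration whose target is gone: dead weight, or a removed payload.
            flagged.append(("file missing", line))
        elif code in ("O2", "O3") and "(no name)" in low:
            # Legitimate BHOs and toolbars almost always carry a display name.
            flagged.append(("unnamed browser add-on", line))
        elif code == "O20":
            # "Winlogon Notify: <handler> - <dll>"; anything off the allowlist is flagged.
            handler = body.split(":", 1)[1].split(" - ")[0].strip().lower()
            if handler not in KNOWN_WINLOGON:
                flagged.append(("unknown winlogon notify handler", line))
        elif code == "O4" and RUNDLL_RE.search(body):
            # A logon Run entry that loads an arbitrary system32 DLL through rundll32.
            flagged.append(("rundll32 loading a system32 dll at logon", line))
    return flagged


if __name__ == "__main__":
    for reason, line in triage(SAMPLE_LOG):
        print(f"[{reason}] {line}")
```

Run on the sample, the script flags six of the nine entries and leaves the ATI service, the Logitech protocol handler and the WgaLogon handler alone; the point is that each flag states its reason, so the person reading the log can overrule it.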
 

Registered · 11 Posts · Discussion Starter · #6
The only one I could download was CleanUp; all of the other links you gave me came up as an error loading page.

I am 100% sure I am connected to my internet; everything is working fine except those links. I am using Firefox, but I tried it on IE also (if that makes any difference). I have restarted also..... Still no luck.

I did get clean up though. Stuck there.
 

Registered · 2,009 Posts
Hi chatcher,

I have tried the links just now and they worked fine for me.
Please try them again, and in the meantime I will research the problem.

Regards,

alba
 

TSF Security Manager, Emeritus · 42,836 Posts
Hello chatcher,

Please navigate to the following file, open it with Notepad (or WordPad if the file is too large) and copy/paste the contents here.

C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
 

Registered · 11 Posts · Discussion Starter · #9 ·
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
# 102.54.94.97 rhino.acme.com # source server
# 38.25.63.10 x.acme.com # x client host

127.0.0.1 localhost
127.0.0.1 forums.techguy.org
127.0.0.1 www.castlecops.com
127.0.0.1 castlecops.com
127.0.0.1 siri.urz.free.fr
127.0.0.1 www.spywareinfo.dk
127.0.0.1 spywareinfo.dk
127.0.0.1 www.superantispyware.com
127.0.0.1 superantispyware.com
127.0.0.1 www.compu-docs.com
127.0.0.1 compu-docs.com
127.0.0.1 download.bleepingcomputer.com
127.0.0.1 www.bleepingcomputer.com
127.0.0.1 bleepingcomputer.com
127.0.0.1 www.greyknight17.com
127.0.0.1 greyknight17.com
127.0.0.1 help.lockergnome.com
127.0.0.1 cleanup.stevengould.org
127.0.0.1 stevengould.org
127.0.0.1 www.depannetonpc.net
127.0.0.1 depannetonpc.net
127.0.0.1 forums.techguy.org
127.0.0.1 www.castlecops.com
127.0.0.1 castlecops.com
127.0.0.1 siri.urz.free.fr
127.0.0.1 www.spywareinfo.dk
127.0.0.1 spywareinfo.dk
127.0.0.1 www.superantispyware.com
127.0.0.1 superantispyware.com
127.0.0.1 www.compu-docs.com
127.0.0.1 compu-docs.com
127.0.0.1 download.bleepingcomputer.com
127.0.0.1 www.bleepingcomputer.com
127.0.0.1 bleepingcomputer.com
127.0.0.1 www.greyknight17.com
127.0.0.1 greyknight17.com
127.0.0.1 help.lockergnome.com
127.0.0.1 cleanup.stevengould.org
127.0.0.1 stevengould.org
127.0.0.1 www.depannetonpc.net
127.0.0.1 depannetonpc.net
127.0.0.1 forums.techguy.org
127.0.0.1 www.castlecops.com
127.0.0.1 castlecops.com
127.0.0.1 siri.urz.free.fr
127.0.0.1 www.spywareinfo.dk
127.0.0.1 spywareinfo.dk
127.0.0.1 www.superantispyware.com
127.0.0.1 superantispyware.com
127.0.0.1 www.compu-docs.com
127.0.0.1 compu-docs.com
127.0.0.1 download.bleepingcomputer.com
127.0.0.1 www.bleepingcomputer.com
127.0.0.1 bleepingcomputer.com
127.0.0.1 www.greyknight17.com
127.0.0.1 greyknight17.com
127.0.0.1 help.lockergnome.com
127.0.0.1 cleanup.stevengould.org
127.0.0.1 stevengould.org
127.0.0.1 www.depannetonpc.net
127.0.0.1 depannetonpc.net
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy



+ This is what Firefox says:

Unable to connect

Firefox can't establish a connection to the server at help.lockergnome.com.

* The site could be temporarily unavailable or too busy. Try again in a few moments.

* If you are unable to load any pages, check your computer's network connection.

* If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
 

TSF Security Manager, Emeritus · 42,836 Posts
Thank you.

Download HostsXpert v3.7

Extract all files and double click HostsXpert.exe.
  • In the 'Editing Tools' section, click "Make Hosts Writable?" in the upper right corner (If available).
  • Just below, you will see the 'Backup and Restore' section. Click Restore Microsoft's Hosts File.
  • Click File>Exit

You should now be able to download the tools necessary to carry out the fix. Please continue with the steps in the order previously provided by alba.
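The hosts file posted above and the HostsXpert restore step come down to one check: apart from localhost, every name mapped to 127.0.0.1 (or 0.0.0.0) in that file is a sinkhole, which is why the download links "errored" while the rest of the web worked, and each security-site name was appended three times. The Python below is an added example, not code from the thread, HostsXpert or Microsoft. It parses a hosts file, lists the sinkholed names with the lines they occur on, and produces a cleaned copy that keeps the comments and only the legitimate loopback names, which is what the stock XP file contains (the comment header plus `127.0.0.1 localhost`). Function names and the sample are mine; the sample is a shortened copy of the file posted in the thread.

```python
"""Detect and strip hosts-file sinkholing of the kind shown in the posted file.

Added example: function names and the sample excerpt are assumptions, not
anything from the thread or from HostsXpert.
"""
import ipaddress

# Names that legitimately map to loopback in a stock hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}

# Constructed sample: a trimmed copy of the posted
# C:\WINDOWS\system32\drivers\etc\hosts (the real one repeated the block 3x).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
# 102.54.94.97 rhino.acme.com # source server

127.0.0.1 localhost
127.0.0.1 forums.techguy.org
127.0.0.1 download.bleepingcomputer.com
127.0.0.1 www.bleepingcomputer.com
127.0.0.1 help.lockergnome.com
127.0.0.1 forums.techguy.org
127.0.0.1 download.bleepingcomputer.com
# Start of entries inserted by Spybot - Search & Destroy
# End of entries inserted by Spybot - Search & Destroy
"""


def parse_line(raw: str):
    """Return (ip, [names]) for a mapping line, or None for comments, blanks and junk."""
    body = raw.split("#", 1)[0].strip()      # drop trailing comments
    if not body:
        return None
    fields = body.split()
    try:
        ip = ipaddress.ip_address(fields[0])
    except ValueError:
        return None                          # not a mapping line; leave it alone
    return ip, fields[1:]


def find_sinkholed(text: str) -> dict:
    """Map each hostname pointed at loopback or 0.0.0.0 (other than the local
    names) to the 1-based line numbers where that happens; repeats show up as
    several line numbers for one name."""
    hits = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        ip, names = parsed
        if not (ip.is_loopback or ip.is_unspecified):
            continue                         # a redirect elsewhere, not a sinkhole
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                hits.setdefault(name.lower(), []).append(lineno)
    return hits


def clean_hosts(text: str) -> str:
    """Return the file with sinkhole names removed. Comments, blanks and
    non-loopback mappings are kept verbatim; a loopback line keeps only its
    local names and is dropped entirely if none remain."""
    kept = []
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            kept.append(raw)
            continue
        ip, names = parsed
        if ip.is_loopback or ip.is_unspecified:
            names = [n for n in names if n.lower() in LOCAL_NAMES]
            if not names:
                continue                     # line existed only to sinkhole; drop it
            raw = f"{ip} {' '.join(names)}"
        kept.append(raw)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    for name, lines in sorted(find_sinkholed(SAMPLE_HOSTS).items()):
        print(f"{name:35s} sinkholed on line(s) {lines}")
    print("--- cleaned ---")
    print(clean_hosts(SAMPLE_HOSTS), end="")
```

Two caveats. The heuristic also fires on ad-blocking hosts lists, which map names to 0.0.0.0 or 127.0.0.1 on purpose; what marks this file as hostile is which names are blocked (malware-removal forums and tool download sites) and that the block repeats. On Windows the file is usually read-only, which is what HostsXpert's "Make Hosts Writable?" button is for, so clear the attribute (`attrib -r`) before writing a cleaned copy back, and look at the file again after the reboot that follows the rest of the fix: while whatever wrote those entries is still starting with Windows, it can simply rewrite them.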
 

Registered · 11 Posts · Discussion Starter · #11 ·
OK, done.

The icons on the side are gone; that was the main problem and that seems to be fixed now.

Still a little slow on the boot; it takes about 2 min to get going at normal speed.

The only problem I had was with the Panda online scan. I got to the scan part where you wanted me to select My Computer; when I selected it, it said "error on page" and reloaded.

Here are the logs in the order you gave me.

"Corey" - 07-02-03 12:12:54 Service Pack 2
ComboFix 07.02.02 - Running from: "C:\Documents and Settings\Corey\Desktop"

((((((((((((((((((((((((((((((( Files Created from 2007-01-03 to 2007-02-03 ))))))))))))))))))))))))))))))))))


2007-02-03 12:06 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-02-03 12:05 <DIR> d-------- C:\WINDOWS\LastGood
2007-02-03 10:12 2,032 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-03 09:53 <DIR> d-------- C:\WINDOWS\ERDNT
2007-02-03 09:20 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-02 19:14 118,804 --a------ C:\WINDOWS\system32\pmbibewl.dll
2007-02-02 12:05 76,412 --a------ C:\WINDOWS\system32\leoruxoy.dll
2007-02-02 12:00 <DIR> d-------- C:\Program Files\Handheld CE Services
2007-02-01 23:11 <DIR> d-------- C:\Program Files\MySpace
2007-02-01 23:11 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\MySpace
2007-02-01 19:33 76,412 --a------ C:\WINDOWS\system32\ylepptpa.dll
2007-01-31 09:08 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-30 22:23 76,412 --a------ C:\WINDOWS\system32\irthvwrp.dll
2007-01-30 20:56 118,804 --a------ C:\WINDOWS\system32\ngxsfyxp.dll
2007-01-29 20:01 44,165 --a------ C:\WINDOWS\system32\qeswuoqb.dll
2007-01-26 20:39 30,208 --a--c--- C:\jtwbjak.exe
2007-01-26 20:39 0 --a--c--- C:\iamhj.exe
2007-01-26 20:35 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Macrovision
2007-01-26 20:31 286,720 --a------ C:\WINDOWS\iun506.exe
2007-01-26 20:31 <DIR> d-------- C:\Program Files\GIF Movie Gear
2007-01-26 20:28 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2007-01-25 20:07 <DIR> d-------- C:\Program Files\HijackThis
2007-01-24 21:20 353 ---hs---- C:\WINDOWS\system32\edeeg.ini2
2007-01-24 10:29 73,728 --a------ C:\WINDOWS\ICG32.DLL
2007-01-24 10:29 5,856 --a------ C:\WINDOWS\system32\INET16.DLL
2007-01-24 10:29 41,472 --a------ C:\WINDOWS\system32\IPROF32.DLL
2007-01-24 10:29 225,280 --a------ C:\WINDOWS\system32\QCON32.DLL
2007-01-24 10:29 195,936 --a------ C:\WINDOWS\system32\QCONNECT.DLL
2007-01-24 10:29 193,024 --a------ C:\WINDOWS\system32\QCON3216.EXE
2007-01-24 10:28 73,728 --a------ C:\WINDOWS\system32\Q_ENCLIB.DLL
2007-01-24 10:28 66,048 --a------ C:\WINDOWS\system32\mrtRate.dll
2007-01-24 10:28 65,536 --a------ C:\WINDOWS\system32\mrtMngr.exe
2007-01-24 10:28 51,200 --a------ C:\WINDOWS\system32\Q_ENCUTL.DLL
2007-01-24 10:28 34,712 --a------ C:\WINDOWS\system32\drivers\MrtRate.sys
2007-01-24 10:28 <DIR> d-------- C:\WINDOWS\Intuit
2007-01-24 10:28 <DIR> d-------- C:\Program Files\QUICKENW
2007-01-24 10:28 <DIR> d-------- C:\Program Files\Common Files\Palo Alto Software Inc
2007-01-24 08:57 76,412 --a------ C:\WINDOWS\system32\kpeudloi.dll
2007-01-24 07:33 <DIR> d-a--c--- C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-24 07:32 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-01-24 07:32 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-01-24 07:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-01-24 07:31 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\PC Tools
2007-01-23 22:35 <DIR> d--hsc--- C:\WA7P
2007-01-23 22:32 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-01-23 22:32 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-01-23 21:04 <DIR> d--h----- C:\WINDOWS\PIF
2007-01-23 19:18 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Opera
2007-01-23 17:38 76,412 --a------ C:\WINDOWS\system32\ltkiaewh.dll
2007-01-23 16:49 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe Systems
2007-01-23 16:49 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-01-23 16:43 96,256 --a------ C:\WINDOWS\system32\fmmxodm.dll
2007-01-23 16:33 95,744 --a------ C:\WINDOWS\system32\pwgxbam.dll
2007-01-23 15:58 88,340 --a------ C:\WINDOWS\system32\lmyrisnm.exe
2007-01-23 15:58 76,412 --a------ C:\WINDOWS\system32\nefswjwu.dll
2007-01-23 15:53 9,426 --a--c--- C:\qinniycc.exe
2007-01-23 15:53 9,426 --a--c--- C:\mnpw.exe
2007-01-23 15:53 9,394 --a--c--- C:\mvyok.exe
2007-01-23 15:45 <DIR> d-------- C:\Program Files\7-Zip
2007-01-22 23:17 <DIR> d-------- C:\Program Files\iTunes
2007-01-22 23:06 <DIR> d-------- C:\Program Files\QuickTime
2007-01-22 00:49 <DIR> d-------- C:\WINDOWS\9E2EE1ACE0A84E10AE90D9ADE9E91318.TMP
2007-01-21 11:33 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-21 09:10 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-18 15:53 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-01-18 15:53 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Thunderbird
2007-01-18 15:53 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Talkback
2007-01-17 21:25 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Skype
2007-01-17 19:56 <DIR> d-------- C:\Program Files\Skype
2007-01-13 14:43 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-12 21:35 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-12 21:34 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Google
2007-01-12 21:34 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-12 21:34 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Google
2007-01-12 21:31 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-12 21:25 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-12 21:25 <DIR> d-------- C:\Program Files\Google
2007-01-12 21:18 <DIR> d-------- C:\WINDOWS\network diagnostic


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-03 09:20 -------- d-------- C:\Program Files\grisoft
2007-02-02 22:48 -------- d-------- C:\Program Files\mozilla firefox
2007-01-31 16:57 -------- d-------- C:\Program Files\trillian
2007-01-28 12:23 -------- d-------- C:\DOCUME~1\Corey\Application Data\macromedia
2007-01-26 20:25 -------- d-------- C:\Program Files\Common Files\macromedia
2007-01-26 20:24 -------- d--h----- C:\Program Files\installshield installation information
2007-01-26 20:24 -------- d-------- C:\Program Files\macromedia
2007-01-25 20:44 -------- d-------- C:\Program Files\ea games
2007-01-25 20:38 -------- d-------- C:\Program Files\mario forever toolbar
2007-01-23 17:33 -------- d-------- C:\DOCUME~1\Corey\Application Data\adobe
2007-01-23 16:54 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-22 23:18 -------- d-------- C:\Program Files\ipod
2007-01-22 23:14 -------- d-------- C:\Program Files\apple software update
2007-01-22 22:32 -------- d-------- C:\Program Files\flash favorite
2007-01-22 19:38 -------- d-------- C:\Program Files\Common Files\real
2007-01-22 00:50 -------- d-------- C:\DOCUME~1\Corey\Application Data\adobeum
2007-01-22 00:49 -------- d-------- C:\Program Files\pokerstars
2007-01-22 00:48 -------- d-------- C:\Program Files\ulead systems
2007-01-22 00:48 -------- d-------- C:\Program Files\tgtsoft
2007-01-22 00:48 -------- d-------- C:\Program Files\interactual
2007-01-22 00:48 -------- d-------- C:\Program Files\guild wars
2007-01-22 00:48 -------- d-------- C:\Program Files\dvdsanta
2007-01-22 00:48 -------- d-------- C:\Program Files\doom 3
2007-01-22 00:35 -------- d-------- C:\Program Files\uoam
2007-01-21 09:11 -------- d-------- C:\DOCUME~1\Corey\Application Data\lavasoft
2007-01-21 09:02 724992 --a------ C:\WINDOWS\iun6002.exe
2007-01-18 15:53 -------- d-------- C:\DOCUME~1\Corey\Application Data\mozilla
2006-12-08 16:33 -------- d-------- C:\Program Files\razor
2006-12-07 01:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-03 02:21 23 --a------ C:\WINDOWS\clofghls.dll
2006-12-01 18:49 88 ---hs---- C:\DOCUME~1\Corey\Application Data\.zreglib
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
@=""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver2\\LVCOMS.EXE"
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\system32\\pmbibewl.dll\",setvm"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutpPilot Control.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AutpPilot Control.lnk"
"backup"="C:\\WINDOWS\\pss\\AutpPilot Control.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{1F0DCB84-2251-45BF-8975-471539D012FD}\\_294823.exe "
"item"="AutpPilot Control"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech SetPoint.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\SetPoint.exe "
"item"="Logitech SetPoint"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ad-Aware"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Aware.exe\" +c"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc32"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ad-Watch"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Watch.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boost XP Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bxservice"
"hkey"="HKCU"
"command"="C:\\Program Files\\Boost XP\\bxservice.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CacheBoost]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="trayicon"
"hkey"="HKLM"
"command"="C:\\Program Files\\CacheBoost\\trayicon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctpmon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctpmon"
"hkey"="HKCU"
"command"="ctpmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="itluxhys"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\itluxhys.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fdm"
"hkey"="HKCU"
"command"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLHostManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1134327678\\ee\\AOLHostManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="C:\\Program Files\\ICQLite\\ICQLite.exe -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogitechDesktopMessenger"
"hkey"="HKCU"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="KHALMNPR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLifeService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaLifeService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Logitech\\MediaLife\\MediaLifeService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MySpaceIM"
"hkey"="HKCU"
"command"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="P2P Networking"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe /AUTOSTART"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Booster]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pcbooster"
"hkey"="HKLM"
"command"="C:\\Program Files\\inKline Global\\PC Booster\\pcbooster.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RFAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rfagent"
"hkey"="HKLM"
"command"="C:\\Program Files\\RFA\\rfagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="C:\\Valve\\Steam\\Steam.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StyleXP"
"hkey"="HKCU"
"command"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Monitor"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Weather"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.EXE 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StyleXPService"=dword:00000002
"Roger Wilco Base Station"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"="ShellExecuteHook class"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51
*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_MCHINJDRV


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-03 12:17:57
C:\ComboFix2.txt ... 07-02-03 09:58




SmitFraudFix v2.138

Scan done at 10:12:01.82, Sat 02/03/2007
Run from C:\Documents and Settings\Corey\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\autosys.exe Deleted
C:\WINDOWS\system32\RegistryCleanerSetup.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.





---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:54:11 AM 2/3/2007

+ Scan result:



C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP889\A0195010.dll -> Adware.Companion : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP889\A0195030.cpl -> Adware.P2PNet : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc1\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc2\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\RECYCLER\S-1-5-18\Dc3\system.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP889\A0195018.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP897\A0200203.dll -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP889\A0194937.exe -> Adware.SystemDoctor : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP903\A0211511.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP903\A0211507.exe -> Dialer.GBDialer.i : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP889\A0195029.exe -> Downloader.Keenval.f : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP888\A0193088.exe -> Downloader.Small.edb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP888\A0193089.exe -> Downloader.Small.edb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP888\A0193091.exe -> Downloader.Small.edb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP889\A0194959.exe -> Downloader.Small.edb : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP888\A0193090.exe -> Dropper.Agent.azk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP889\A0194958.exe -> Dropper.Agent.azk : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP887\A0193055.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP887\A0193058.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP903\A0211508.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
C:\ckib.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
C:\yhmy.exe -> Hijacker.Agent.is : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP887\A0193051.exe -> Hijacker.Costrat.ae : Cleaned with backup (quarantined).
C:\bkktkp.exe -> Hijacker.Costrat.ae : Cleaned with backup (quarantined).
C:\WINDOWS\system32:huy32.sys -> Hijacker.Costrat.af : Cleaned with backup (quarantined).
C:\mvgngc.exe -> Hijacker.Costrat.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP900\A0202364.dll -> Not-A-Virus.Downloader.Win32.PopCap.a : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP889\A0196894.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP892\A0198313.dll -> Not-A-Virus.Hoax.Win32.Renos.gi : Cleaned with backup (quarantined).
:mozilla.124:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.127:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.128:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.129:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.122:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.139:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.140:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.141:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.142:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.143:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\Corey\Cookies\[email protected][2].txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.152:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Com : Cleaned.
C:\Documents and Settings\Corey\Cookies\[email protected][2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.63:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.225:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.226:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.227:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.228:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
:mozilla.123:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.126:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.130:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.165:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.167:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.235:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.200:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned.
:mozilla.201:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Linksynergy : Cleaned.
:mozilla.166:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Corey\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
:mozilla.87:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
C:\Documents and Settings\Corey\Cookies\[email protected][2].txt -> TrackingCookie.Realmedia : Cleaned.
:mozilla.210:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.193:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.194:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.196:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
:mozilla.111:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.112:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.113:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.114:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.115:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.116:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.117:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.118:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\Corey\Cookies\[email protected][1].txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.178:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Corey\Cookies\[email protected][2].txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.108:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.109:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.110:C:\Documents and Settings\Corey\Application Data\Mozilla\Firefox\Profiles\nv677nqq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Corey\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\Corey\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : Cleaned.
C:\Program Files\Common Files\svchost.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP888\A0193846.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP889\A0193868.exe -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\WINDOWS\system32\wineil32.dll -> Trojan.Agent.qt : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP894\A0199133.exe -> Trojan.ProcKill.DJ : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP887\A0193054.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP887\A0193056.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP889\A0195024.dll -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).
C:\WINDOWS\system32\msasvc.exe -> Trojan.Sinowal.bh : Cleaned with backup (quarantined).

::Report end

(No online scan)

"Corey" - 07-02-03 9:45:12 Service Pack 2
ComboFix 07.02.02 - Running from: "C:\Documents and Settings\Corey\desktop"
Command switches used :: /v itluxhys qkjpmbuc vturr gebya ddcdaxv gebyw

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\qkjpmbuc.dll
C:\WINDOWS\system32\ddcdaxv.dll
C:\WINDOWS\system32\gebyw.dll
C:\WINDOWS\system32\rrutv.ini2
C:\WINDOWS\system32\rrutv.tmp
C:\WINDOWS\system32\wybeg.bak1
C:\WINDOWS\system32\wybeg.bak2
C:\WINDOWS\system32\wybeg.ini
C:\WINDOWS\system32\wybeg.ini2
C:\WINDOWS\system32\wybeg.tmp


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\maxd641.exe
C:\WINDOWS\system32\unsvchosts.lzma
C:\WINDOWS\system32\ctpmon.exe


((((((((((((((((((((((((((((((( Files Created from 2007-01-03 to 2007-02-03 ))))))))))))))))))))))))))))))))))


2007-02-03 09:53 <DIR> d-------- C:\WINDOWS\ERDNT
2007-02-03 09:20 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-02 19:14 118,804 --a------ C:\WINDOWS\system32\pmbibewl.dll
2007-02-02 12:05 76,412 --a------ C:\WINDOWS\system32\leoruxoy.dll
2007-02-02 12:00 <DIR> d-------- C:\Program Files\Handheld CE Services
2007-02-01 23:11 <DIR> d-------- C:\Program Files\MySpace
2007-02-01 23:11 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\MySpace
2007-02-01 19:33 76,412 --a------ C:\WINDOWS\system32\ylepptpa.dll
2007-01-31 09:08 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-30 22:23 76,412 --a------ C:\WINDOWS\system32\irthvwrp.dll
2007-01-30 22:16 620,123 --a------ C:\WINDOWS\system32\RegistryCleanerSetup.exe
2007-01-30 20:56 118,804 --a------ C:\WINDOWS\system32\ngxsfyxp.dll
2007-01-29 20:01 44,165 --a------ C:\WINDOWS\system32\qeswuoqb.dll
2007-01-26 20:39 45,568 --a--c--- C:\yhmy.exe
2007-01-26 20:39 30,208 --a--c--- C:\jtwbjak.exe
2007-01-26 20:39 0 --a--c--- C:\iamhj.exe
2007-01-26 20:38 74,240 --a--c--- C:\mvgngc.exe
2007-01-26 20:35 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Macrovision
2007-01-26 20:31 286,720 --a------ C:\WINDOWS\iun506.exe
2007-01-26 20:31 <DIR> d-------- C:\Program Files\GIF Movie Gear
2007-01-26 20:28 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2007-01-25 20:07 <DIR> d-------- C:\Program Files\HijackThis
2007-01-24 21:20 353 ---hs---- C:\WINDOWS\system32\edeeg.ini2
2007-01-24 10:29 73,728 --a------ C:\WINDOWS\ICG32.DLL
2007-01-24 10:29 5,856 --a------ C:\WINDOWS\system32\INET16.DLL
2007-01-24 10:29 41,472 --a------ C:\WINDOWS\system32\IPROF32.DLL
2007-01-24 10:29 225,280 --a------ C:\WINDOWS\system32\QCON32.DLL
2007-01-24 10:29 195,936 --a------ C:\WINDOWS\system32\QCONNECT.DLL
2007-01-24 10:29 193,024 --a------ C:\WINDOWS\system32\QCON3216.EXE
2007-01-24 10:28 73,728 --a------ C:\WINDOWS\system32\Q_ENCLIB.DLL
2007-01-24 10:28 66,048 --a------ C:\WINDOWS\system32\mrtRate.dll
2007-01-24 10:28 65,536 --a------ C:\WINDOWS\system32\mrtMngr.exe
2007-01-24 10:28 51,200 --a------ C:\WINDOWS\system32\Q_ENCUTL.DLL
2007-01-24 10:28 34,712 --a------ C:\WINDOWS\system32\drivers\MrtRate.sys
2007-01-24 10:28 <DIR> d-------- C:\WINDOWS\Intuit
2007-01-24 10:28 <DIR> d-------- C:\Program Files\QUICKENW
2007-01-24 10:28 <DIR> d-------- C:\Program Files\Common Files\Palo Alto Software Inc
2007-01-24 08:57 76,412 --a------ C:\WINDOWS\system32\kpeudloi.dll
2007-01-24 07:33 <DIR> d-a--c--- C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-24 07:32 51,072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-01-24 07:32 30,592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-01-24 07:31 <DIR> d-------- C:\Program Files\Spyware Doctor
2007-01-24 07:31 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\PC Tools
2007-01-23 22:35 <DIR> d--hsc--- C:\WA7P
2007-01-23 22:32 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-01-23 22:32 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-01-23 21:04 <DIR> d--h----- C:\WINDOWS\PIF
2007-01-23 19:18 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Opera
2007-01-23 19:06 75,776 ---h----- C:\Program Files\Common Files\svchost.exe
2007-01-23 17:38 76,412 --a------ C:\WINDOWS\system32\ltkiaewh.dll
2007-01-23 17:14 9,426 --a------ C:\WINDOWS\system32\autosys.exe
2007-01-23 16:49 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe Systems
2007-01-23 16:49 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-01-23 16:43 96,256 --a------ C:\WINDOWS\system32\fmmxodm.dll
2007-01-23 16:33 95,744 --a------ C:\WINDOWS\system32\pwgxbam.dll
2007-01-23 16:26 3,584 --a------ C:\WINDOWS\system32\msasvc.exe
2007-01-23 15:58 88,340 --a------ C:\WINDOWS\system32\lmyrisnm.exe
2007-01-23 15:58 76,412 --a------ C:\WINDOWS\system32\nefswjwu.dll
2007-01-23 15:53 9,426 --a--c--- C:\qinniycc.exe
2007-01-23 15:53 9,426 --a--c--- C:\mnpw.exe
2007-01-23 15:53 9,394 --a--c--- C:\mvyok.exe
2007-01-23 15:53 74,240 --a--c--- C:\bkktkp.exe
2007-01-23 15:53 45,568 --a--c--- C:\ckib.exe
2007-01-23 15:52 20,992 --a------ C:\WINDOWS\system32\wineil32.dll
2007-01-23 15:45 <DIR> d-------- C:\Program Files\7-Zip
2007-01-22 23:17 <DIR> d-------- C:\Program Files\iTunes
2007-01-22 23:06 <DIR> d-------- C:\Program Files\QuickTime
2007-01-22 00:49 <DIR> d-------- C:\WINDOWS\9E2EE1ACE0A84E10AE90D9ADE9E91318.TMP
2007-01-21 11:33 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-21 09:10 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-18 15:53 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-01-18 15:53 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Thunderbird
2007-01-18 15:53 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Talkback
2007-01-17 21:25 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Skype
2007-01-17 19:56 <DIR> d-------- C:\Program Files\Skype
2007-01-13 14:43 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-12 21:35 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-12 21:34 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Google
2007-01-12 21:34 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-12 21:34 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Google
2007-01-12 21:31 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-12 21:25 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-12 21:25 <DIR> d-------- C:\Program Files\Google
2007-01-12 21:18 <DIR> d-------- C:\WINDOWS\network diagnostic


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-03 09:20 -------- d-------- C:\Program Files\grisoft
2007-02-02 22:48 -------- d-------- C:\Program Files\mozilla firefox
2007-02-01 23:11 -------- d-------- C:\Documents and Settings\Corey\Application Data\myspace
2007-01-31 16:57 -------- d-------- C:\Program Files\trillian
2007-01-28 22:33 -------- d-------- C:\Documents and Settings\Corey\Application Data\skype
2007-01-28 12:23 -------- d-------- C:\Documents and Settings\Corey\Application Data\macromedia
2007-01-26 20:25 -------- d-------- C:\Program Files\Common Files\macromedia
2007-01-26 20:24 -------- d--h----- C:\Program Files\installshield installation information
2007-01-26 20:24 -------- d-------- C:\Program Files\macromedia
2007-01-25 20:44 -------- d-------- C:\Program Files\ea games
2007-01-25 20:38 -------- d-------- C:\Program Files\mario forever toolbar
2007-01-24 07:31 -------- d-------- C:\Documents and Settings\Corey\Application Data\pc tools
2007-01-23 19:18 -------- d-------- C:\Documents and Settings\Corey\Application Data\opera
2007-01-23 17:33 -------- d-------- C:\Documents and Settings\Corey\Application Data\adobe
2007-01-23 16:54 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-22 23:18 -------- d-------- C:\Program Files\ipod
2007-01-22 23:14 -------- d-------- C:\Program Files\apple software update
2007-01-22 22:32 -------- d-------- C:\Program Files\flash favorite
2007-01-22 19:38 -------- d-------- C:\Program Files\Common Files\real
2007-01-22 00:50 -------- d-------- C:\Documents and Settings\Corey\Application Data\adobeum
2007-01-22 00:49 -------- d-------- C:\Program Files\pokerstars
2007-01-22 00:49 -------- d-------- C:\Documents and Settings\Corey\Application Data\thunderbird
2007-01-22 00:48 -------- d-------- C:\Program Files\ulead systems
2007-01-22 00:48 -------- d-------- C:\Program Files\tgtsoft
2007-01-22 00:48 -------- d-------- C:\Program Files\interactual
2007-01-22 00:48 -------- d-------- C:\Program Files\guild wars
2007-01-22 00:48 -------- d-------- C:\Program Files\dvdsanta
2007-01-22 00:48 -------- d-------- C:\Program Files\doom 3
2007-01-22 00:35 -------- d-------- C:\Program Files\uoam
2007-01-21 09:11 -------- d-------- C:\Documents and Settings\Corey\Application Data\lavasoft
2007-01-21 09:02 724992 --a------ C:\WINDOWS\iun6002.exe
2007-01-18 15:53 -------- d-------- C:\Documents and Settings\Corey\Application Data\talkback
2007-01-18 15:53 -------- d-------- C:\Documents and Settings\Corey\Application Data\mozilla
2007-01-17 23:08 -------- d-------- C:\Documents and Settings\Corey\Application Data\google
2006-12-08 16:33 -------- d-------- C:\Program Files\razor
2006-12-07 01:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-03 02:21 23 --a------ C:\WINDOWS\clofghls.dll
2006-12-01 18:49 88 ---hs---- C:\Documents and Settings\Corey\Application Data\.zreglib
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll
2006-11-04 14:14 1245696 --a------ C:\WINDOWS\system32\msxml4.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"ctpmon"="ctpmon.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
@=""
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"LVCOMS"="C:\\Program Files\\Common Files\\Logitech\\QCDriver2\\LVCOMS.EXE"
"Kernel and Hardware Abstraction Layer"="KHALMNPR.EXE"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\system32\\pmbibewl.dll\",setvm"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutpPilot Control.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AutpPilot Control.lnk"
"backup"="C:\\WINDOWS\\pss\\AutpPilot Control.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{1F0DCB84-2251-45BF-8975-471539D012FD}\\_294823.exe "
"item"="AutpPilot Control"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech SetPoint.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\SetPoint.exe "
"item"="Logitech SetPoint"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ad-Aware"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Aware.exe\" +c"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc32"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ad-Watch"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Watch.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boost XP Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bxservice"
"hkey"="HKCU"
"command"="C:\\Program Files\\Boost XP\\bxservice.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CacheBoost]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="trayicon"
"hkey"="HKLM"
"command"="C:\\Program Files\\CacheBoost\\trayicon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctpmon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctpmon"
"hkey"="HKCU"
"command"="ctpmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="itluxhys"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\itluxhys.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fdm"
"hkey"="HKCU"
"command"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLHostManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1134327678\\ee\\AOLHostManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="C:\\Program Files\\ICQLite\\ICQLite.exe -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogitechDesktopMessenger"
"hkey"="HKCU"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="KHALMNPR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLifeService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaLifeService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Logitech\\MediaLife\\MediaLifeService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MySpaceIM"
"hkey"="HKCU"
"command"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="P2P Networking"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe /AUTOSTART"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Booster]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pcbooster"
"hkey"="HKLM"
"command"="C:\\Program Files\\inKline Global\\PC Booster\\pcbooster.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RFAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rfagent"
"hkey"="HKLM"
"command"="C:\\Program Files\\RFA\\rfagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="C:\\Valve\\Steam\\Steam.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StyleXP"
"hkey"="HKCU"
"command"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Monitor"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Weather"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.EXE 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StyleXPService"=dword:00000002
"Roger Wilco Base Station"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"="ShellExecuteHook class"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=""
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source REG_SZ http://gr.bolt.com/games/pc/rpg/ultima_online5.gif

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_AVGASCLN


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

? [3120]

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 1
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-03 9:58:51





Logfile of HijackThis v1.99.1
Scan saved at 12:20:04 PM, on 2/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\Documents and Settings\Corey\Desktop\chatcher.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.3:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\qeswuoqb.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver2\LVCOMS.EXE
O4 - HKLM\..\Run: [Kernel and Hardware Abstraction Layer] KHALMNPR.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\pmbibewl.dll",setvm
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170205015385
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O18 - Protocol: bw+0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CacheBoost Performance Optimizer and Tuner Service (CacheBoost Service) - Unknown owner - C:\Program Files\CacheBoost\cbsrv.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - Unknown owner - C:\WINDOWS\system32\oodag.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe




:pray:
 

Registered · 11 Posts
Discussion Starter · #12
I have also had another problem that I don't think is related to a virus. Can you also help me on this or tell me where to post it to get some help?



That picture is from a few months ago, but it still looks the same.
 

Registered · 2,009 Posts
Hello chatcher

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any open browsers when you are carrying out the procedures below. Save the following instructions in Notepad, as this webpage will not be available while you're carrying out the fix.


IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Create a new System Restore point
  • click Start >> Run - type SYSDM.CPL & press Enter
  • select the System Restore Tab
  • tick on the checkbox - "Turn off System Restore on all drives"
  • click Apply
  • then untick the same checkbox & click OK

===============================================

Close any open browsers.





Go to <<Start>> then <<Run>> then copy/paste the following red text into the Run box then click OK

"%userprofile%\desktop\combofix.exe" /v pmbibewl leoruxoy ylepptpa irthvwrp ngxsfyxp qeswuoqb kpeudloi fmmxodm pwgxbam nefswjwu Ltkiaewh


When finished, it shall produce a log for you. We'll need that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.


=================

Restart your computer and boot into Safe Mode by hitting the F8 key repeatedly until a menu shows up (and choose Safe Mode from the list). On some systems this may be the F5 key, so try that if F8 doesn't work. Log in on your usual account. Make sure to close any open browsers.

===============================================

From Control Panel->Add/Remove Programs, uninstall the following programs, if present:
  • AWS

=================

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\pmbibewl.dll",setvm
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)


Please remember to close all other windows, including browsers then click Fix checked.

===============================================

If you have not done so already, please enable the viewing of Hidden files
From Windows Explorer, go to Tools>Folder Options> View tab.
  • Tick - Show hidden files and folders
  • Untick - Hide file extensions for known types
  • Untick - Hide protected operating system files
Click Yes to confirm & then click OK

Locate and delete the following folders, if present:
  • C:\Program Files\AWS
  • C:\WINDOWS\system32\P2P Networking

Locate and delete the following files:
  • C:\jtwbjak.exe
  • C:\iamhj.exe
  • C:\WINDOWS\system32\lmyrisnm.exe
  • C:\qinniycc.exe
  • C:\mnpw.exe
  • C:\mvyok.exe
  • C:\WINDOWS\system32\edeeg.ini2

=================

Please download the file attached - chatcher.zip
From within chatcher.zip, double-click chatcher.reg & allow it to merge with the Registry

=================

Please run the following online scan Here and post the log here

=================

Please go to: VirusTotal
  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to these files in BOLD:

    C:\WINDOWS\iun6002.exe
    C:\WINDOWS\iun506.exe


  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

=================

Please Run a scan with HiJackThis and save the log

===============================================

I'd also like to see the following list:

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on the Box that says "Open Uninstall Manager"
*Click on the button "Save list"
The Uninstall list in HJT will automatically be saved to the HijackThis folder and named uninstall_list.txt.

=================

In your next post, please include fresh logs from:
  1. C:\combofix.txt
  2. Online scan
  3. VirusTotal scan results
  4. HiJackThis
  5. Uninstall list
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
 

Attachments
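The list of DLL names handed to ComboFix above comes from cross-checking the load points in the HijackThis log against the files ComboFix reports as recently created. As an added example (not code from this thread, from HijackThis or from ComboFix), the script below does that cross-check over sample lines taken from the logs posted in this thread; the rules it applies (system32 location, all-lowercase name, identical byte size) are this example's own triage heuristics and yield review candidates, not verdicts.

```python
"""Cross-reference HijackThis load points with ComboFix "Files Created" entries.

Added example; not code from the forum thread, HijackThis or ComboFix. The two
sample texts are constructed from lines that appear in the logs posted in this
thread. The heuristics are this example's own assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: O2/O4 lines copied from the HijackThis log in this thread.
HJT_SAMPLE = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\qeswuoqb.dll
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\pmbibewl.dll",setvm
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

# Constructed sample: "Files Created" lines copied from the ComboFix log in this thread.
COMBOFIX_SAMPLE = r"""
2007-02-02 19:14 118,804 --a------ C:\WINDOWS\system32\pmbibewl.dll
2007-02-02 12:05 76,412 --a------ C:\WINDOWS\system32\leoruxoy.dll
2007-02-02 12:00 <DIR> d-------- C:\Program Files\Handheld CE Services
2007-02-01 19:33 76,412 --a------ C:\WINDOWS\system32\ylepptpa.dll
2007-01-31 09:08 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-30 22:23 76,412 --a------ C:\WINDOWS\system32\irthvwrp.dll
2007-01-30 20:56 118,804 --a------ C:\WINDOWS\system32\ngxsfyxp.dll
2007-01-29 20:01 44,165 --a------ C:\WINDOWS\system32\qeswuoqb.dll
2007-01-24 08:57 76,412 --a------ C:\WINDOWS\system32\kpeudloi.dll
2007-01-23 22:32 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
"""

# A DLL path inside an O2/O4 line: drive letter, then anything up to ".dll"
# (quotes excluded so a quoted .exe followed by arguments is not swallowed).
DLL_PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.dll)', re.IGNORECASE)
# ComboFix file line: date, time, size with thousands separators, nine
# attribute flags, full path.  <DIR> entries fail the numeric size field.
FILE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+([\d,]+)\s+\S{9}\s+(.+)$")
# Weak signal seen on this family: a 7-8 letter, all-lowercase basename.
LOWERCASE_NAME_RE = re.compile(r"^[a-z]{7,8}\.dll$")


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_load_points(hjt_text):
    """Return (section, lowercased DLL basename, full path) for O2/O4 lines loading a DLL."""
    found = []
    for line in hjt_text.splitlines():
        if not line.startswith(("O2 - ", "O4 - ")):
            continue
        m = DLL_PATH_RE.search(line)
        if m:
            found.append((line[:2], basename(m.group(1)).lower(), m.group(1)))
    return found


def parse_created_files(combofix_text):
    """Return (date, size in bytes, full path) for file lines in Files Created."""
    files = []
    for line in combofix_text.splitlines():
        m = FILE_RE.match(line.strip())
        if m:
            files.append((m.group(1), int(m.group(2).replace(",", "")), m.group(3)))
    return files


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(hjt_text, combofix_text, min_cluster=2):
    """Two review signals for a helper reading these logs side by side.

    loaded_new_files: system32 DLLs created in the ComboFix window that are also
        referenced by an O2 (BHO) or O4 (Run key) load point.
    size_clusters: groups of >= min_cluster newly created, lowercase-named
        system32 DLLs with identical byte size (the 76,412-byte set in this thread).
    """
    created = parse_created_files(combofix_text)
    created_names = {basename(p).lower() for _, _, p in created if in_system32(p)}
    loaded = sorted({n for _, n, _ in parse_load_points(hjt_text) if n in created_names})

    by_size = defaultdict(list)
    for _, size, path in created:
        name = basename(path)
        if in_system32(path) and LOWERCASE_NAME_RE.match(name):
            by_size[size].append(name)
    clusters = {s: sorted(n) for s, n in by_size.items() if len(n) >= min_cluster}
    return {"loaded_new_files": loaded, "size_clusters": clusters}


if __name__ == "__main__":
    for key, value in triage(HJT_SAMPLE, COMBOFIX_SAMPLE).items():
        print(key, value)
```

Every name the script flags on the sample is one the helper listed for ComboFix, while the Adobe and Spybot BHOs and the legitimate mucltui.dll are left alone; on a real log the candidates still need a VirusTotal check before anything is deleted, which is exactly the step the helper asks for.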

Registered · 11 Posts
Problems:

* the online scan log saved in HTML form, sorry about that

C:\jtwbjak.exe (could not find)
C:\iamhj.exe (will not let me delete, says it is in use)

C:\WINDOWS\iun6002.exe (would not complete a full scan, I'll post what I got)

System:

boot is a little faster, still slow though

I was getting a lot of pop-ups before you started helping me; I do not get any pop-ups now.

Still no icons on my taskbar.

Still displaying service pack test above taskbar (don't know if you were aiming for that or not)

Computer is a lot faster than it was, though.

UOMagic 7
UOMagic 7 (C:\Program Files\UOMagic\) (from the remove list)

I've been trying to get rid of this for a while; it will not let me delete it, and it's not in Program Files.


logs in order:

"Corey" - 07-02-05 6:16:07 Service Pack 2
ComboFix 07.02.02 - Running from: "C:\Documents and Settings\Corey\Desktop\CompFix"

((((((((((((((((((((((((((((((( Files Created from 2007-01-05 to 2007-02-05 ))))))))))))))))))))))))))))))))))


2007-02-04 20:04 <DIR> d-------- C:\Program Files\FreeRAM
2007-02-04 18:26 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Sun
2007-02-04 16:24 565,248 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-02-04 16:24 1,171,456 --a------ C:\WINDOWS\system32\ReWire.dll
2007-02-04 16:24 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Propellerhead Software
2007-02-04 16:24 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Propellerhead Software
2007-02-04 11:50 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Syntrillium
2007-02-04 11:48 <DIR> d-------- C:\Program Files\coolpro2
2007-02-03 16:44 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-02-03 14:59 <DIR> d-------- C:\Program Files\VstPlugins
2007-02-03 14:57 <DIR> d-------- C:\Program Files\Image-Line
2007-02-03 14:25 <DIR> d-------- C:\DOCUME~1\Corey\Shared
2007-02-03 14:25 <DIR> d-------- C:\DOCUME~1\Corey\Incomplete
2007-02-03 14:23 <DIR> d-------- C:\Program Files\Java
2007-02-03 14:23 <DIR> d-------- C:\Program Files\Common Files\Java
2007-02-03 14:22 <DIR> d-------- C:\Program Files\LimeWire
2007-02-03 14:22 <DIR> d-------- C:\DOCUME~1\Corey\.limewire
2007-02-03 10:12 2,032 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-03 09:53 <DIR> d-------- C:\WINDOWS\ERDNT
2007-02-03 09:20 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-02-02 19:14 118,804 --a------ C:\WINDOWS\system32\pmbibewl.dll
2007-02-02 12:05 76,412 --a------ C:\WINDOWS\system32\leoruxoy.dll
2007-02-02 12:00 <DIR> d-------- C:\Program Files\Handheld CE Services
2007-02-01 23:11 <DIR> d-------- C:\Program Files\MySpace
2007-02-01 23:11 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\MySpace
2007-02-01 19:33 76,412 --a------ C:\WINDOWS\system32\ylepptpa.dll
2007-01-31 09:08 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-01-30 22:23 76,412 --a------ C:\WINDOWS\system32\irthvwrp.dll
2007-01-30 20:56 118,804 --a------ C:\WINDOWS\system32\ngxsfyxp.dll
2007-01-29 20:01 44,165 --a------ C:\WINDOWS\system32\qeswuoqb.dll
2007-01-26 20:39 30,208 --a--c--- C:\jtwbjak.exe
2007-01-26 20:39 0 --a--c--- C:\iamhj.exe
2007-01-26 20:35 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Macrovision
2007-01-26 20:28 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2007-01-25 20:07 <DIR> d-------- C:\Program Files\HijackThis
2007-01-24 21:20 353 ---hs---- C:\WINDOWS\system32\edeeg.ini2
2007-01-24 10:29 5,856 --a------ C:\WINDOWS\system32\INET16.DLL
2007-01-24 10:28 73,728 --a------ C:\WINDOWS\system32\Q_ENCLIB.DLL
2007-01-24 10:28 51,200 --a------ C:\WINDOWS\system32\Q_ENCUTL.DLL
2007-01-24 10:28 <DIR> d-------- C:\WINDOWS\Intuit
2007-01-24 10:28 <DIR> d-------- C:\Program Files\QUICKENW
2007-01-24 08:57 76,412 --a------ C:\WINDOWS\system32\kpeudloi.dll
2007-01-24 07:33 <DIR> d-a--c--- C:\DOCUME~1\ALLUSE~1\Application Data\TEMP
2007-01-24 07:31 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\PC Tools
2007-01-23 22:35 <DIR> d--hsc--- C:\WA7P
2007-01-23 22:32 8,704 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-01-23 22:32 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-01-23 21:04 <DIR> d--h----- C:\WINDOWS\PIF
2007-01-23 19:18 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Opera
2007-01-23 17:38 76,412 --a------ C:\WINDOWS\system32\ltkiaewh.dll
2007-01-23 16:49 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe Systems
2007-01-23 16:49 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-01-23 16:43 96,256 --a------ C:\WINDOWS\system32\fmmxodm.dll
2007-01-23 16:33 95,744 --a------ C:\WINDOWS\system32\pwgxbam.dll
2007-01-23 15:58 88,340 --a------ C:\WINDOWS\system32\lmyrisnm.exe
2007-01-23 15:58 76,412 --a------ C:\WINDOWS\system32\nefswjwu.dll
2007-01-23 15:53 9,426 --a--c--- C:\qinniycc.exe
2007-01-23 15:53 9,426 --a--c--- C:\mnpw.exe
2007-01-23 15:53 9,394 --a--c--- C:\mvyok.exe
2007-01-23 15:45 <DIR> d-------- C:\Program Files\7-Zip
2007-01-22 23:17 <DIR> d-------- C:\Program Files\iTunes
2007-01-22 23:06 <DIR> d-------- C:\Program Files\QuickTime
2007-01-21 11:33 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Adobe
2007-01-21 09:10 <DIR> d-------- C:\Program Files\Lavasoft
2007-01-18 15:53 <DIR> d-------- C:\Program Files\Mozilla Thunderbird
2007-01-18 15:53 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Thunderbird
2007-01-18 15:53 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Talkback
2007-01-17 21:25 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Skype
2007-01-17 19:56 <DIR> d-------- C:\Program Files\Skype
2007-01-13 14:43 <DIR> d-------- C:\WINDOWS\ie7updates
2007-01-12 21:35 <DIR> d-------- C:\WINDOWS\WBEM
2007-01-12 21:34 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\Application Data\Google
2007-01-12 21:34 <DIR> d-------- C:\WINDOWS\system32\en-US
2007-01-12 21:34 <DIR> d-------- C:\DOCUME~1\Corey\Application Data\Google
2007-01-12 21:31 <DIR> d--h-c--- C:\WINDOWS\ie7
2007-01-12 21:25 121,856 --------- C:\WINDOWS\system32\xmllite.dll
2007-01-12 21:25 <DIR> d-------- C:\Program Files\Google
2007-01-12 21:18 <DIR> d-------- C:\WINDOWS\network diagnostic


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-02-05 06:07 -------- d-------- C:\Program Files\mozilla firefox
2007-02-04 18:12 -------- d-------- C:\Program Files\nvu
2007-02-04 18:09 -------- d-------- C:\Program Files\mario forever
2007-02-04 18:08 -------- d-------- C:\Program Files\labtec
2007-02-04 18:05 -------- d--h----- C:\Program Files\installshield installation information
2007-02-04 11:40 -------- d-------- C:\Program Files\trillian
2007-02-03 12:54 -------- d-------- C:\DOCUME~1\Corey\Application Data\msn6
2007-02-03 12:49 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-02-03 09:20 -------- d-------- C:\Program Files\grisoft
2007-01-28 12:23 -------- d-------- C:\DOCUME~1\Corey\Application Data\macromedia
2007-01-26 20:25 -------- d-------- C:\Program Files\Common Files\macromedia
2007-01-26 20:24 -------- d-------- C:\Program Files\macromedia
2007-01-25 20:44 -------- d-------- C:\Program Files\ea games
2007-01-25 20:38 -------- d-------- C:\Program Files\mario forever toolbar
2007-01-23 17:33 -------- d-------- C:\DOCUME~1\Corey\Application Data\adobe
2007-01-23 16:54 -------- d-------- C:\Program Files\Common Files\adobe
2007-01-22 23:18 -------- d-------- C:\Program Files\ipod
2007-01-22 23:14 -------- d-------- C:\Program Files\apple software update
2007-01-22 22:32 -------- d-------- C:\Program Files\flash favorite
2007-01-22 19:38 -------- d-------- C:\Program Files\Common Files\real
2007-01-22 00:50 -------- d-------- C:\DOCUME~1\Corey\Application Data\adobeum
2007-01-22 00:49 -------- d-------- C:\Program Files\pokerstars
2007-01-22 00:48 -------- d-------- C:\Program Files\ulead systems
2007-01-22 00:48 -------- d-------- C:\Program Files\tgtsoft
2007-01-22 00:48 -------- d-------- C:\Program Files\interactual
2007-01-22 00:48 -------- d-------- C:\Program Files\guild wars
2007-01-22 00:48 -------- d-------- C:\Program Files\dvdsanta
2007-01-22 00:48 -------- d-------- C:\Program Files\doom 3
2007-01-22 00:35 -------- d-------- C:\Program Files\uoam
2007-01-21 09:11 -------- d-------- C:\DOCUME~1\Corey\Application Data\lavasoft
2007-01-21 09:02 724992 --a------ C:\WINDOWS\iun6002.exe
2007-01-18 15:53 -------- d-------- C:\DOCUME~1\Corey\Application Data\mozilla
2006-12-08 16:33 -------- d-------- C:\Program Files\razor
2006-12-07 01:40 2362184 --a------ C:\WINDOWS\system32\wmvcore.dll
2006-12-03 02:21 23 --a--c--- C:\WINDOWS\clofghls.dll
2006-12-01 18:49 88 ---hsc--- C:\DOCUME~1\Corey\Application Data\.zreglib
2006-11-08 00:06 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-11-07 21:03 6049280 --------- C:\WINDOWS\system32\ieframe.dll
2006-11-07 21:03 50688 --------- C:\WINDOWS\system32\msfeedsbs.dll
2006-11-07 21:03 458752 --------- C:\WINDOWS\system32\msfeeds.dll
2006-11-07 21:03 413696 --a------ C:\WINDOWS\system32\vbscript.dll
2006-11-07 21:03 231424 --a------ C:\WINDOWS\system32\webcheck.dll
2006-11-07 21:03 180736 --------- C:\WINDOWS\system32\ieui.dll
2006-11-07 21:03 156160 --a------ C:\WINDOWS\system32\msls31.dll
2006-11-07 03:27 382976 --a------ C:\WINDOWS\system32\iedkcs32.dll
2006-11-07 03:27 229376 --a------ C:\WINDOWS\system32\ieaksie.dll
2006-11-07 03:26 71680 --a------ C:\WINDOWS\system32\admparse.dll
2006-11-07 03:26 55296 --a------ C:\WINDOWS\system32\iesetup.dll
2006-11-07 03:26 54784 --a------ C:\WINDOWS\system32\ie4uinit.exe
2006-11-07 03:26 43008 --a------ C:\WINDOWS\system32\iernonce.dll
2006-11-07 03:26 152064 --a------ C:\WINDOWS\system32\ieakeng.dll
2006-11-07 03:26 13312 --a------ C:\WINDOWS\system32\ieudinit.exe
2006-11-07 03:26 123904 --a------ C:\WINDOWS\system32\advpack.dll
2006-11-07 03:25 161792 --a------ C:\WINDOWS\system32\ieakui.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\ADingOD FreeRAM]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\system32\\pmbibewl.dll\",setvm"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"NoChange"="1"
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^AutpPilot Control.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\AutpPilot Control.lnk"
"backup"="C:\\WINDOWS\\pss\\AutpPilot Control.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{1F0DCB84-2251-45BF-8975-471539D012FD}\\_294823.exe "
"item"="AutpPilot Control"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech Desktop Messenger.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech Desktop Messenger.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech Desktop Messenger.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\DESKTO~1\\8876480\\Program\\LDMConf.exe /start"
"item"="Logitech Desktop Messenger"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Logitech SetPoint.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Logitech SetPoint.lnk"
"backup"="C:\\WINDOWS\\pss\\Logitech SetPoint.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\Logitech\\SetPoint\\SetPoint.exe "
"item"="Logitech SetPoint"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ad-Aware]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ad-Aware"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Aware.exe\" +c"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ADingOD FreeRAM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="freeram"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\FreeRAM\\freeram.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="atiptaxx"
"hkey"="HKLM"
"command"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG_CC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="avgcc32"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Grisoft\\AVG6\\avgcc32.exe /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AWMON]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ad-Watch"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Lavasoft\\Ad-Aware SE Plus\\Ad-Watch.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Boost XP Service]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bxservice"
"hkey"="HKCU"
"command"="C:\\Program Files\\Boost XP\\bxservice.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CacheBoost]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="trayicon"
"hkey"="HKLM"
"command"="C:\\Program Files\\CacheBoost\\trayicon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctpmon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctpmon"
"hkey"="HKCU"
"command"="ctpmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="itluxhys"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\itluxhys.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Free Download Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="fdm"
"hkey"="HKCU"
"command"="C:\\Program Files\\Free Download Manager\\fdm.exe -autorun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLHostManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1134327678\\ee\\AOLHostManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ICQ Lite]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ICQLite"
"hkey"="HKLM"
"command"="C:\\Program Files\\ICQLite\\ICQLite.exe -minimize"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iTunesHelper"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Kernel and Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="KHALMNPR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LogitechDesktopMessenger"
"hkey"="HKCU"
"command"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="KHALMNPR"
"hkey"="HKLM"
"command"="KHALMNPR.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="LVCOMS"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\Logitech\\QCDriver2\\LVCOMS.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaLifeService]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MediaLifeService"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Logitech\\MediaLife\\MediaLifeService.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmtask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mmtask.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mm_tray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Musicmatch\\Musicmatch Jukebox\\mm_tray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MySpaceIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="MySpaceIM"
"hkey"="HKCU"
"command"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\P2P Networking]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="P2P Networking"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\P2P Networking\\P2P Networking.exe /AUTOSTART"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PC Booster]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pcbooster"
"hkey"="HKLM"
"command"="C:\\Program Files\\inKline Global\\PC Booster\\pcbooster.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RealPlay"
"hkey"="HKLM"
"command"="C:\\Program Files\\Real\\RealPlayer\\RealPlay.exe SYSTEMBOOTHIDEPLAYER"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RFAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="rfagent"
"hkey"="HKLM"
"command"="C:\\Program Files\\RFA\\rfagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Steam"
"hkey"="HKCU"
"command"="C:\\Valve\\Steam\\Steam.exe -silent"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STYLEXP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StyleXP"
"hkey"="HKCU"
"command"="C:\\Program Files\\TGTSoft\\StyleXP\\StyleXP.exe -Hide"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead AutoDetector]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Monitor"
"hkey"="HKLM"
"command"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Weather"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\AWS\\WEATHE~1\\Weather.EXE 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"StyleXPService"=dword:00000002
"Roger Wilco Base Station"=dword:00000002


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{FE24CD78-7C63-465D-8787-4EDF7FC79895}"="ShellExecuteHook class"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"MySpaceIM"="C:\\Program Files\\MySpace\\IM\\MySpaceIM.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0

*newlycreated* - HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\LEGACY_ENTDRV51


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

? [2136]
? [2652]
? [2680]

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 3
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-02-05 6:23:52




BitDefender Online Scanner

Scan report generated at: Mon, Feb 05, 2007 - 08:21:49

Scan path: A:\;C:\;D:\;E:\;F:\;

Statistics
Time: 01:09:45
Files: 323588
Folders: 6521
Boot Sectors: 3
Archives: 1417
Packed Files: 28037

Results
Identified Viruses: 8
Infected Files: 19
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 19

Engines Info
Virus Definitions: 418600
Engine build: AVCORE v1.0 (build 2371) (i386) (Dec 13 2006 11:16:42)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions:
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File | Status
C:\Documents and Settings\Corey\Local Settings\Application Data\pwgxbam.dll | Infected with: Trojan.Obfus.Gen
C:\Documents and Settings\Corey\Local Settings\Application Data\pwgxbam.dll | Disinfection failed
C:\Documents and Settings\Corey\Local Settings\Application Data\pwgxbam.dll | Deleted
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213939.exe | Infected with: BehavesLike:Win32.ExplorerHijack
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213939.exe | Disinfection failed
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213939.exe | Deleted
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213940.exe | Infected with: Trojan.Spy.Sheriff.C
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213940.exe | Disinfection failed
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213940.exe | Deleted
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213941.exe | Infected with: Trojan.Spy.Sheriff.C
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213941.exe | Disinfection failed
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213941.exe | Deleted
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213942.exe | Infected with: Trojan.Spy.Sheriff.C
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213942.exe | Disinfection failed
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213942.exe | Deleted
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213943.exe | Infected with: Trojan.Agent.ACL
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213943.exe | Disinfection failed
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0213943.exe | Deleted
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0214955.dll | Infected with: Trojan.Obfus.Gen
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0214955.dll | Disinfection failed
C:\System Volume Information\_restore{67F4ED9F-3445-416B-8AE8-C29F951BB178}\RP914\A0214955.dll | Deleted
C:\WINDOWS\system32\fmmxodm.dll | Infected with: Trojan.Obfus.Gen
C:\WINDOWS\system32\fmmxodm.dll | Disinfection failed
C:\WINDOWS\system32\fmmxodm.dll | Deleted
C:\WINDOWS\system32\irthvwrp.dll | Infected with: Trojan.Spy.VBStat.B
C:\WINDOWS\system32\irthvwrp.dll | Deleted
C:\WINDOWS\system32\kpeudloi.dll | Infected with: Trojan.Spy.VBStat.B
C:\WINDOWS\system32\kpeudloi.dll | Deleted
C:\WINDOWS\system32\leoruxoy.dll | Infected with: Trojan.Spy.VBStat.B
C:\WINDOWS\system32\leoruxoy.dll | Deleted
C:\WINDOWS\system32\ltkiaewh.dll | Infected with: Trojan.Spy.VBStat.B
C:\WINDOWS\system32\ltkiaewh.dll | Deleted
C:\WINDOWS\system32\nefswjwu.dll | Infected with: Trojan.Spy.VBStat.B
C:\WINDOWS\system32\nefswjwu.dll | Deleted
C:\WINDOWS\system32\ngxsfyxp.dll | Infected with: Trojan.Virtumod.EB
C:\WINDOWS\system32\ngxsfyxp.dll | Disinfection failed
C:\WINDOWS\system32\ngxsfyxp.dll | Deleted
C:\WINDOWS\system32\pmbibewl.dll | Infected with: Trojan.Virtumod.EB
C:\WINDOWS\system32\pmbibewl.dll | Disinfection failed
C:\WINDOWS\system32\pmbibewl.dll | Deleted
C:\WINDOWS\system32\pwgxbam.dll | Infected with: Trojan.Obfus.Gen
C:\WINDOWS\system32\pwgxbam.dll | Disinfection failed
C:\WINDOWS\system32\pwgxbam.dll | Deleted
C:\WINDOWS\system32\qeswuoqb.dll | Infected with: Trojan.Juan.E
C:\WINDOWS\system32\qeswuoqb.dll | Disinfection failed
C:\WINDOWS\system32\qeswuoqb.dll | Deleted
C:\WINDOWS\system32\ylepptpa.dll | Infected with: Trojan.Spy.VBStat.B
C:\WINDOWS\system32\ylepptpa.dll | Deleted
C:\WINDOWS\unlite.exe | Infected with: [email protected]
C:\WINDOWS\unlite.exe | Disinfection failed
C:\WINDOWS\unlite.exe | Deleted

----------------

Antivirus Version Update Result
AntiVir 7.3.1.34 02.05.2007 no virus found
Authentium 4.93.8 02.03.2007 no virus found
Avast 4.7.936.0 02.05.2007 no virus found
AVG 386 02.04.2007 no virus found
BitDefender 7.2 02.05.2007 no virus found
CAT-QuickHeal 9.00 02.03.2007 no virus found
ClamAV devel-20060426 02.04.2007 no virus found
DrWeb 4.33 02.05.2007 no virus found
eSafe 7.0.14.0 02.05.2007 no virus found
eTrust-InoculateIT 30.4.3370 02.05.2007 no virus found
eTrust-Vet 30.4.3370 02.05.2007 no virus found
Ewido 4.0 02.04.2007 no virus found
Fortinet 2.85.0.0 02.05.2007 no virus found
F-Prot 4.2.1.29 02.03.2007 no virus found
Ikarus T3.1.0.31 02.05.2007 no virus found
Kaspersky 4.0.2.24 02.05.2007 no virus found
McAfee 4955 02.02.2007 no virus found
Microsoft 1.2101 02.05.2007 no virus found
NOD32v2 2037 02.05.2007 no virus found
Norman 5.80.02 02.02.2007 no virus found
Panda 9.0.0.4 02.04.2007 no virus found
Aditional Information
File size: 724992 bytes
MD5: 9433d5ac20edcf7d39c454fe2f67b43d
SHA1: b46be8abecd975d942bf28987bbda8686f079838




Antivirus Version Update Result
AntiVir 7.3.1.34 02.05.2007 no virus found
Authentium 4.93.8 02.03.2007 no virus found
Avast 4.7.936.0 02.05.2007 no virus found
AVG 386 02.04.2007 no virus found
BitDefender 7.2 02.05.2007 no virus found
CAT-QuickHeal 9.00 02.03.2007 no virus found
ClamAV devel-20060426 02.04.2007 no virus found
DrWeb 4.33 02.05.2007 no virus found
eSafe 7.0.14.0 02.05.2007 no virus found
eTrust-InoculateIT 30.4.3370 02.05.2007 no virus found
eTrust-Vet 30.4.3370 02.05.2007 no virus found
Ewido 4.0 02.04.2007 no virus found
Fortinet 2.85.0.0 02.05.2007 no virus found
F-Prot 4.2.1.29 02.03.2007 no virus found
Ikarus T3.1.0.31 02.05.2007 no virus found
Kaspersky 4.0.2.24 02.05.2007 no virus found
McAfee 4955 02.02.2007 no virus found
Microsoft 1.2101 02.05.2007 no virus found
NOD32v2 2037 02.05.2007 no virus found
Norman 5.80.02 02.02.2007 no virus found
Panda 9.0.0.4 02.04.2007 no virus found
Prevx1 V2 02.05.2007 no virus found
Sophos 4.13.0 02.05.2007 no virus found
Sunbelt 2.2.907.0 02.02.2007 no virus found
Symantec 10 02.05.2007 no virus found
TheHacker 6.1.6.052 02.05.2007 no virus found
UNA 1.83 02.03.2007 no virus found
VBA32 3.11.2 02.04.2007 no virus found
VirusBuster 4.3.19:9 02.04.2007 no virus found
Aditional Information
File size: 0 bytes
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709



Logfile of HijackThis v1.99.1
Scan saved at 8:24:48 AM, on 2/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Office\Office\WINWORD.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Corey\Desktop\CompFix\chatcher.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 192.168.1.3:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\qeswuoqb.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &ICQ Toolbar Search - res://C:\Program Files\ICQToolbar\toolbaru.dll/SEARCH.HTML
O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=36467&clcid=0x409
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1170205015385
O16 - DPF: {FB48C7B0-EB66-4BE6-A1C5-9DDF3C37249A} (MCSendMessageHandler Class) - http://xtraz.icq.com/xtraz/activex/MISBH.cab
O18 - Protocol: bw+0 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O18 - Protocol: offline-8876480 - {0822A09E-5F4F-4FF3-8DF8-3F80044DD24B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\BWPlugProtocol-8876480.dll
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: CacheBoost Performance Optimizer and Tuner Service (CacheBoost Service) - Unknown owner - C:\Program Files\CacheBoost\cbsrv.exe (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTSERV.EXE
O23 - Service: Logitech Easy Synchronization - Unknown owner - C:\Program Files\Logitech\Easy Synchronization\servicestub.exe (file missing)
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: O&O Defrag - Unknown owner - C:\WINDOWS\system32\oodag.exe (file missing)



7-Zip 4.42
Ad-Aware SE Plus
Adobe Flash Player 9 ActiveX
Adobe Photoshop 6.0 Tryout
Adobe Reader 7.0.9
Adobe Shockwave Player
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Control Panel
ATI Display Driver
ATI HydraVision
AVG Anti-Spyware 7.5
BlackBerry Desktop Software 4.1.1
BlackBerry Desktop Software 4.1.1
BlackBerry v4.1.0 for the 7130 Series Wireless Device
Broadcom Driver Installer
CleanUp!
Color LaserJet 2600n
Conexant D850 56K V.9x DFVc Modem
DiskeeperWorkstation
DVD Decoder Pak for Windows XP
EPSON Printer Software
FL Studio 5
FreeRAM
Google Earth
GTK+ 2.8.18-1 runtime environment
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
ICQ Toolbar
Image Resizer Powertoy for Windows XP
Intel(R) PRO Ethernet Adapter and Software
iPod for Windows 2005-10-12
iTunes
J2SE Runtime Environment 5.0 Update 10
J2SE Runtime Environment 5.0 Update 3
KhalSetup
Lavasoft VX2 Cleaner
LimeWire 4.12.11
Logitech Desktop Messenger
Logitech SetPoint
Macromedia Flash MX 2004
McAfee VirusScan Enterprise
MediaLife
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Microsoft Data Access Components KB870669
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Visual C++ 2005 Redistributable
Microsoft Windows Journal Viewer
Mobile Phone Suite Easy Synchronization
Mozilla Firefox (1.5.0.9)
Mozilla Thunderbird (1.5)
MP3 Player
MSXML 4.0 SP2 (KB927978)
Musicmatch® Jukebox
MySpaceIM
Nero 6 Enterprise Edition
NVIDIA Display Driver
QuickTime
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922760)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB925454)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB926255)
Skype 3.0
Slideshow Generator Powertoy for Windows XP
Spybot - Search & Destroy 1.3
TopStyle Lite (Version 1.5)
Trillian
Tweakui Powertoy for Windows XP
Ulead Photo Explorer 8.0 SE Basic
UOMagic 7
UOMagic 7 (C:\Program Files\UOMagic\)
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Ventrilo Client
Viewpoint Media Player
Voice Recorder v1.0
WIDCOMM Bluetooth Software
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Media Encoder 9 Series
Windows Media Encoder 9 Series
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip
 

Registered · 2,009 Posts
Hello chatcher

Please read this post completely before beginning the fix. If there's anything that you do not understand, kindly ask your questions before proceeding. Please ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.


P2P - I see you have P2P software ( Limewire ) installed on your machine. We are not here to pass judgment on file-sharing as a concept. However, we will warn you that engaging in this activity and having this kind of software installed on your machine will always make you more susceptible to re-infections. It may be contributing to your current situation. This page will give you further information.

Please do the following
Right Click on an open area on the taskbar>toolbars and 'check' QuickLaunch.

IT IS IMPORTANT THAT YOU DON'T MISS A STEP & PERFORM EVERYTHING IN THE RIGHT ORDER.

===============================================

Additional Downloads

Please download these additional files/programs. Do not run them until instructed to do so.
Unless otherwise stated, they should be stored in same directory as the HiJackThis program.

=================

Please download OTMoveIt by OldTimer:
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

    C:\jtwbjak.exe
    C:\iamhj.exe
    C:\qinniycc.exe
    C:\mnpw.exe
    C:\mvyok.exe
    C:\WINDOWS\system32\edeeg.ini2
    C:\WINDOWS\system32\rpcc.dll



  • Return to OTMoveIt, right click on the Paste List of Files/Folders to be moved window and choose Paste.
  • Click the red MoveIt! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it on your next reply.
  • Close OTMoveIt.

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

=================

Run a scan with HiJackThis & select/tick the following & click "Fix checked" :

O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\qeswuoqb.dll (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll



Please remember to close all other windows, including browsers then click Fix checked.

===============================================

Please download the file attached - regdel.zip
From within regdel.zip, double-click regdel.reg & allow it to merge with the Registry

=================

Establish an internet connection & perform an online scan with Internet Explorer at Kaspersky Online Scanner

Answer Yes, when prompted to install an ActiveX component.
  • The program will then begin downloading the latest definition files.
  • Once the files have been downloaded click on NEXT
  • Locate the Scan Settings button & configure to:
    • Scan using the following Anti-Virus database:
      • Extended
    • Scan Options:
      • Scan Archives
      • Scan Mail Bases
  • Click OK & have it scan My Computer
  • Once the scan is complete, it will display if your system has been infected. It does not provide an option to clean/disinfect. We only require a report from it.
  • Click the Save as Text button to save the file to your desktop so that you may post it in your next reply
* Turn off the real time scanner of any existing antivirus program while performing the online scan


===============================================

Download gmer from http://www.gmer.net & unzip it to desktop

Launch gmer.exe by double-clicking it. Select the rootkit tab & make sure the 'Show All' button is unticked.

Press scan & when it has finished press copy & paste the log back here

====================

Run combofix once again in the following manner:

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Post the ComboFix.txt in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall


=================

Open HijackThis
*Click on the "Configure" button on the bottom right
*Click on the tab "Misc Tools"
*Click on UOMagic 7 in the pane on the left
*Click on the button "Delete this entry"
Please do the same for UOMagic 7 (C:\Program Files\UOMagic\)
Please Run a scan with HiJackThis and save the log

===============================================

In your next post, please include fresh logs from:
  1. Online scan
  2. gmer log
  3. C:\ComboFix.txt
  4. HiJackThis
Please provide details of any problems you encountered whilst performing the above steps & update us on how the computer behaves now
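The two HijackThis entries alba selects for "Fix checked" above are the kind of thing a triage script can surface automatically. As an added example (not code from this thread or from HijackThis), the script below runs a few defender-side checks over O2/O3/O20/O23 lines copied from the log posted earlier: dangling "(file missing)" references, unnamed BHOs, Winlogon Notify packages outside a vetted baseline, and services with no publisher. The vetted baseline set is an assumption made for this example.

```python
import re
from typing import Dict, List

# Constructed sample input: lines copied from the HijackThis v1.99.1 log
# posted in this thread (Windows XP SP2, early 2007).
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {68D5CF1D-EC5C-4bdd-A9EF-F0E517565D50} - C:\WINDOWS\system32\qeswuoqb.dll (file missing)
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll (file missing)
O20 - Winlogon Notify: LBTWlgn - c:\program files\common files\logitech\bluetooth\LBTWlgn.dll
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: CacheBoost Performance Optimizer and Tuner Service (CacheBoost Service) - Unknown owner - C:\Program Files\CacheBoost\cbsrv.exe (file missing)
"""

# Assumed baseline: Winlogon Notify packages the analyst has already vetted on
# this machine (Logitech Bluetooth and Windows Genuine Advantage). This is an
# assumption for the example, not a list shipped with HijackThis.
VETTED_WINLOGON_NOTIFY = {"lbtwlgn", "wgalogon"}

# Every HijackThis entry starts with its section code: "O2 - ...", "R1 - ...".
ENTRY_RE = re.compile(r"^(?P<sect>[OR]\d+) - (?P<rest>.+)$")


def triage_hijackthis(log_text: str) -> Dict[str, List[str]]:
    """Map each HijackThis line that deserves analyst attention to its reasons.

    Lines that trip none of the checks are omitted. The checks flag entries
    for review; they do not by themselves prove malice (a BHO with no name
    can be a legitimate helper, as the Spybot entry in the sample shows).
    """
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        sect, rest = m.group("sect"), m.group("rest")
        reasons: List[str] = []

        # A registry entry whose target file is gone is an orphan: harmless on
        # its own, but a typical leftover of a partial cleanup and safe to remove.
        if rest.endswith("(file missing)"):
            reasons.append("dangling reference (file missing)")

        # Browser Helper Objects load into every Internet Explorer process;
        # one registered without a display name deserves a second look.
        if sect == "O2" and rest.startswith("BHO: (no name)"):
            reasons.append("BHO registered without a name")

        # Winlogon Notify DLLs are loaded by winlogon.exe at every logon and
        # are a classic persistence location; anything outside the vetted
        # baseline is flagged.
        if sect == "O20":
            package = rest.split(": ", 1)[1].split(" - ", 1)[0]
            if package.lower() not in VETTED_WINLOGON_NOTIFY:
                reasons.append("Winlogon Notify package not in vetted baseline")

        # Services whose binary carries no publisher information.
        if sect == "O23" and " - Unknown owner - " in rest:
            reasons.append("service binary has no publisher information")

        if reasons:
            findings[line] = reasons
    return findings


if __name__ == "__main__":
    for entry, why in triage_hijackthis(SAMPLE_LOG).items():
        print(entry)
        for reason in why:
            print("    ->", reason)
```

On the sample above, the two lines alba lists (the qeswuoqb.dll BHO and the rpcc Winlogon Notify entry) are both flagged, while the Logitech and WgaLogon notify packages and the Adobe BHO pass.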
 

Registered · 11 Posts · Discussion Starter · #16
Before I do that I am having a problem that just started happening after the last fix. It is causing my wireless connection to go crazy.



I am getting that message every few seconds, no matter what I do it still comes up.
 

TSF Security Manager, Emeritus · 42,836 Posts
I'll step in here for a moment to keep you moving.

Your system is still infected and that error may be a result of those infections. Please continue and carry out the latest set of instructions from alba. Let us know if that error still persists in your next reply--make sure to supply all logs requested.
 

Registered · 11 Posts · Discussion Starter · #18
===============================================

Please download the file attached - regdel.zip
From within regdel.zip, double-click regdel.reg & allow it to merge with the Registry

=================

I don't see that
 

Registered · 2,009 Posts
I really am sorry chatcher, I had internet problems this morning while I was posting the reply.

Please find regdel attached

thank you for your patience

alba
 

Attachments

Registered · 11 Posts · Discussion Starter · #20
Whatever step you just had me do just destroyed my computer.

=================

Please download OTMoveIt by OldTimer:
Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\jtwbjak.exe
C:\iamhj.exe
C:\qinniycc.exe
C:\mnpw.exe
C:\mvyok.exe
C:\WINDOWS\system32\edeeg.ini2
C:\WINDOWS\system32\rpcc.dll




Return to OTMoveIt, right click on the Paste List of Files/Folders to be moved window and choose Paste.
Click the red MoveIt! button.
Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it on your next reply.
Close OTMoveIt.


Right after that my computer crashed. I have tried every way to get it back on and I just get a blue screen right after it says "Windows is starting up".
 