Internet and computer down!


ArbysOvenMitt
4 Nov 2007, 12:10am
To start off, I have no anti-virus software on my computer and no firewall. I'm generally good at avoiding situations where it's needed at all, and went like this for years. I was browsing on Internet Explorer, just to remind myself why I hated it (I've used Firefox since its inception) and voila, got myself a platter of viruses.

I do have adawareSE and scanned a few times in safe mode, which got rid of a couple hundred things, but the problem is I can no longer connect to the internet at all on my computer. Also, whenever I try to get on without Safe Mode I can get to the desktop (usually), but Services.exe runs at 100% and I can't do ANYTHING (I've tried installing Norton, etc, to no avail). So I'm stuck in safe mode, without internet, and I can't think of any options at the moment. Any help would be greatly appreciated.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:00:29 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Safe mode

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\Documents and Settings\Administrator\Application Data\U3\00001557D860B125\LaunchPad.exe
E:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe
E:\WINDOWS\system32\ctfmon.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htepo.com/cehpmoin/?cmp=hmr&lid=5_1&gai=hamm_h4_pop&gli=pop_1&affid=68089&nid=h4&uid=f8075f49
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - E:\WINDOWS\system32\qiawpbjj.dll
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: 0 - {0DBC8C01-05C0-452B-58BE-CE96FE520B72} - (no file)
O2 - BHO: (no name) - {266f5bb8-aa10-454c-a021-7ea7c0712fe4} - E:\WINDOWS\system32\kaioesw.dll
O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - E:\Program Files\Nodrqkjo\iejnsqru.dll (file missing)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {37C39123-5ED3-472E-90C5-5A960BB4F182} - E:\Program Files\Internet Explorer\horeforec83122.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {5D32219E-1571-40C9-9E64-2E0DEF408469} - E:\Program Files\Internet Explorer\horeforec4444.dll (file missing)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {6AE7F116-2E51-440D-BABB-9E7CCAEC881F} - E:\Program Files\Internet Explorer\horeforec555077.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - E:\WINDOWS\system32\yayxyxy.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - E:\WINDOWS\system32\cwkovxiv.dll
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - E:\WINDOWS\system32\igotsovh.dll
O2 - BHO: (no name) - {B66A3361-38B4-4895-A5CD-E03AFEA50D7E} - E:\WINDOWS\system32\awvtt.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - E:\WINDOWS\system32\bronto.dll
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - E:\Program Files\E404 Helper\e404.v1.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - E:\WINDOWS\system32\igotsovh.dll
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - E:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127266059866
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C2AC9C1-313B-4D54-9740-178F7E21FD32}: NameServer = 85.255.115.68,85.255.112.171
O17 - HKLM\System\CCS\Services\Tcpip\..\{730AD8DC-9E50-4A6B-8ED4-6FFCFFCEFDB7}: NameServer = 85.255.115.68,85.255.112.171
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.171
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.171
O20 - AppInit_DLLs: E:\WINDOWS\system32\skuns.dat
O20 - Winlogon Notify: igotsovh - E:\WINDOWS\SYSTEM32\igotsovh.dll
O20 - Winlogon Notify: winrkp32 - E:\WINDOWS\SYSTEM32\winrkp32.dll
O20 - Winlogon Notify: yayxyxy - E:\WINDOWS\SYSTEM32\yayxyxy.dll
O20 - Winlogon Notify: __c007BCA1 - E:\WINDOWS\system32\__c007BCA1.dat
O21 - SSODL: VzBAB - {F8075F4A-52AD-F5E0-7426-BEB4C599B277} - (no file)
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - E:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - E:\WINDOWS\System32\browseui.dll
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6536 bytes


One thing I did notice is that I got the "antispyware" virus where it spams my computer with pop ups telling me I have a virus or trojan and to "click here" to get antivirus software... while it's mildly amusing, the fact that it runs during Safe Mode freaks me out.

I have windows XP with SP 2.

muuli
4 Nov 2007, 01:19am
Hi ArbysOvenMitt and Welcome to Icrontic :)

Your log is very dirty :(

But start the cleaning!

Step 1

Download the newest version of HijackThis and delete your existing version, because it's out of date. You can download the newest version from here (http://downloads.malwareremoval.com/HijackThis.exe). Create a new folder named HijackThis on your local drive (E:) and move HijackThis.exe into that folder.

Step 2

WAREOUT

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin;
follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Post back the contents of the logfile C:\fixwareout\report.txt.

Now let's check some settings on your system.
(2000/XP) Only
In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be available on some systems.

Step 3

Please download SmitfraudFix (http://siri.urz.free.fr/Fix/SmitfraudFix.exe) (by S!Ri)

Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/processutil/processutil.htm

Step 4

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Step 5

Open HijackThis, press Do a system scan only, checkmark these lines:
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://htepo.com/cehpmoin/?cmp=hmr&l...4&uid=f8075f49
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {029e02f0-a0e5-4b19-b958-7bf2db29fb13} - (no file)
O2 - BHO: 0 - {0DBC8C01-05C0-452B-58BE-CE96FE520B72} - (no file)
O2 - BHO: (no name) - {2A8C2C57-93A7-0675-5A40-098909C6F6CC} - E:\Program Files\Nodrqkjo\iejnsqru.dll (file missing)
O2 - BHO: (no name) - {2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71} - (no file)
O2 - BHO: (no name) - {37C39123-5ED3-472E-90C5-5A960BB4F182} - E:\Program Files\Internet Explorer\horeforec83122.dll (file missing)
O2 - BHO: (no name) - {51641ef3-8a7a-4d84-8659-b0911e947cc8} - (no file)
O2 - BHO: (no name) - {54645654-2225-4455-44A1-9F4543D34546} - (no file)
O2 - BHO: (no name) - {5D32219E-1571-40C9-9E64-2E0DEF408469} - E:\Program Files\Internet Explorer\horeforec4444.dll (file missing)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {6abc861a-31e7-4d91-b43b-d3c98f22a5c0} - (no file)
O2 - BHO: (no name) - {6AE7F116-2E51-440D-BABB-9E7CCAEC881F} - E:\Program Files\Internet Explorer\horeforec555077.dll (file missing)
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - (no file)
O2 - BHO: (no name) - {a4a435cf-3583-11d4-91bd-0048546a1450} - (no file)
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {c2680e10-1655-4a0e-87f8-4259325a84b7} - (no file)
O2 - BHO: (no name) - {c4ca6559-2cf1-48b6-96b2-8340a06fd129} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {d8efadf1-9009-11d6-8c73-608c5dc19089} - (no file)
O2 - BHO: (no name) - {e9147a0a-a866-4214-b47c-da821891240f} - (no file)
O2 - BHO: (no name) - {e9306072-417e-43e3-81d5-369490beef7c} - (no file)
O2 - BHO: e404 helper - {F10587E9-0E47-4CBE-84AE-7DD20B8684BB} - E:\Program Files\E404 Helper\e404.v1.dll (file missing)
Then close all windows and press Fix checked.

Step 6

Try to boot your computer to normal mode, and tell me how it is working :)

And Please post a fresh HijackThis log, FixWareout log, Smitfraudfix log and Combofix log :)

Note: use the newest version of HijackThis when scanning.
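As an added example that is not part of this thread (and not code from any of the tools named above), the following Python script triages a HijackThis log for the indicators the steps above target: O17 NameServer entries pointing at resolvers other than the ones you expect, O20 AppInit_DLLs / Winlogon Notify load points that are not .dll files, and unnamed O2 BHOs that are backed by a file actually present on disk. The sample lines are copied from the log posted above; the expected-resolver list is an assumed placeholder that a real run would replace with the ISP or router DNS.

```python
"""Triage a HijackThis log for DNS-hijack and suspicious load-point entries.

Added example, not part of the thread. SAMPLE_LOG is a constructed subset of
the log posted in this thread; EXPECTED_DNS is an assumed placeholder.
"""
import re
from dataclasses import dataclass

# Constructed sample: a handful of lines taken from the posted HijackThis log.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - E:\WINDOWS\system32\yayxyxy.dll
O2 - BHO: (no name) - {00000000-d9e3-4bc6-a0bd-3d0ca4be5271} - (no file)
O2 - BHO: (no name) - {37C39123-5ED3-472E-90C5-5A960BB4F182} - E:\Program Files\Internet Explorer\horeforec83122.dll (file missing)
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{1C2AC9C1-313B-4D54-9740-178F7E21FD32}: NameServer = 85.255.115.68,85.255.112.171
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.68 85.255.112.171
O20 - AppInit_DLLs: E:\WINDOWS\system32\skuns.dat
O20 - Winlogon Notify: igotsovh - E:\WINDOWS\SYSTEM32\igotsovh.dll
O20 - Winlogon Notify: __c007BCA1 - E:\WINDOWS\system32\__c007BCA1.dat
"""

# Assumed placeholder: the resolvers this machine is supposed to use.
EXPECTED_DNS = ["192.168.1.1"]

LINE_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
BHO_RE = re.compile(r"BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)")


@dataclass
class Finding:
    code: str      # HijackThis section code, e.g. "O17"
    reason: str    # why the entry was flagged
    detail: str    # the offending value (servers, path, ...)


def _bho_file_present(path: str) -> bool:
    """HijackThis marks orphaned BHOs as '(no file)' or '... (file missing)'."""
    return path != "(no file)" and not path.endswith("(file missing)")


def dns_servers(log_text: str) -> set:
    """Collect every resolver IP referenced by O17 entries in the log."""
    servers = set()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m and m.group("code") == "O17":
            servers.update(IP_RE.findall(m.group("body")))
    return servers


def triage(log_text: str, expected_dns) -> list:
    """Return a list of Finding objects for the suspicious entries in the log."""
    expected = set(expected_dns)
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        if code == "O17":
            # Any resolver that is not one we configured is a hijack candidate.
            rogue = [ip for ip in IP_RE.findall(body) if ip not in expected]
            if rogue:
                findings.append(Finding(code, "unexpected DNS server", ", ".join(rogue)))
        elif code == "O20":
            # AppInit_DLLs and Winlogon Notify load code at logon; a .dat file
            # being loaded as a library is not how legitimate software does it.
            if "Winlogon Notify" in body:
                path = body.rsplit(" - ", 1)[-1].strip()
            else:
                path = body.split(":", 1)[-1].strip()
            if not path.lower().endswith(".dll"):
                findings.append(Finding(code, "load point is not a .dll", path))
        elif code == "O2":
            b = BHO_RE.match(body)
            if b and b.group("name") == "(no name)" and _bho_file_present(b.group("path")):
                findings.append(Finding(code, "unnamed BHO backed by a file on disk", b.group("path")))
    return findings


if __name__ == "__main__":
    print("resolvers seen:", sorted(dns_servers(SAMPLE_LOG)))
    for f in triage(SAMPLE_LOG, EXPECTED_DNS):
        print(f"{f.code}: {f.reason} -> {f.detail}")
```

Run it against a full log saved from HijackThis; O17 hits that survive the "Obtain DNS servers automatically" step (or reappear after a reboot) are the ones to bring back to the thread.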

ArbysOvenMitt
4 Nov 2007, 02:16am
Hey, I did the steps and here are the logs of each run-through for the first time.

Username "Administrator" - 11/03/2007 21:36:59 [Fixwareout edited 9/01/2007]

~~~~~ Prerun check

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
"nameserver"="85.255.115.68 85.255.112.171" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1C2AC9C1-313B-4D54-9740-178F7E21FD32}
"nameserver"="85.255.115.68,85.255.112.171" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{730AD8DC-9E50-4A6B-8ED4-6FFCFFCEFDB7}
"nameserver"="85.255.115.68,85.255.112.171" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1AA3325F-78EF-4EC6-B7E8-D5D67CD015BA}
"DhcpNameServer"="85.255.115.68,85.255.112.171" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{1C2AC9C1-313B-4D54-9740-178F7E21FD32}
"DhcpNameServer"="85.255.115.68,85.255.112.171" <Value cleared.
HKEY_LOCAL_MACHINE\system\currentcontrolset\services\tcpip\parameters\interfaces\{730AD8DC-9E50-4A6B-8ED4-6FFCFFCEFDB7}
"DhcpNameServer"="85.255.115.68,85.255.112.171" <Value cleared.


System was rebooted successfully.

~~~~~ Postrun check
HKLM\SOFTWARE\~\Winlogon\ "System"=""
....
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
E:\WINDOWS\System32\mzvzo.exe Deleted
....
~~~~~ Misc files.
E:\WINDOWS\System32\kernel32.exe Deleted
....
~~~~~ Checking for older varients.
....

~~~~~ Current runs (hklm hkcu "run" Keys Only)
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="E:\\WINDOWS\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe /auto"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\\WINDOWS\\system32\\ctfmon.exe"
....
Hosts file was reset, If you use a custom hosts file please replace it...
~~~~~ End report ~~~~~



SmitFraudFix v2.247

Scan done at 21:43:56.03, Sat 11/03/2007
Run from E:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» E:\


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32

E:\WINDOWS\system32\bronto.dll FOUND !
E:\WINDOWS\system32\proper.exe FOUND !
E:\WINDOWS\system32\skuns.dat FOUND !
E:\WINDOWS\system32\winter.exe FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» E:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\Administrator


»»»»»»»»»»»»»»»»»»»»»»»» E:\Documents and Settings\Administrator\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» E:\DOCUME~1\ADMINI~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» E:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="E:\\WINDOWS\\system32\\skuns.dat"


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS3\Services\Tcpip\..\{1AA3325F-78EF-4EC6-B7E8-D5D67CD015BA}: DhcpNameServer=85.255.115.68,85.255.112.171
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1C2AC9C1-313B-4D54-9740-178F7E21FD32}: DhcpNameServer=85.255.115.68,85.255.112.171
HKLM\SYSTEM\CS3\Services\Tcpip\..\{1C2AC9C1-313B-4D54-9740-178F7E21FD32}: NameServer=85.255.115.68,85.255.112.171
HKLM\SYSTEM\CS3\Services\Tcpip\..\{730AD8DC-9E50-4A6B-8ED4-6FFCFFCEFDB7}: DhcpNameServer=85.255.115.68,85.255.112.171
HKLM\SYSTEM\CS3\Services\Tcpip\..\{730AD8DC-9E50-4A6B-8ED4-6FFCFFCEFDB7}: NameServer=85.255.115.68,85.255.112.171
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: NameServer=85.255.115.68 85.255.112.171


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
ComboFix 07-11-01.1 - Administrator 2007-11-03 21:46:29.1 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.813 [GMT -5:00]
Running from: E:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
E:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
E:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
E:\Documents and Settings\All Users.\documents\settings
E:\Documents and Settings\All Users.\documents\settings\desktop.ini
E:\Documents and Settings\All Users\Application Data.\mdqpituh.dll
E:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
E:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
E:\Documents and Settings\Freshly\Application Data\install.dat
E:\Documents and Settings\Freshly\Desktop\bravesentry.lnk
E:\Documents and Settings\Freshly\Desktop\Live Safety Center.lnk
E:\Documents and Settings\Freshly\Desktop\Online Security Guide.lnk
E:\Documents and Settings\Freshly\Favorites\Online Security Guide.lnk
E:\Documents and Settings\Freshly\Local Settings\Application Data\n.ini
E:\Documents and Settings\Freshly\Start Menu\Programs\Brave-Sentry
E:\Documents and Settings\Freshly\Start Menu\Programs\Brave-Sentry\BraveSentry.lnk
E:\Documents and Settings\Freshly\Start Menu\Programs\Brave-Sentry\Uninstall.lnk
E:\Documents and Settings\LocalService\Application Data\NetMon
E:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
E:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
E:\Documents and Settings\NetworkService\Application Data\NetMon
E:\Documents and Settings\NetworkService\Application Data\NetMon\domains.txt
E:\Documents and Settings\NetworkService\Application Data\NetMon\log.txt
E:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
E:\WINDOWS\b122.exe
E:\WINDOWS\racle~1
E:\WINDOWS\racle~1\?racle\
E:\WINDOWS\system32\__c007BCA1.dat
E:\WINDOWS\system32\__c00A4C63.dat
E:\WINDOWS\system32\__c00AD202.dat
E:\WINDOWS\system32\a13
E:\WINDOWS\system32\aspimgr.exe
E:\WINDOWS\system32\away.exe.exe
E:\WINDOWS\system32\awvtt.dll
E:\WINDOWS\system32\bicuoohm.ini
E:\WINDOWS\system32\cwkovxiv.dll
E:\WINDOWS\system32\dllh8jkd1q1.exe
E:\WINDOWS\system32\dllh8jkd1q2.exe
E:\WINDOWS\system32\dllh8jkd1q5.exe
E:\WINDOWS\system32\dllh8jkd1q6.exe
E:\WINDOWS\system32\dllh8jkd1q7.exe
E:\WINDOWS\system32\dllh8jkd1q8.exe
E:\WINDOWS\system32\drivers\4_stars.gif
E:\WINDOWS\system32\drivers\5_stars.gif
E:\WINDOWS\system32\drivers\alert_icon.gif
E:\WINDOWS\system32\drivers\arrow.gif
E:\WINDOWS\system32\drivers\asc3550p.sys
E:\WINDOWS\system32\drivers\buy_btn.gif
E:\WINDOWS\system32\drivers\close_icon.gif
E:\WINDOWS\system32\drivers\core.cache.dsk
E:\WINDOWS\system32\drivers\core.sys
E:\WINDOWS\system32\drivers\detect.htm
E:\WINDOWS\system32\drivers\download_btn.gif
E:\WINDOWS\system32\drivers\features.gif
E:\WINDOWS\system32\drivers\header_bg.gif
E:\WINDOWS\system32\drivers\icon_warning.gif
E:\WINDOWS\system32\drivers\Iwxa69.sys
E:\WINDOWS\system32\drivers\logo_bg.gif
E:\WINDOWS\system32\drivers\perfect_cleaner_box.jpg
E:\WINDOWS\system32\drivers\perfect_cleaner_box_small.jpg
E:\WINDOWS\system32\drivers\perfect_cleaner_header.gif
E:\WINDOWS\system32\drivers\perfect_cleaner_header_small.gif
E:\WINDOWS\system32\drivers\protect.gif
E:\WINDOWS\system32\drivers\pt.htm
E:\WINDOWS\system32\drivers\s_detect.htm
E:\WINDOWS\system32\drivers\secuity_center_logo.gif
E:\WINDOWS\system32\drivers\sfsync02.sys
E:\WINDOWS\system32\drivers\spy_away_box.jpg
E:\WINDOWS\system32\drivers\spy_away_box_small.jpg
E:\WINDOWS\system32\drivers\spy_away_header.gif
E:\WINDOWS\system32\drivers\spy_away_header_small.gif
E:\WINDOWS\system32\drivers\symavc32.sys
E:\WINDOWS\system32\drivers\users_rating.gif
E:\WINDOWS\system32\drivers\v.gif
E:\WINDOWS\system32\drivers\x.gif
E:\WINDOWS\system32\drvfarr.dll
E:\WINDOWS\system32\dwdsrngt.exe
E:\WINDOWS\system32\e2
E:\WINDOWS\system32\e2\caws83122.exe
E:\WINDOWS\system32\g1
E:\WINDOWS\system32\hrmfovhw.exe
E:\WINDOWS\system32\i8
E:\WINDOWS\system32\i8\taldrvr11.exe
E:\WINDOWS\system32\igotsovh.dllbox
E:\WINDOWS\system32\kaioesw.dll
E:\WINDOWS\system32\kernelwind32.exe
E:\WINDOWS\system32\ldcore.dll
E:\WINDOWS\system32\ldinfo.ldr
E:\WINDOWS\system32\max1d11643v.exe
E:\WINDOWS\system32\mhooucib.dll
E:\WINDOWS\system32\msnav32.ax
E:\WINDOWS\system32\newmaxxsv234.exe
E:\WINDOWS\system32\pac.txt
E:\WINDOWS\system32\rtnka.dat
E:\WINDOWS\system32\rtnka.dll
E:\WINDOWS\system32\RunOnce3.tmp
E:\WINDOWS\system32\SoUI.dll
E:\WINDOWS\system32\svfgnfny.exe
E:\WINDOWS\system32\ttvwa.bak1
E:\WINDOWS\system32\ttvwa.bak2
E:\WINDOWS\system32\ttvwa.ini
E:\WINDOWS\system32\vedxg4am1et2.exe
E:\WINDOWS\system32\vedxg6ame4.exe
E:\WINDOWS\system32\vedxga1me4t1.exe
E:\WINDOWS\system32\vedxga4me1.exe
E:\WINDOWS\system32\vedxga5me3.exe
E:\WINDOWS\system32\winpfz32.sys
E:\WINDOWS\system32\winrkp32.dll
E:\WINDOWS\system32\x22
E:\WINDOWS\system32\x22\c124wvr.exe
E:\WINDOWS\system32\zxdnt3d.cfg
E:\WINDOWS\tsitra1000106.exe
E:\WINDOWS\TTC-4444.exe
E:\WINDOWS\uninstall_nmon.vbs
E:\WINDOWS\winh32.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_ASC3550P
-------\LEGACY_ASPIMGR
-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_DRIVER
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_SFSYNC02
-------\asc3550p
-------\cmdService
-------\DomainService
-------\nm
-------\sfsync02


((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-03 21:45 51,200 --a------ E:\WINDOWS\NirCmd.exe
2007-11-03 21:35 396,288 --a------ E:\HijackThis.exe
2007-11-03 19:00 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\U3
2007-10-31 13:17 <DIR> d-------- E:\Program Files\Common Files\Symantec Shared
2007-10-31 13:06 1,290 --a------ E:\WINDOWS\system32\tmp.reg
2007-10-31 13:04 289,144 --a------ E:\WINDOWS\system32\VCCLSID.exe
2007-10-31 13:04 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
2007-10-31 13:04 53,248 --a------ E:\WINDOWS\system32\Process.exe
2007-10-31 13:04 51,200 --a------ E:\WINDOWS\system32\dumphive.exe
2007-10-31 13:04 25,600 --a------ E:\WINDOWS\system32\WS2Fix.exe
2007-10-31 13:00 3,144 --a------ E:\WINDOWS\system32\SProxy_tmp.dll
2007-10-30 23:20 <DIR> d-------- E:\Program Files\microsoft frontpage
2007-10-30 18:13 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\TuneUp Software
2007-10-30 17:45 <DIR> d-------- E:\WINDOWS\system32\fkmdvbtn
2007-10-30 17:45 104,960 --a------ E:\WINDOWS\system32\drvfar.dll
2007-10-30 17:45 35,840 --a------ E:\WINDOWS\system32\opnnnmm.dll
2007-10-30 17:43 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\Talkback
2007-10-30 17:36 57,368 --a------ E:\WINDOWS\system32\dsrng.exe
2007-10-30 17:36 7,680 --a------ E:\WINDOWS\system32\winter.exe
2007-10-30 17:00 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-10-30 14:14 <DIR> d-------- E:\WINDOWS\system32\ehgvjcfi
2007-10-30 14:14 10,240 --a------ E:\WINDOWS\system32\npdl.exe
2007-10-30 14:12 <DIR> d-------- E:\WINDOWS\system32\svcd
2007-10-30 13:50 196,681 --a------ E:\WINDOWS\system32\mwinndq.exe
2007-10-30 13:48 <DIR> d-------- E:\WINDOWS\system32\Mz12r
2007-10-30 13:35 340,032 --a------ E:\WINDOWS\system32\igotsovh.dll
2007-10-30 13:34 340,032 --a------ E:\WINDOWS\system32\xgmnoltx.dll
2007-10-30 12:37 <DIR> d-------- E:\WINDOWS\system32\acespy
2007-10-30 12:16 <DIR> d-------- E:\Documents and Settings\Freshly\Application Data\Lavasoft
2007-10-30 12:16 552,960 --a------ E:\WINDOWS\system32\GE.dll
2007-10-30 12:16 131,588 --a------ E:\WINDOWS\system32\qiawpbjj.exe
2007-10-30 12:16 21,504 --a------ E:\WINDOWS\system32\qiawpbjj.dll
2007-10-30 08:06 12,800 --a------ E:\WINDOWS\system32\bronto.dll
2007-10-30 08:06 7,680 --a------ E:\WINDOWS\system32\proper.exe
2007-10-30 08:06 6,144 --a------ E:\WINDOWS\system32\skuns.dat
2007-10-30 01:31 34,816 --a------ E:\WINDOWS\system32\rqrpnoo.dll
2007-10-30 01:30 34,816 --a------ E:\WINDOWS\system32\xxyywut.dll
2007-10-30 01:28 34,816 --a------ E:\WINDOWS\system32\hgghiij.dll
2007-10-30 01:27 <DIR> d-------- E:\WINDOWS\system32\Mz02r
2007-10-30 01:27 <DIR> d--hs---- E:\WINDOWS\RXZhbiBMb3ZlbHk
2007-10-30 01:27 294,668 --a------ E:\WINDOWS\frexup2.exe
2007-10-30 01:27 34,816 --a------ E:\WINDOWS\system32\yayxyxy.dll
2007-10-30 01:27 13,824 --a------ E:\WINDOWS\plite731.exe
2007-10-30 01:27 41 --a------ E:\WINDOWS\plite731_uninstaller_.bat
2007-10-23 00:22 <DIR> d-------- E:\Temp
2007-10-22 22:42 24,616 --ah----- E:\WINDOWS\system32\mlfcache.dat
2007-10-22 22:40 <DIR> d-------- E:\Program Files\mIRC
2007-10-22 08:45 <DIR> d-------- E:\Program Files\Activision
2007-10-22 08:36 <DIR> d--hs---- E:\WINDOWS\ftpcache
2007-10-22 08:34 <DIR> d-------- E:\Program Files\MagicDisc
2007-10-22 08:34 92,544 --a------ E:\WINDOWS\system32\drivers\mcdbus.sys
2007-10-09 12:10 442,368 -ra------ E:\WINDOWS\system32\vp6vfw.dll
2007-10-07 16:00 <DIR> d-------- E:\Program Files\WinUHA
2007-10-04 15:20 <DIR> d-------- E:\Documents and Settings\Freshly\Application Data\atitray
2007-10-04 12:46 516,096 --------- E:\WINDOWS\system32\ati2sgag.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 18:20 359,808 ----a-w E:\WINDOWS\system32\drivers\tcpip.sys
2007-10-22 20:08 139,264 ----a-w E:\WINDOWS\War3Unin.exe
2007-10-22 14:07 --------- d--h--w E:\Program Files\InstallShield Installation Information
2007-10-04 20:12 --------- d-----w E:\Program Files\Radeon Omega Drivers
2007-10-04 17:33 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.413 Uninstall.exe
2007-10-04 17:17 --------- d-----w E:\Program Files\Common Files\Adobe
2007-10-02 17:48 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.360 Uninstall.exe
2007-10-02 17:34 --------- d-----w E:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-28 19:39 --------- d-----w E:\Program Files\Microsoft Games
2007-09-26 04:25 --------- d-----w E:\Program Files\iTunes
2007-09-26 04:25 --------- d-----w E:\Program Files\iPod
2007-09-15 13:39 --------- d-----w E:\Program Files\Apple Software Update
2005-07-29 21:24:26 472 --sha-r E:\WINDOWS\RXZhbiBMb3ZlbHk\lrt1v21gvat5vJ4.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
2007-10-30 17:43 21504 --a------ E:\WINDOWS\system32\qiawpbjj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DBC8C01-05C0-452B-58BE-CE96FE520B72}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A8C2C57-93A7-0675-5A40-098909C6F6CC}]
E:\Program Files\Nodrqkjo\iejnsqru.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37C39123-5ED3-472E-90C5-5A960BB4F182}]
E:\Program Files\Internet Explorer\horeforec83122.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{51641ef3-8a7a-4d84-8659-b0911e947cc8}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D32219E-1571-40C9-9E64-2E0DEF408469}]
E:\Program Files\Internet Explorer\horeforec4444.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AE7F116-2E51-440D-BABB-9E7CCAEC881F}]
E:\Program Files\Internet Explorer\horeforec555077.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
2007-10-30 01:27 34816 --a------ E:\WINDOWS\system32\yayxyxy.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-10-30 13:35 340032 --a------ E:\WINDOWS\system32\igotsovh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D27987B8-7244-4DE0-AE10-39B826B492F1}]
2007-10-30 08:06 12800 --a------ E:\WINDOWS\system32\bronto.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
E:\Program Files\E404 Helper\e404.v1.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= E:\WINDOWS\system32\igotsovh.dll [2007-10-30 13:35 340032]

[HKEY_CLASSES_ROOT\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2004-08-04 02:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="E:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"= E:\WINDOWS\system32\yayxyxy.dll [2007-10-30 01:27 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igotsovh]
igotsovh.dll 2007-10-30 13:35 340032 E:\WINDOWS\system32\igotsovh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxyxy]
yayxyxy.dll 2007-10-30 01:27 34816 E:\WINDOWS\system32\yayxyxy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007BCA1]
E:\WINDOWS\system32\__c007BCA1.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 E:\WINDOWS\system32\awvtt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Administrator^Start Menu^Programs^Startup^infos.exe]
path=E:\Documents and Settings\Administrator\Start Menu\Programs\Startup\infos.exe
backup=E:\WINDOWS\pss\infos.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^autos.exe]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
backup=E:\WINDOWS\pss\autos.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacName.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\MacName.lnk
backup=E:\WINDOWS\pss\MacName.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
backup=E:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=E:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^TrayIt!.lnk]
path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\TrayIt!.lnk
backup=E:\WINDOWS\pss\TrayIt!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^infos.exe]
path=E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\infos.exe
backup=E:\WINDOWS\pss\infos.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^TA_Start.lnk]
path=E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\TA_Start.lnk
backup=E:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^Think-Adz.lnk]
path=E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\Think-Adz.lnk
backup=E:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F17CB8D8.exe]
E:\DOCUME~1\Freshly\LOCALS~1\Temp\_A00F17CB8D8.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
E:\WINDOWS\TEMP\win41.tmp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootService]
rundll32.exe "E:\WINDOWS\system32\__c00AD202.dat",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
C:\Program Files\BraveSentry\BraveSentry.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
E:\WINDOWS\system32\wbem\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
rundll32.exe E:\WINDOWS\system32\drvfar.dll,startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
E:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\epyvqdqp]
rundll32.exe "E:\Program Files\epyvqdqp\wfslopkv.dll",Init

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
E:\WINDOWS\system32\mwinndq.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f8075fe6]
rundll32.exe "E:\WINDOWS\system32\mhooucib.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack6]
"E:\Program Files\ISM2\ISMPack6.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"E:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MacLicense]
"E:\Program Files\MacOpener\MacLic.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mdqpituh]
regsvr32 /u "E:\Documents and Settings\All Users\Application Data\mdqpituh.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\noskrnl]
E:\WINDOWS\noskrnl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plite731]
E:\WINDOWS\plite731.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
E:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
"E:\Program Files\QdrPack\QdrPack9.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
E:\WINDOWS\tsitra1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
E:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sc]
E:\Program Files\All-In-One Spy\run.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
E:\WINDOWS\system32\vedxg6ame4.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShareSearcher]
c:\wsusupd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TuneUp MemOptimizer]
"C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tydwvmxi]
regsvr32 /u "E:\Documents and Settings\All Users\Application Data\tydwvmxi.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
E:\WINDOWS\system32\winter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
E:\Program Files\Web Buying\v1.8.5\webbuying.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
E:\Program Files\WinAble\winable.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
C:\Windows\xpupdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{75-5F-F4-49-ZN}]
e:\windows\system32\dsrng.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TUWinStylerThemeSvc"=2 (0x2)
"SandraTheSrv"=3 (0x3)
"SandraDataSrv"=3 (0x3)
"RKKW"=2 (0x2)
"ose"=3 (0x3)
"Microsoft Internet Service"=2 (0x2)
"MacFormatService"=2 (0x2)
"lsass"=2 (0x2)
"iPod Service"=3 (0x3)
"IDriverT"=3 (0x3)
"FAH@E:+Program Files+Folding+FAH504-Console.exe"=2 (0x2)
"FAH@D:+FAH504-Console.exe"=2 (0x2)
"DomainService"=2 (0x2)
"cmdService"=2 (0x2)
"ATI Smart"=2 (0x2)
"Ati HotKey Poller"=2 (0x2)
"aspimgr"=2 (0x2)
"Apple Mobile Device"=2 (0x2)
"Adobe LM Service"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nForce Tray Options"=sstray.exe /r
"AtiPTA"=atiptaxx.exe

R0 MacOpen;MacOpen;E:\WINDOWS\system32\drivers\MacOpen.sys
R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;E:\WINDOWS\system32\drivers\si3112r.sys
R0 SiWinAcc;SiWinAcc;E:\WINDOWS\system32\drivers\SiWinAcc.sys
R3 Tetris;Tetris driver;E:\WINDOWS\system32\Drivers\Tetris.sys
S1 atitray;atitray;\??\E:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys
S2 aic78x5;aic78x5;E:\WINDOWS\system32\drivers\aic78x5.sys
S2 ithsgt;ithsgt;E:\WINDOWS\system32\DRIVERS\ithsgt.sys
S2 lilsgt;lilsgt;E:\WINDOWS\system32\DRIVERS\lilsgt.sys
S2 PfDetNT;PfDetNT;\??\E:\WINDOWS\system32\drivers\PfModNT.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\E:\WINDOWS\System32\DRIVERS\ASPI32.sys
S3 EraserUtilDrv10733;EraserUtilDrv10733;\??\E:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10733.sys
S3 jbridgep;jbridgep;\??\E:\DOCUME~1\Evan\LOCALS~1\Temp\jbridgep.sys
S4 FAH@D:+FAH504-Console.exe;FAH@D:+FAH504-Console.exe;D:\FAH504-Console.exe -svcstart
S4 FAH@E:+Documents and Settings+Evan+Desktop+FAH504-Console.exe;FAH@E:+Documents and Settings+Evan+Desktop+FAH504-Console.exe;E:\Documents and Settings\Evan\Desktop\FAH504-Console.exe -svcstart
S4 FAH@E:+Program Files+Folding+FAH504-Console.exe;FAH@E:+Program Files+Folding+FAH504-Console.exe;E:\Program Files\Folding\FAH504-Console.exe -svcstart
S4 lsass;Local Security Authority Subsystem Service;"E:\WINDOWS\winlogon.exe"
S4 Microsoft Internet Service;Microsoft Internet Service;E:\WINDOWS\system32\_svchost.exe -A
S4 RKKW;Security Service;E:\WINDOWS\system32\svcd\svchost.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\H]
\Shell\AutoRun\command - H:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\J]
\Shell\AutoRun\command - J:\Setup\rsrc\autorun.exe
\Shell\dinstall\command - J:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 02:10:15 E:\WINDOWS\Tasks\1-Click Maintenance.job"
"2007-09-20 03:56:46 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-03 21:53:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="E:\WINDOWS\System32\es.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@D:+FAH504-Console.exe]
"ImagePath"="D:\FAH504-Console.exe -svcstart"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Documents and Settings+Evan+Desktop+FAH504-Console.exe]
"ImagePath"="E:\Documents and Settings\Evan\Desktop\FAH504-Console.exe -svcstart"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Program Files+Folding+FAH504-Console.exe]
.
Completion time: 2007-11-03 21:54:14 - machine was rebooted
.
--- E O F ---

Oops, apparently I forgot to grab the updated HijackThis log. I'll go grab and paste it in a second (have to run upstairs).

However, I did try out normal mode on both of my accounts to no avail; it generally hung up. I couldn't ctrl+alt+delete in one, and things were typically failing to load. Be back with the log.

ArbysOvenMitt
4 Nov 2007, 02:23am
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:04 PM, on 11/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Safe mode

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\Explorer.EXE
E:\HijackThis\HijackThis.exe

O2 - BHO: qiawpbjj.msdn_hlp - {026B5895-3E8E-49A9-8EEE-B52A326DA962} - E:\WINDOWS\system32\qiawpbjj.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O2 - BHO: (no name) - {820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04} - E:\WINDOWS\system32\yayxyxy.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - E:\WINDOWS\system32\igotsovh.dll
O2 - BHO: (no name) - {D27987B8-7244-4DE0-AE10-39B826B492F1} - E:\WINDOWS\system32\bronto.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - E:\WINDOWS\system32\igotsovh.dll
O4 - HKLM\..\Run: [MSConfig] E:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [ctfmon.exe] E:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - E:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127266059866
O20 - Winlogon Notify: igotsovh - E:\WINDOWS\SYSTEM32\igotsovh.dll
O20 - Winlogon Notify: yayxyxy - E:\WINDOWS\SYSTEM32\yayxyxy.dll
O20 - Winlogon Notify: __c007BCA1 - E:\WINDOWS\system32\__c007BCA1.dat (file missing)
O21 - SSODL: VzBAB - {F8075F4A-52AD-F5E0-7426-BEB4C599B277} - (no file)
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe

--
End of file - 3152 bytes

muuli
4 Nov 2007, 07:18pm
Hi,

Step 1

You should print out these instructions, or copy them to a NotePad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site.

Next, please reboot your computer in Safe Mode by doing the following :
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.

Once in Safe Mode, double-click on SmitfraudFix.exe
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted : "Registry cleaning - Do you want to clean the registry ?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Step 2

Open notepad and copy/paste the text in the quotebox below into it:

Driver::
lsass
Microsoft Internet Service
RKKW
File::
E:\WINDOWS\system32\drvfar.dll
E:\WINDOWS\system32\opnnnmm.dll
E:\WINDOWS\system32\dsrng.exe
E:\WINDOWS\system32\npdl.exe
E:\WINDOWS\system32\mwinndq.exe
E:\WINDOWS\system32\igotsovh.dll
E:\WINDOWS\system32\xgmnoltx.dll
E:\WINDOWS\system32\GE.dll
E:\WINDOWS\system32\qiawpbjj.dll
E:\WINDOWS\system32\rqrpnoo.dll
E:\WINDOWS\system32\xxyywut.dll
E:\WINDOWS\system32\hgghiij.dll
E:\WINDOWS\system32\qiawpbjj.exe
E:\WINDOWS\frexup2.exe
E:\WINDOWS\system32\yayxyxy.dll
E:\WINDOWS\plite731.exe
E:\WINDOWS\plite731_uninstaller_.bat
E:\WINDOWS\system32\mlfcache.dat
E:\Documents and Settings\Administrator\Start Menu\Programs\Startup\infos.exe
E:\WINDOWS\pss\infos.exe
E:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
E:\WINDOWS\pss\autos.exe
E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\infos.exe
E:\WINDOWS\pss\infos.exeStartup
E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\TA_Start.lnk
E:\WINDOWS\pss\TA_Start.lnk
E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\Think-Adz.lnk
E:\WINDOWS\pss\Think-Adz.lnk
E:\WINDOWS\system32\__c00AD202.dat
E:\WINDOWS\system32\wbem\csrss.exe
E:\WINDOWS\system32\mwinndq.exe
E:\Documents and Settings\All Users\Application Data\mdqpituh.dll
E:\WINDOWS\noskrnl.exe
E:\WINDOWS\tsitra1000106.exe
E:\WINDOWS\system32\vedxg6ame4.exe
c:\wsusupd.exe
E:\Documents and Settings\All Users\Application Data\tydwvmxi.dll
C:\Windows\xpupdate.exe
E:\WINDOWS\system32\_svchost.exe
E:\WINDOWS\winlogon.exe
E:\WINDOWS\system32\_svchost.exe
Folder::
E:\WINDOWS\system32\fkmdvbtn
E:\WINDOWS\system32\ehgvjcfi
E:\WINDOWS\system32\acespy
E:\WINDOWS\system32\svcd
E:\WINDOWS\RXZhbiBMb3ZlbHk
E:\WINDOWS\system32\Mz12r
E:\WINDOWS\system32\Mz02r
E:\Program Files\Nodrqkjo
E:\Program Files\E404 Helper
C:\Program Files\BraveSentry
E:\Program Files\epyvqdqp
E:\Program Files\ISM2
E:\Program Files\All-In-One Spy
E:\Program Files\Web Buying
E:\Program Files\WinAble
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-d9e3-4bc6-a0bd-3d0ca4be5271}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{026B5895-3E8E-49A9-8EEE-B52A326DA962}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{029e02f0-a0e5-4b19-b958-7bf2db29fb13}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0DBC8C01-05C0-452B-58BE-CE96FE520B72}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A8C2C57-93A7-0675-5A40-098909C6F6CC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d7cb618-cc1c-4126-a7e3-f5b12d3bcf71}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{37C39123-5ED3-472E-90C5-5A960BB4F182}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54645654-2225-4455-44A1-9F4543D34546}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5D32219E-1571-40C9-9E64-2E0DEF408469}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{669695bc-a811-4a9d-8cdf-ba8c795f261e}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6abc861a-31e7-4d91-b43b-d3c98f22a5c0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6AE7F116-2E51-440D-BABB-9E7CCAEC881F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a4a435cf-3583-11d4-91bd-0048546a1450}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{b8875bfe-b021-11d4-bfa8-00508b8e9bd3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c2680e10-1655-4a0e-87f8-4259325a84b7}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{c4ca6559-2cf1-48b6-96b2-8340a06fd129}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ca1d1b05-9c66-11d5-a009-000103c1e50b}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d8efadf1-9009-11d6-8c73-608c5dc19089}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9147a0a-a866-4214-b47c-da821891240f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e9306072-417e-43e3-81d5-369490beef7c}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F10587E9-0E47-4CBE-84AE-7DD20B8684BB}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{820A2C8D-DFC0-4A9F-B3CA-4410CA4F7C04}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayxyxy]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007BCA1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Administrator^Start Menu^Programs^Startup^infos.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^autos.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^infos.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^TA_Start.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^Think-Adz.lnk]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\A00F17CB8D8.exe]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BootService]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Brave-Sentry]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\epyvqdqp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f8075fe6]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISMPack6]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mdqpituh]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\noskrnl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\plite731]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sc]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Service Pack 1]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShareSearcher]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\tydwvmxi]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WebBuying]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinAble]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows update loader]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{75-5F-F4-49-ZN}]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"RKKW"=-
"ose"=-
"Microsoft Internet Service"=-
"lsass"=-
"DomainService"=-
"cmdService"=-
"aspimgr"=-

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Step 3

Try again to boot your computer into normal mode and tell me how it is working.

And please post a fresh HijackThis log, SmitfraudFix log and ComboFix log.
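
The two persistence points that the CFScript above undoes are the Winlogon Notify packages (DLLs loaded into winlogon.exe at logon) and the LSA "Authentication Packages" value (DLLs loaded into lsass.exe at boot), plus the hex(7) value that writes the default package list back. As an added example, not code from this thread or from ComboFix/SmitfraudFix, the Python below parses those entries out of a ComboFix-style autostart dump and checks that the hex(7) value decodes to msv1_0 only. The sample log lines are copied from the dump posted earlier in the thread; the function names, KNOWN_GOOD_AUTH_PACKAGES, and the UTF-16 detection rule are my own. One caveat the decoder handles: regedit exports hex(7) REG_MULTI_SZ as UTF-16LE, whereas the script above spells msv1_0 as single-byte ASCII, so both encodings are accepted.

```python
"""Audit ComboFix-style autostart entries for logon persistence and verify
that a CFScript REG_MULTI_SZ fix restores the default LSA package list.
Added example; not part of ComboFix, SmitfraudFix or this thread."""
import re

# Constructed sample: three entries copied from the ComboFix dump posted
# earlier in this thread (two Winlogon Notify packages and the LSA key).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igotsovh]
igotsovh.dll 2007-10-30 13:35 340032 E:\WINDOWS\system32\igotsovh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\__c007BCA1]
E:\WINDOWS\system32\__c007BCA1.dat

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 E:\WINDOWS\system32\awvtt.dll
"""

# The value the CFScript in this thread writes back to the LSA key.
CFSCRIPT_LSA_VALUE = "hex(7):6d,73,76,31,5f,30,00,00"

# On a stock Windows XP install the only LSA authentication package is msv1_0
# (NTLM); any extra module listed here is loaded into lsass.exe at boot.
KNOWN_GOOD_AUTH_PACKAGES = {"msv1_0"}


def decode_reg_multi_sz(hex7):
    """Decode a .reg-style 'hex(7):aa,bb,...' REG_MULTI_SZ into its strings.

    regedit exports hex(7) as UTF-16LE; the CFScript above uses single-byte
    ASCII. Heuristic: if every second byte is zero, treat as UTF-16LE,
    otherwise as single-byte text (a NUL-heavy ANSI string could misdetect).
    """
    body = hex7.split(":", 1)[1]
    # .reg files continue long hex runs with a trailing backslash; drop them.
    data = bytes(int(b, 16) for b in body.replace("\\", "").split(",") if b.strip())
    if len(data) % 2 == 0 and all(b == 0 for b in data[1::2]):
        text = data.decode("utf-16-le")
    else:
        text = data.decode("latin-1")
    # REG_MULTI_SZ is NUL-separated and double-NUL terminated.
    return [s for s in text.split("\x00") if s]


def parse_autostart_log(text):
    """Return (registry_key, value_line) pairs from a ComboFix autostart dump."""
    entries = []
    key = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            key = m.group(1)
        elif key is not None:
            entries.append((key, line))
    return entries


def audit(entries):
    """Report every Winlogon Notify package for manual review and any LSA
    authentication package that is not in the known-good set."""
    findings = []
    for key, value in entries:
        lkey = key.lower()
        if "\\winlogon\\notify\\" in lkey:
            name = key.rsplit("\\", 1)[1]
            # Last token is the module path (assumes no spaces in the path,
            # which holds for the system32 paths in this dump).
            path = value.split()[-1]
            findings.append(f"Winlogon Notify '{name}' loads {path}")
        elif lkey.endswith("\\control\\lsa") and value.startswith('"Authentication Packages"'):
            packages = value.split("=", 1)[1].split()
            for pkg in packages:
                if pkg.lower() not in KNOWN_GOOD_AUTH_PACKAGES:
                    findings.append(f"LSA Authentication Packages has non-default entry {pkg}")
    return findings


def fix_restores_default(hex7):
    """True if the proposed REG_MULTI_SZ leaves only the default msv1_0 package."""
    return decode_reg_multi_sz(hex7) == sorted(KNOWN_GOOD_AUTH_PACKAGES)


if __name__ == "__main__":
    for finding in audit(parse_autostart_log(SAMPLE_LOG)):
        print(finding)
    print("CFScript LSA value decodes to:", decode_reg_multi_sz(CFSCRIPT_LSA_VALUE))
```

Run against the sample it reports the two Notify DLLs and awvtt.dll as the non-default LSA package, and confirms the CFScript value decodes to exactly ["msv1_0"]. The same parser works on the full autostart section of a ComboFix log pasted into SAMPLE_LOG.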

ArbysOvenMitt
4 Nov 2007, 08:27pm
Here are the logs I got. Unfortunately, I can't seem to get SmitfraudFix to run any more. It restarts my computer but never actually runs. Also, normal mode remains unchanged, regardless of all the progress.

ComboFix 07-11-01.1 - Administrator 2007-11-04 16:01:07.3 - NTFSx86 MINIMAL
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.827 [GMT -5:00]
Running from: E:\Documents and Settings\Administrator\Desktop\ComboFix.exe
Command switches used :: E:\Documents and Settings\Administrator\Desktop\CFScript.txt

FILE::
C:\Windows\xpupdate.exe
c:\wsusupd.exe
E:\Documents and Settings\Administrator\Start Menu\Programs\Startup\infos.exe
E:\Documents and Settings\All Users\Application Data\mdqpituh.dll
E:\Documents and Settings\All Users\Application Data\tydwvmxi.dll
E:\Documents and Settings\All Users\Start Menu\Programs\Startup\autos.exe
E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\infos.exe
E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\TA_Start.lnk
E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\Think-Adz.lnk
E:\WINDOWS\frexup2.exe
E:\WINDOWS\noskrnl.exe
E:\WINDOWS\plite731.exe
E:\WINDOWS\plite731_uninstaller_.bat
E:\WINDOWS\pss\autos.exe
E:\WINDOWS\pss\infos.exe
E:\WINDOWS\pss\infos.exeStartup
E:\WINDOWS\pss\TA_Start.lnk
E:\WINDOWS\pss\Think-Adz.lnk
E:\WINDOWS\system32\__c00AD202.dat
E:\WINDOWS\system32\_svchost.exe
E:\WINDOWS\system32\drvfar.dll
E:\WINDOWS\system32\dsrng.exe
E:\WINDOWS\system32\GE.dll
E:\WINDOWS\system32\hgghiij.dll
E:\WINDOWS\system32\igotsovh.dll
E:\WINDOWS\system32\mlfcache.dat
E:\WINDOWS\system32\mwinndq.exe
E:\WINDOWS\system32\npdl.exe
E:\WINDOWS\system32\opnnnmm.dll
E:\WINDOWS\system32\qiawpbjj.dll
E:\WINDOWS\system32\qiawpbjj.exe
E:\WINDOWS\system32\rqrpnoo.dll
E:\WINDOWS\system32\vedxg6ame4.exe
E:\WINDOWS\system32\wbem\csrss.exe
E:\WINDOWS\system32\xgmnoltx.dll
E:\WINDOWS\system32\xxyywut.dll
E:\WINDOWS\system32\yayxyxy.dll
E:\WINDOWS\tsitra1000106.exe
E:\WINDOWS\winlogon.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\wsusupd.exe
E:\WINDOWS\frexup2.exe
E:\WINDOWS\plite731.exe
E:\WINDOWS\plite731_uninstaller_.bat
E:\WINDOWS\pss\infos.exeStartup
E:\WINDOWS\RXZhbiBMb3ZlbHk
E:\WINDOWS\RXZhbiBMb3ZlbHk\lrt1v21gvat5vJ4.vbs
E:\WINDOWS\system32\acespy
E:\WINDOWS\system32\drvfar.dll
E:\WINDOWS\system32\dsrng.exe
E:\WINDOWS\system32\ehgvjcfi
E:\WINDOWS\system32\ehgvjcfi\bg1.gif
E:\WINDOWS\system32\ehgvjcfi\bgtop.gif
E:\WINDOWS\system32\ehgvjcfi\bottom1.gif
E:\WINDOWS\system32\ehgvjcfi\essentials.gif
E:\WINDOWS\system32\ehgvjcfi\icon1.ico
E:\WINDOWS\system32\ehgvjcfi\install1.gif
E:\WINDOWS\system32\ehgvjcfi\left1.gif
E:\WINDOWS\system32\ehgvjcfi\li.gif
E:\WINDOWS\system32\ehgvjcfi\logo.gif
E:\WINDOWS\system32\ehgvjcfi\main.htm
E:\WINDOWS\system32\ehgvjcfi\mainframe.htm
E:\WINDOWS\system32\ehgvjcfi\reinstall1.gif
E:\WINDOWS\system32\ehgvjcfi\right1.gif
E:\WINDOWS\system32\ehgvjcfi\s1.htm
E:\WINDOWS\system32\ehgvjcfi\s2.htm
E:\WINDOWS\system32\ehgvjcfi\s3.htm
E:\WINDOWS\system32\ehgvjcfi\SMTop1.gif
E:\WINDOWS\system32\ehgvjcfi\SMTop2.gif
E:\WINDOWS\system32\ehgvjcfi\SMTop3.gif
E:\WINDOWS\system32\ehgvjcfi\SMTop4.gif
E:\WINDOWS\system32\ehgvjcfi\soft1_off.gif
E:\WINDOWS\system32\ehgvjcfi\soft1_off_ext.gif
E:\WINDOWS\system32\ehgvjcfi\soft1_on.gif
E:\WINDOWS\system32\ehgvjcfi\soft1_on_ext.gif
E:\WINDOWS\system32\ehgvjcfi\soft2_off.gif
E:\WINDOWS\system32\ehgvjcfi\soft2_off_ext.gif
E:\WINDOWS\system32\ehgvjcfi\soft2_on.gif
E:\WINDOWS\system32\ehgvjcfi\soft2_on_ext.gif
E:\WINDOWS\system32\ehgvjcfi\soft3_off.gif
E:\WINDOWS\system32\ehgvjcfi\soft3_off_ext.gif
E:\WINDOWS\system32\ehgvjcfi\soft3_on.gif
E:\WINDOWS\system32\ehgvjcfi\soft3_on_ext.gif
E:\WINDOWS\system32\ehgvjcfi\softbottom_off.gif
E:\WINDOWS\system32\ehgvjcfi\softbottom_on.gif
E:\WINDOWS\system32\ehgvjcfi\softleft_off.gif
E:\WINDOWS\system32\ehgvjcfi\softleft_on.gif
E:\WINDOWS\system32\ehgvjcfi\top1.gif
E:\WINDOWS\system32\ehgvjcfi\top2.gif
E:\WINDOWS\system32\ehgvjcfi\turnoff1.gif
E:\WINDOWS\system32\ehgvjcfi\turnon1.gif
E:\WINDOWS\system32\fkmdvbtn
E:\WINDOWS\system32\fkmdvbtn\bg1.gif
E:\WINDOWS\system32\fkmdvbtn\bgtop.gif
E:\WINDOWS\system32\fkmdvbtn\bottom1.gif
E:\WINDOWS\system32\fkmdvbtn\essentials.gif
E:\WINDOWS\system32\fkmdvbtn\icon1.ico
E:\WINDOWS\system32\fkmdvbtn\install1.gif
E:\WINDOWS\system32\fkmdvbtn\left1.gif
E:\WINDOWS\system32\fkmdvbtn\li.gif
E:\WINDOWS\system32\fkmdvbtn\logo.gif
E:\WINDOWS\system32\fkmdvbtn\main.htm
E:\WINDOWS\system32\fkmdvbtn\mainframe.htm
E:\WINDOWS\system32\fkmdvbtn\reinstall1.gif
E:\WINDOWS\system32\fkmdvbtn\right1.gif
E:\WINDOWS\system32\fkmdvbtn\s1.htm
E:\WINDOWS\system32\fkmdvbtn\s2.htm
E:\WINDOWS\system32\fkmdvbtn\s3.htm
E:\WINDOWS\system32\fkmdvbtn\SMTop1.gif
E:\WINDOWS\system32\fkmdvbtn\SMTop2.gif
E:\WINDOWS\system32\fkmdvbtn\SMTop3.gif
E:\WINDOWS\system32\fkmdvbtn\SMTop4.gif
E:\WINDOWS\system32\fkmdvbtn\soft1_off.gif
E:\WINDOWS\system32\fkmdvbtn\soft1_off_ext.gif
E:\WINDOWS\system32\fkmdvbtn\soft1_on.gif
E:\WINDOWS\system32\fkmdvbtn\soft1_on_ext.gif
E:\WINDOWS\system32\fkmdvbtn\soft2_off.gif
E:\WINDOWS\system32\fkmdvbtn\soft2_off_ext.gif
E:\WINDOWS\system32\fkmdvbtn\soft2_on.gif
E:\WINDOWS\system32\fkmdvbtn\soft2_on_ext.gif
E:\WINDOWS\system32\fkmdvbtn\soft3_off.gif
E:\WINDOWS\system32\fkmdvbtn\soft3_off_ext.gif
E:\WINDOWS\system32\fkmdvbtn\soft3_on.gif
E:\WINDOWS\system32\fkmdvbtn\soft3_on_ext.gif
E:\WINDOWS\system32\fkmdvbtn\softbottom_off.gif
E:\WINDOWS\system32\fkmdvbtn\softbottom_on.gif
E:\WINDOWS\system32\fkmdvbtn\softleft_off.gif
E:\WINDOWS\system32\fkmdvbtn\softleft_on.gif
E:\WINDOWS\system32\fkmdvbtn\top1.gif
E:\WINDOWS\system32\fkmdvbtn\top2.gif
E:\WINDOWS\system32\fkmdvbtn\turnoff1.gif
E:\WINDOWS\system32\fkmdvbtn\turnon1.gif
E:\WINDOWS\system32\GE.dll
E:\WINDOWS\system32\hgghiij.dll
E:\WINDOWS\system32\igotsovh.dll
E:\WINDOWS\system32\igotsovh.dllbox
E:\WINDOWS\system32\mlfcache.dat
E:\WINDOWS\system32\mwinndq.exe
E:\WINDOWS\system32\Mz02r
E:\WINDOWS\system32\Mz02r\Mz02r1065.exe
E:\WINDOWS\system32\Mz12r
E:\WINDOWS\system32\Mz12r\Mz12r2215.exe
E:\WINDOWS\system32\npdl.exe
E:\WINDOWS\system32\opnnnmm.dll
E:\WINDOWS\system32\qiawpbjj.dll
E:\WINDOWS\system32\qiawpbjj.exe
E:\WINDOWS\system32\rqrpnoo.dll
E:\WINDOWS\system32\svcd
E:\WINDOWS\system32\svcd\svchost.exe
E:\WINDOWS\system32\wbem\csrss.exe
E:\WINDOWS\system32\xgmnoltx.dll
E:\WINDOWS\system32\xxyywut.dll
E:\WINDOWS\system32\yayxyxy.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_LSASS
-------\LEGACY_MICROSOFT_INTERNET_SERVICE
-------\LEGACY_RKKW
-------\lsass
-------\Microsoft Internet Service
-------\RKKW


((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

2007-11-04 15:24 <DIR> d-------- E:\WINDOWS\LastGood.Tmp
2007-11-03 21:55 <DIR> d-------- E:\HijackThis
2007-11-03 21:45 51,200 --a------ E:\WINDOWS\NirCmd.exe
2007-11-03 19:00 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\U3
2007-10-31 13:17 <DIR> d-------- E:\Program Files\Common Files\Symantec Shared
2007-10-31 13:06 1,194 --a------ E:\WINDOWS\system32\tmp.reg
2007-10-31 13:04 289,144 --a------ E:\WINDOWS\system32\VCCLSID.exe
2007-10-31 13:04 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
2007-10-31 13:04 53,248 --a------ E:\WINDOWS\system32\Process.exe
2007-10-31 13:04 51,200 --a------ E:\WINDOWS\system32\dumphive.exe
2007-10-31 13:04 25,600 --a------ E:\WINDOWS\system32\WS2Fix.exe
2007-10-31 13:00 3,144 --a------ E:\WINDOWS\system32\SProxy_tmp.dll
2007-10-30 23:20 <DIR> d-------- E:\Program Files\microsoft frontpage
2007-10-30 18:13 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\TuneUp Software
2007-10-30 17:43 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\Talkback
2007-10-30 17:00 <DIR> d-------- E:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-10-30 12:16 <DIR> d-------- E:\Documents and Settings\Freshly\Application Data\Lavasoft
2007-10-23 00:22 <DIR> d-------- E:\Temp
2007-10-22 22:40 <DIR> d-------- E:\Program Files\mIRC
2007-10-22 08:45 <DIR> d-------- E:\Program Files\Activision
2007-10-22 08:36 <DIR> d--hs---- E:\WINDOWS\ftpcache
2007-10-22 08:34 <DIR> d-------- E:\Program Files\MagicDisc
2007-10-22 08:34 92,544 --a------ E:\WINDOWS\system32\drivers\mcdbus.sys
2007-10-09 12:10 442,368 -ra------ E:\WINDOWS\system32\vp6vfw.dll
2007-10-07 16:00 <DIR> d-------- E:\Program Files\WinUHA
2007-10-04 15:20 <DIR> d-------- E:\Documents and Settings\Freshly\Application Data\atitray
2007-10-04 12:46 516,096 --------- E:\WINDOWS\system32\ati2sgag.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-31 18:20 359,808 ----a-w E:\WINDOWS\system32\drivers\tcpip.sys
2007-10-22 20:08 139,264 ----a-w E:\WINDOWS\War3Unin.exe
2007-10-22 14:07 --------- d--h--w E:\Program Files\InstallShield Installation Information
2007-10-04 20:12 --------- d-----w E:\Program Files\Radeon Omega Drivers
2007-10-04 17:33 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.413 Uninstall.exe
2007-10-04 17:17 --------- d-----w E:\Program Files\Common Files\Adobe
2007-10-02 17:48 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.360 Uninstall.exe
2007-10-02 17:34 --------- d-----w E:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-28 19:39 --------- d-----w E:\Program Files\Microsoft Games
2007-09-26 04:25 --------- d-----w E:\Program Files\iTunes
2007-09-26 04:25 --------- d-----w E:\Program Files\iPod
2007-09-15 13:39 --------- d-----w E:\Program Files\Apple Software Update
.

((((((((((((((((((((((((((((( snapshot@2007-11-03_21.53.51.25 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-02-25 00:35:06 14,048 ----a-w E:\WINDOWS\system32\spmsg.dll
+ 2005-05-03 17:58:20 13,536 ------w E:\WINDOWS\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2003-10-06 01:57 E:\WINDOWS\system32\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igotsovh]
igotsovh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacName.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\MacName.lnk
backup=E:\WINDOWS\pss\MacName.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
backup=E:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=E:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^TrayIt!.lnk]
path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\TrayIt!.lnk
backup=E:\WINDOWS\pss\TrayIt!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^Think-Adz.lnk]
path=E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\Think-Adz.lnk
backup=E:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
E:\WINDOWS\system32\wbem\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
E:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
E:\WINDOWS\system32\mwinndq.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"E:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MacLicense]
"E:\Program Files\MacOpener\MacLic.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
E:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
"E:\Program Files\QdrPack\QdrPack9.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
E:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TuneUp MemOptimizer]
"C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
E:\WINDOWS\system32\winter.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"E:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_7 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
E:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"nForce Tray Options"=sstray.exe /r
"AtiPTA"=atiptaxx.exe

S1 atitray;atitray;\??\E:\Program Files\Ray Adams\ATI Tray Tools\atitray.sys
S2 aic78x5;aic78x5;E:\WINDOWS\system32\drivers\aic78x5.sys
S3 ASPI;Advanced SCSI Programming Interface Driver;\??\E:\WINDOWS\System32\DRIVERS\ASPI32.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\D]
\Shell\AutoRun\command - D:\Autorun.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\G]
\Shell\AutoRun\command - G:\OblivionLauncher.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\H]
\Shell\AutoRun\command - H:\autoplay.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\J]
\Shell\AutoRun\command - J:\Setup\rsrc\autorun.exe
\Shell\dinstall\command - J:\Directx\dxsetup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints 2\K]
\Shell\AutoRun\command - K:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-10-27 02:10:15 E:\WINDOWS\Tasks\1-Click Maintenance.job"
"2007-09-20 03:56:46 E:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- E:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-04 16:04:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
"ServiceDll"="E:\WINDOWS\System32\es.dll"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@D:+FAH504-Console.exe]
"ImagePath"="D:\FAH504-Console.exe -svcstart"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Documents and Settings+Evan+Desktop+FAH504-Console.exe]
"ImagePath"="E:\Documents and Settings\Evan\Desktop\FAH504-Console.exe -svcstart"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\FAH@E:+Program Files+Folding+FAH504-Console.exe]
.
Completion time: 2007-11-04 16:05:07 - machine was rebooted
E:\ComboFix2.txt ... 2007-11-04 15:54
E:\ComboFix3.txt ... 2007-11-03 21:54
.
--- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:17:10 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Safe mode

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\explorer.exe
E:\HijackThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\npjpi150_06.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - E:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127266059866
O20 - Winlogon Notify: igotsovh - igotsovh.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FAH@D:+FAH504-Console.exe - Unknown owner - D:\FAH504-Console.exe (file missing)
O23 - Service: FAH@E:+Program Files+Folding+FAH504-Console.exe - Unknown owner - E:\Program Files\Folding\FAH504-Console.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacFormatService - DataViz Inc. - E:\Program Files\MacOpener\FORMATM.EXE
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR2a\RpcSandraSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 3690 bytes



SmitFraudFix v2.247

Scan done at 16:15:03.07, Sun 11/04/2007
Run from E:\Documents and Settings\Administrator\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» DNS



»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

ArbysOvenMitt
4 Nov 2007, 08:34pm
Well after a long delay my computer finally loaded into normal mode. Internet wasn't working (couldn't find adapters), New Hardware Found kept popping up to install an 'Unknown' device, and when I attempted to install Norton 2008 I got the BSOD as it was scanning before the installation.

muuli
4 Nov 2007, 09:46pm
Hi,

Now that you can open your computer in normal mode, please run HijackThis and ComboFix in normal mode and post the logs :)

ArbysOvenMitt
4 Nov 2007, 10:08pm
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:02:30 PM, on 11/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\csrss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\savedump.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\svchost.exe
C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\Ati2evxx.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\taskmgr.exe
E:\HijackThis\HijackThis.exe
E:\Program Files\MacOpener\FORMATM.EXE
E:\WINDOWS\System32\msiexec.exe
E:\WINDOWS\system32\wdfmgr.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\System32\imapi.exe
E:\WINDOWS\System32\wbem\wmiprvse.exe
E:\WINDOWS\system32\rundll32.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - E:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PacificPoker - {94EDF7B4-4272-4af3-8F8B-4E2F68E225B7} - E:\PROGRA~1\PACIFI~1\pacificpoker.exe (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - E:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe (file missing)
O15 - ProtocolDefaults: '@ivt' protocol is in My Computer Zone, should be Intranet Zone
O15 - ProtocolDefaults: 'file' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'ftp' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'https' protocol is in My Computer Zone, should be Internet Zone
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1127266059866
O20 - Winlogon Notify: igotsovh - igotsovh.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - E:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - E:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - E:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - E:\WINDOWS\system32\ati2sgag.exe
O23 - Service: FAH@D:+FAH504-Console.exe - Unknown owner - D:\FAH504-Console.exe (file missing)
O23 - Service: FAH@E:+Program Files+Folding+FAH504-Console.exe - Unknown owner - E:\Program Files\Folding\FAH504-Console.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - E:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MacFormatService - DataViz Inc. - E:\Program Files\MacOpener\FORMATM.EXE
O23 - Service: Sandra Data Service (SandraDataSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR2a\RpcDataSrv.exe
O23 - Service: Sandra Service (SandraTheSrv) - SiSoftware - E:\Program Files\SiSoftware\SiSoftware Sandra Professional 2005.SR2a\RpcSandraSrv.exe
O23 - Service: TuneUp WinStyler Theme Service (TUWinStylerThemeSvc) - TuneUp Software GmbH - C:\Program Files\TuneUp Utilities 2006\WinStylerThemeSvc.exe

--
End of file - 5039 bytes



ComboFix 07-11-01.1 - Evan 11/04/2007 18:04:34.4 - NTFSx86
Running from: E:\Documents and Settings\Administrator\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

E:\DOCUME~1\Evan\APPLIC~1\macromedia\Flash Player\#SharedObjects\P96U2CTK\www.broadcaster.com
E:\DOCUME~1\Evan\APPLIC~1\macromedia\Flash Player\#SharedObjects\P96U2CTK\www.broadcaster.com\played_list.sol
E:\DOCUME~1\Evan\APPLIC~1\macromedia\Flash Player\#SharedObjects\P96U2CTK\www.broadcaster.com\video_queue.sol
E:\DOCUME~1\Evan\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
E:\DOCUME~1\Evan\APPLIC~1\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
E:\DOCUME~1\Evan\Desktop\Go to Casino.lnk
E:\DOCUME~1\Evan\Desktop\Live Safety Center.lnk
E:\DOCUME~1\Evan\Desktop\Online Security Guide.lnk
E:\DOCUME~1\Evan\FAVORI~1\Online Security Guide.lnk

.
((((((((((((((((((((((((( Files Created from 2007-10-04 to 2007-11-04 )))))))))))))))))))))))))))))))
.

No new files created in this timespan

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-04 21:36 --------- d-----w E:\Program Files\Common Files\Symantec Shared
2007-11-04 00:01 --------- d-----w E:\Documents and Settings\Administrator\Application Data\U3
2007-10-31 18:20 359,808 ----a-w E:\WINDOWS\system32\drivers\tcpip.sys
2007-10-31 04:20 --------- d-----w E:\Program Files\microsoft frontpage
2007-10-30 23:13 --------- d-----w E:\Documents and Settings\Administrator\Application Data\TuneUp Software
2007-10-30 22:43 --------- d-----w E:\Documents and Settings\Administrator\Application Data\Talkback
2007-10-30 22:00 --------- d-----w E:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-10-30 17:16 --------- d-----w E:\Documents and Settings\Freshly\Application Data\Lavasoft
2007-10-27 15:43 --------- d-----w E:\DOCUME~1\Evan\APPLIC~1\uTorrent
2007-10-23 05:27 --------- d-----w E:\DOCUME~1\Evan\APPLIC~1\mIRC
2007-10-23 03:49 --------- d-----w E:\Program Files\mIRC
2007-10-22 20:08 139,264 ----a-w E:\WINDOWS\War3Unin.exe
2007-10-22 14:07 --------- d--h--w E:\Program Files\InstallShield Installation Information
2007-10-22 13:45 --------- d-----w E:\Program Files\Activision
2007-10-22 13:34 --------- d-----w E:\Program Files\MagicDisc
2007-10-16 03:25 3,144 ----a-w E:\WINDOWS\system32\SProxy_tmp.dll
2007-10-07 21:00 --------- d-----w E:\Program Files\WinUHA
2007-10-04 20:20 --------- d-----w E:\Documents and Settings\Freshly\Application Data\atitray
2007-10-04 20:12 --------- d-----w E:\Program Files\Radeon Omega Drivers
2007-10-04 17:33 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.413 Uninstall.exe
2007-10-04 17:17 --------- d-----w E:\Program Files\Common Files\Adobe
2007-10-04 04:36 25,600 ----a-w E:\WINDOWS\system32\WS2Fix.exe
2007-10-02 17:48 451,072 ----a-w E:\WINDOWS\Radeon Omega Drivers v3.8.360 Uninstall.exe
2007-10-02 17:34 --------- d-----w E:\Documents and Settings\All Users\Application Data\Viewpoint
2007-09-28 19:39 --------- d-----w E:\Program Files\Microsoft Games
2007-09-26 04:25 --------- d-----w E:\Program Files\iTunes
2007-09-26 04:25 --------- d-----w E:\Program Files\iPod
2007-09-15 13:39 --------- d-----w E:\Program Files\Apple Software Update
2007-09-06 04:22 289,144 ----a-w E:\WINDOWS\system32\VCCLSID.exe
2007-09-05 05:46 92,544 ----a-w E:\WINDOWS\system32\drivers\mcdbus.sys
.

((((((((((((((((((((((((((((( snapshot@2007-11-03_21.53.51.25 )))))))))))))))))))))))))))))))))))))))))
.
+ 2004-08-04 06:14:10 73,472 ----a-w E:\WINDOWS\bck8.dat
- 2005-02-25 00:35:06 14,048 ----a-w E:\WINDOWS\system32\spmsg.dll
+ 2005-05-03 17:58:20 13,536 ------w E:\WINDOWS\system32\spmsg.dll
+ 2007-11-04 23:05:59 53,248 ----a-w E:\WINDOWS\TEMP\txsplnkcLS.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [10/06/2003 01:57 AM E:\WINDOWS\system32\CTHELPER.EXE]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igotsovh]
igotsovh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=E:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^All Users^Start Menu^Programs^Startup^MacName.lnk]
path=E:\Documents and Settings\All Users\Start Menu\Programs\Startup\MacName.lnk
backup=E:\WINDOWS\pss\MacName.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^Folding@Home 5.03.lnk]
path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\Folding@Home 5.03.lnk
backup=E:\WINDOWS\pss\Folding@Home 5.03.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=E:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Evan^Start Menu^Programs^Startup^TrayIt!.lnk]
path=E:\Documents and Settings\Evan\Start Menu\Programs\Startup\TrayIt!.lnk
backup=E:\WINDOWS\pss\TrayIt!.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\E:^Documents and Settings^Freshly^Start Menu^Programs^Startup^Think-Adz.lnk]
path=E:\Documents and Settings\Freshly\Start Menu\Programs\Startup\Think-Adz.lnk
backup=E:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
"E:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AtiPTA]
atiptaxx.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\csrss]
E:\WINDOWS\system32\wbem\csrss.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
E:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
"C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
E:\WINDOWS\system32\mwinndq.exe CHD001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"E:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MacLicense]
"E:\Program Files\MacOpener\MacLic.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PWRISOVM.EXE]
E:\Program Files\PowerISO\PWRISOVM.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QdrPack9]
"E:\Program Files\QdrPack\QdrPack9.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"E:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SBDrvDet]
E:\Program Files\Creative\SB Drive Det\SBDrvDet.exe /r

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TuneUp MemOptimizer]
"C:\Program Files\TuneUp Utilities 2006\MemOptimizer.exe" autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Undefined]
E:\WINDOWS\system32\wint