The horrors of smitfraud-c!
Hey everyone
I have Smitfraud-C on my computer. I followed two online tutorials on fixing it to no results, plus I read many people's posts on how this is a complicated virus and so I should ask others for help instead of trying to get rid of it myself. So here I am.
Please help me to get rid of this virus. Spybot finds 2 entries of Smitfraud-C whenever I run it, one of which it fixes (a registry key) and one of which it doesn't (a file).
The virus seems to install spyware on my computer (well, anyway I get much more spyware than I'm used to getting) and when trying to run Spyware Doctor my computer crashes with a blue screen.
Here's a log from HT.
THANKS in advance
Logfile of HijackThis v1.99.1
Scan saved at 21:46:01, on 15/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\Common Files\Autodesk Shared\WSCommCntr1.exe
C:\WINDOWS\system32\msiexec.exe
C:\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles/3vomjl5r.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Software\Spftware\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Software\Spftware\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{52508E81-8C17-4652-A71A-2E13CBF016CA}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6689DD5F-CB8C-43A6-9579-241529A9F044}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{8120C8A3-59D7-4033-8A6A-985B4F1EEF9E}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D30D44-C037-4E3C-B0B6-487E1C7D86BF}: NameServer = 165.76.4.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: BsHEUSWBly - {4CD60C93-E67C-A639-FCD1-76967001091B} - C:\WINDOWS\system32\qid.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi115004.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
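Threads like this one triage a HijackThis log by eye: entries that still point at files that are gone, Winlogon Notify packages that are not part of a default Windows XP install or that load from outside system32, and a static NameServer that overrides what DHCP hands out. As an added example (not code from the thread, from the helper, or from HijackThis itself), the Python script below parses entry lines in that format and applies those checks to a handful of lines constructed from the log above. The allowlist of default XP Winlogon Notify packages, the severity levels and the rules themselves are this example's own assumptions, meant as a first pass before a human reviews the log.

```python
"""Rule-based triage of HijackThis entry lines (added example, not from the thread).
The rules, severities and allowlist are this example's own assumptions."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample, modelled on entries quoted in the post above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O17 - HKLM\System\CCS\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: BsHEUSWBly - {4CD60C93-E67C-A639-FCD1-76967001091B} - C:\WINDOWS\system32\qid.dll (file missing)
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
"""

# Winlogon Notify packages shipped with Windows XP, plus WgaLogon (Windows Genuine
# Advantage). Assumption of this example: anything else deserves a second look.
KNOWN_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

# HijackThis entry lines start with a section tag such as R3, F2, O4 or O23.
ENTRY_RE = re.compile(r"^(R\d|F\d|O\d{1,2}) - (.*)$")


@dataclass
class Entry:
    section: str  # HijackThis section tag, e.g. "O20"
    body: str     # text after "O20 - "


@dataclass
class Finding:
    severity: str  # "info", "warn" or "high"
    section: str
    reason: str
    line: str


def parse_entries(text):
    """Keep only the 'Rn/Fn/Onn - ...' entry lines; headers and process lists are dropped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group(1), m.group(2)))
    return entries


def triage(entries):
    """Apply defender-side heuristics to parsed entries and return the findings."""
    findings = []
    for e in entries:
        line = f"{e.section} - {e.body}"

        def add(sev, why, section=e.section, line=line):
            findings.append(Finding(sev, section, why, line))

        # Any section: the registry still points at something that is gone.
        if "(file missing)" in e.body or "(no file)" in e.body:
            add("info", "orphaned reference: target no longer on disk")

        if e.section == "O20":
            m = re.match(r"Winlogon Notify: (\S+) - (.+)$", e.body)
            if m:
                name, path = m.groups()
                if name.lower() not in KNOWN_WINLOGON_NOTIFY:
                    add("high", f"unknown Winlogon Notify package '{name}'")
                if not path.lower().startswith("c:\\windows\\system32\\"):
                    add("high", "Winlogon Notify DLL loaded from outside system32")

        elif e.section == "O17":
            m = re.search(r"NameServer = ([\d.,]+)", e.body)
            if m:
                for ip in m.group(1).split(","):
                    sev = "info" if ipaddress.ip_address(ip).is_private else "warn"
                    add(sev, f"static DNS server {ip} overrides DHCP; confirm it is the ISP's")

        elif e.section == "O23" and re.search(r"- C:\\Program\.exe", e.body):
            # An unquoted "C:\Program Files\..." service path resolves to C:\Program.exe.
            add("warn", "service path was registered unquoted and truncates to C:\\Program.exe")

    return findings


def triage_log(text):
    return triage(parse_entries(text))


def summarize(findings):
    """Count findings per severity, e.g. {'high': 3, 'warn': 2, 'info': 3}."""
    counts = {"high": 0, "warn": 0, "info": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(summarize(triage_log(SAMPLE_LOG)))
```

Run against the sample it flags the two unfamiliar Winlogon Notify packages as high, the public static DNS server and the truncated service path as warn, and the three orphaned references as info; the Diskeeper service, with a vendor name and an intact path, produces nothing. The O17 rule deliberately does not decide whether 165.76.4.2 is malicious, since that needs knowledge of the ISP; it only surfaces that a static setting is overriding DHCP.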
Comments
Please download SmitfraudFix (by S!Ri)
Double-click SmitfraudFix.exe.
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.
**If the tool fails to launch from the Desktop, please move SmitfraudFix.exe directly to the root of the system drive (usually C:), and launch from there.
Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm
Please Download Deckard's System Scanner to your Desktop.
* Close all applications and windows.
* Double-click on Dss.exe to run it, and follow the prompts.
* The scan may take a minute. When the scan is complete, a text file will open - Main.txt and extra.txt
Post a fresh HijackThis log, DSS Main.txt and the SmitfraudFix report in your next reply. :)
Here are the reports. When trying to run dss.exe for the first time I got a blue screen and the computer restarted itself. In the second try everything worked normally.
SmitFraudFix v2.168
Scan done at 20:35:29.78, Mon 04/16/2007
Run from C:\Documents and Settings\user\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is FAT32
Fix run in normal mode
»»»»»»»»»»»»»»»»»»»»»»»» Process
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
»»»»»»»»»»»»»»»»»»»»»»»» hosts
»»»»»»»»»»»»»»»»»»»»»»»» C:\
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32
»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user
»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\user\Application Data
»»»»»»»»»»»»»»»»»»»»»»»» Start Menu
»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\user\FAVORI~1
»»»»»»»»»»»»»»»»»»»»»»»» Desktop
»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files
»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys
»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!
SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll
»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_Dlls"=""
»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""
»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32
pe386 detected, use a Rootkit scanner
»»»»»»»»»»»»»»»»»»»»»»»» DNS
Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 165.76.4.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer=165.76.4.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{52508E81-8C17-4652-A71A-2E13CBF016CA}: NameServer=165.76.4.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{6689DD5F-CB8C-43A6-9579-241529A9F044}: NameServer=165.76.4.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{8120C8A3-59D7-4033-8A6A-985B4F1EEF9E}: NameServer=165.76.4.2
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A7D30D44-C037-4E3C-B0B6-487E1C7D86BF}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{A7D30D44-C037-4E3C-B0B6-487E1C7D86BF}: NameServer=165.76.4.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer=165.76.4.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{52508E81-8C17-4652-A71A-2E13CBF016CA}: NameServer=165.76.4.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{6689DD5F-CB8C-43A6-9579-241529A9F044}: NameServer=165.76.4.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{8120C8A3-59D7-4033-8A6A-985B4F1EEF9E}: NameServer=165.76.4.2
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A7D30D44-C037-4E3C-B0B6-487E1C7D86BF}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\..\{A7D30D44-C037-4E3C-B0B6-487E1C7D86BF}: NameServer=165.76.4.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer=165.76.4.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{52508E81-8C17-4652-A71A-2E13CBF016CA}: NameServer=165.76.4.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{6689DD5F-CB8C-43A6-9579-241529A9F044}: NameServer=165.76.4.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{8120C8A3-59D7-4033-8A6A-985B4F1EEF9E}: NameServer=165.76.4.2
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A7D30D44-C037-4E3C-B0B6-487E1C7D86BF}: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{A7D30D44-C037-4E3C-B0B6-487E1C7D86BF}: NameServer=165.76.4.2
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=172.16.0.1
»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection
»»»»»»»»»»»»»»»»»»»»»»»» End
Deckard's System Scanner v20070411.38
Run by user on 2007-04-16 at 20:22:12
Computer is in Normal Mode.
-- System Restore
Successfully created a Deckard's System Scanner Restore Point.
-- Last 2 Restore Point(s) --
2: 2007-04-16 18:22:15 UTC - RP2 - Deckard's System Scanner Restore Point
1: 2007-04-16 18:13:18 UTC - RP1 - System Checkpoint
Performed disk cleanup.
-- HijackThis (run as user.exe)
Logfile of HijackThis v1.99.1
Scan saved at 20:22:23, on 16/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\user\Desktop\dss.exe
C:\HIJACK~1\user.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles/3vomjl5r.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Software\Spftware\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Software\Spftware\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{52508E81-8C17-4652-A71A-2E13CBF016CA}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6689DD5F-CB8C-43A6-9579-241529A9F044}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{8120C8A3-59D7-4033-8A6A-985B4F1EEF9E}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D30D44-C037-4E3C-B0B6-487E1C7D86BF}: NameServer = 165.76.4.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: BsHEUSWBly - {4CD60C93-E67C-A639-FCD1-76967001091B} - C:\WINDOWS\system32\qid.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi115004.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
-- HijackThis Fixed Entries (C:\HIJACK~1\backups\)
backup-20051117-151937-475 O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
backup-20051117-151937-392 O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
backup-20051117-151937-172 O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131465719\ee\AOLSoftware.exe
backup-20051117-151937-567 O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
backup-20051117-151937-381 O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
backup-20051117-151939-468 O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
backup-20051117-152046-401 R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
backup-20051117-152046-600 O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll
backup-20051117-152046-456 O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
backup-20051117-154019-776 O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
backup-20051126-010835-381 O4 - HKLM\..\Run: [I downloaded pirated Software from P2P] C:\WINDOWS\system32\Battlefield2 .exe
backup-20051209-154742-751 O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
backup-20051209-154742-668 O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
backup-20061229-005127-523 O1 - Hosts: |a`
backup-20061229-005127-440 O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-220 O1 - Hosts: `rnpoob~J|
backup-20061229-005127-615 O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o|a`
backup-20061229-005127-429 O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-252 O1 - Hosts: `rnpoob~J|
backup-20061229-005127-519 O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-718 O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-387 O1 - Hosts: ~J
-- File Associations
.scr - AutoCADScriptFile - shell\open\command - "C:\WINDOWS\system32\NOTEPAD.EXE" "%1"
-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R0 sfdrv01 (StarForce Protection Environment Driver (version 1.x)) - c:\windows\system32\drivers\sfdrv01.sys
R0 sfhlp02 (StarForce Protection Helper Driver (version 2.x)) - c:\windows\system32\drivers\sfhlp02.sys
R0 sfsync04 (StarForce Protection Synchronization Driver (version 4.x)) - c:\windows\system32\drivers\sfsync04.sys
R0 sfvfs02 (StarForce Protection VFS Driver (version 2.x)) - c:\windows\system32\drivers\sfvfs02.sys
R1 ikhfile (File Security Kernel Anti-Spyware Driver) - c:\windows\system32\drivers\ikhfile.sys
R1 ikhlayer (Kernel Anti-Spyware Driver) - c:\windows\system32\drivers\ikhlayer.sys
R1 Klmc - c:\windows\system32\drivers\klmc.sys
R1 NetworkX - c:\windows\system32\ckldrv.sys
R1 NPPTNT2 - c:\windows\system32\npptnt2.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys
R2 irda (IrDA Protocol) - c:\windows\system32\drivers\irda.sys
R2 tmcomm - c:\windows\system32\drivers\tmcomm.sys
R2 windev-505b-34b3 - c:\windows\system32\windev-505b-34b3.sys
R3 ATIAVAIW (ATI T200 Unified AVStream service) - c:\windows\system32\drivers\atinavt2.sys
R3 GVCplDrv - c:\windows\system32\drivers\gvcpldrv.sys
R3 irsir (Microsoft Serial Infrared Driver) - c:\windows\system32\drivers\irsir.sys
R3 QCDonner (Logitech QuickCam Express(PID_0840)) - c:\windows\system32\drivers\lvcd.sys
R3 Rasirda (WAN Miniport (IrDA)) - c:\windows\system32\drivers\rasirda.sys
S3 2WIREPCP (2Wire USB) - c:\windows\system32\drivers\2wirepcp.sys
S3 dtscsi - c:\windows\system32\drivers\dtscsi.sys (file missing)
S3 EWAVE - c:\windows\system32\drivers\ew.sys (file missing)
S3 FILESPY - c:\windows\system32\drivers\filespy.sys (file missing)
S3 MPE (BDA MPE Filter) - c:\windows\system32\drivers\mpe.sys
S3 nm (Network Monitor Driver) - c:\windows\system32\drivers\nmnt.sys
S3 NSTATION - c:\windows\system32\drivers\nstation.sys (file missing)
S3 RegGuard - c:\windows\system32\drivers\regguard.sys
S3 TSP - c:\windows\system32\drivers\klif.sys
pe386 driver present
-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled
R2 Apache2 - "c:\program files\apache group\apache2\bin\apache.exe" -k runservice
R2 Autodesk Licensing Service - "c:\program files\common files\autodesk shared\service\adskscsrv.exe"
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe"
R2 Crypkey License - crypserv.exe
R2 Diskeeper - "c:\program files\diskeeper corporation\diskeeper\dkservice.exe"
R2 Irmon (Infrared Monitor) - c:\windows\system32\svchost.exe -k netsvcs
R2 kavsvc - "c:\program files\kaspersky lab\kaspersky anti-virus personal\kavsvc.exe"
R2 mi-raysat_3dsmax8 (RaySat_3dsmax8 Server) - "c:\program files\autodesk\3dsmax8\mentalray\satellite\raysat_3dsmax8server.exe"
R2 mi-raysat_3dsmax9_32 (mental ray 3.5 Satellite (32-bit)) - "c:\program files\autodesk\3ds max 9\mentalray\satellite\raysat_3dsmax9_32server.exe"
R2 MySQL - "c:\program files\mysql\mysql server 5.0\bin\mysqld-nt" --defaults-file="c:\program files\mysql\mysql server 5.0\my.ini" mysql (file missing)
S2 aspi113210 (Microsoft ASPI Manager) - c:\windows\system32\aspi115004.exe (file missing)
S2 sfrem01 (SF FrontLine Drivers Auto Removal (v1)) - c:\windows\system32\sfrem01.exe svc
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe"
S3 License Management Service ESD - "c:\program files\common files\element5 shared\service\licence manager esd.exe"
S3 Microsoft Office Groove Audit Service - "c:\program files\microsoft office\office12\grooveauditservice.exe"
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe
S3 usprserv (User Privilege Service) - c:\windows\system32\svchost.exe -k netsvcs
-- Files created between 2007-03-16 and 2007-04-16
2007-04-16 20:18:18 0 d--hs---- C:\FOUND.008
2007-04-16 20:12:39 79360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-16 20:12:39 40960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-16 20:12:39 135168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-16 20:12:39 288417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-16 20:12:39 53248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-16 20:12:39 51200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-16 15:20:28 0 d--hs---- C:\FOUND.007
2007-04-16 03:33:54 0 d--hs---- C:\FOUND.006
2007-04-16 03:23:36 0 d--hs---- C:\FOUND.005
2007-04-14 20:10:32 0 d-------- C:\avenger
2007-04-14 19:53:01 4938 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-14 18:26:30 0 d--hs---- C:\FOUND.004
2007-04-14 15:11:42 0 d--hs---- C:\FOUND.003
2007-04-12 19:45:13 30592 --a------ C:\WINDOWS\system32\drivers\ikhfile.sys
2007-04-12 19:45:12 51072 --a------ C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-04-12 16:56:27 76560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-04-12 16:36:00 0 d-------- C:\Documents and Settings\user\.housecall6.6<HOUSEC~1.6>
2007-04-12 15:08:30 0 d--hs---- C:\FOUND.002
2007-04-12 06:45:02 0 d--hs---- C:\FOUND.001
2007-04-11 19:46:14 0 d--hs---- C:\FOUND.000
2007-04-11 18:30:53 3 --a------ C:\WINDOWS\system32\sfxzmtwbmail.dll<SFXZMT~3.DLL>
2007-04-11 18:30:53 3 --a------ C:\WINDOWS\system32\sfxzmtsmtspm.dll<SFXZMT~1.DLL>
2007-04-11 18:30:53 3 --a------ C:\WINDOWS\system32\sfxzmtsmt.dll<SFXZMT~2.DLL>
2007-04-11 18:30:53 3 --a------ C:\WINDOWS\system32\sfxzmtforum.dll<SFXZMT~4.DLL>
2007-04-11 18:30:53 44 --a------ C:\WINDOWS\system32\pfxzmtymsg.dll<PFXZMT~4.DLL>
2007-04-11 18:30:53 44 --a------ C:\WINDOWS\system32\pfxzmtwbmail.dll<PF9452~1.DLL>
2007-04-11 18:30:53 3 --a------ C:\WINDOWS\system32\pfxzmtsmtspm.dll<PFCA7F~1.DLL>
2007-04-11 18:30:53 3 --a------ C:\WINDOWS\system32\pfxzmtsmt.dll<PFB0E0~1.DLL>
2007-04-11 18:30:53 44 --a------ C:\WINDOWS\system32\pfxzmticq.dll<PFXZMT~1.DLL>
2007-04-11 18:30:53 44 --a------ C:\WINDOWS\system32\pfxzmtgtal.dll<PFXZMT~3.DLL>
2007-04-11 18:30:53 44 --a------ C:\WINDOWS\system32\pfxzmtforum.dll<PF5607~1.DLL>
2007-04-11 18:30:53 44 --a------ C:\WINDOWS\system32\pfxzmtaim.dll<PFXZMT~2.DLL>
2007-04-11 18:30:47 1 --a------ C:\WINDOWS\system32\kr_done1
2007-04-11 18:30:33 0 d-------- C:\WINDOWS\trace
2007-04-11 18:30:31 8704 --a------ C:\WINDOWS\system32\sporder.dll
2007-04-11 18:30:17 12800 --a------ C:\WINDOWS\system32\a3dxq.dll
2007-04-04 17:16:25 0 d-------- C:\Documents and Settings\user\Application Data\Xfire
2007-04-04 17:16:24 0 d---s---- C:\Program Files\Xfire
2007-04-02 21:31:29 0 d
C:\Documents and Settings\user\Application Data\teamspeak2<TEAMSP~1>
2007-04-02 21:31:04 0 d
C:\Program Files\Teamspeak2_RC2<TEAMSP~1>
2007-04-01 23:56:09 0 d
C:\Documents and Settings\user\Application Data\Ventrilo
2007-04-01 23:39:18 0 d
C:\Program Files\Ventrilo
2007-04-01 23:34:47 0 d
C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-04-01 04:05:34 0 d
C:\incoming
-- Find3M Report
2007-04-15 21:21:10 9601299 --a C:\Program Files\Spybot - Search & Destroy.rar<SPYBOT~1.RAR>
2007-03-03 18:07:56 51600 --a C:\WINDOWS\system32\RadLightMPCUninstall.exe<RADLIG~1.EXE>
2007-03-03 18:00:18 200 --a C:\WINDOWS\AUDC70UI.dat
2007-03-02 21:51:12 0 d C:\Program Files\Pando Networks<PANDON~1>
2007-02-27 19:48:14 98304 --a C:\WINDOWS\system32\CmdLineExt.dll<CMDLIN~1.DLL>
2007-02-25 03:40:28 0 d C:\Program Files\piPOol
2007-02-25 03:37:08 0 d C:\Program Files\illiminable<ILLIMI~1>
2007-02-24 01:16:24 0 d C:\Program Files\Soldier of Fortune II - Double Helix MP TEST<SOLDIE~1>
2007-02-18 17:59:24 0 d C:\Documents and Settings\user\Application Data\ATI
2007-02-18 17:53:14 0 d C:\Program Files\Common Files\ATI Technologies<ATITEC~1>
2007-02-18 17:50:34 0 d C:\Program Files\ATI Technologies<ATITEC~1>
2007-01-30 07:03:28 200704 --a C:\WINDOWS\system32\ssldivx.dll
2007-01-30 07:03:28 1044480 --a C:\WINDOWS\system32\libdivx.dll
2007-01-26 10:50:22 1763 --a C:\WINDOWS\BricoPackFoldersDelete.cmd<BRICOP~1.CMD>
2007-01-26 10:50:20 52700 --a C:\WINDOWS\BricoPackUninst.cmd<BRICOP~2.CMD>
2007-01-26 10:50:16 218624 --a C:\WINDOWS\system32\uxtheme.dll
2007-01-24 20:12:44 58801 --a C:\WINDOWS\War3Unin.dat
2007-01-19 12:53:04 51056 --a C:\WINDOWS\system32\sirenacm.dll
-- Registry Dump
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
@=""
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"="C:\\Documents and Settings\\user\\Application Data\\Mozilla\\Firefox\\Profiles\\3vomjl5r.default\\extensions\\{B13721C7-F507-4982-B2E5-502A71474FED}\\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath=\"C:\\Documents and Settings\\user\\Application Data\\Mozilla\\Firefox\\Profiles/3vomjl5r.default\\extensions\\{B13721C7-F507-4982-B2E5-502A71474FED}\""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SoundMan"="SOUNDMAN.EXE"
"2wSysTray"="C:\\Program Files\\2Wire\\Gateway\\2PortalMon.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NVRTCLK"="C:\\WINDOWS\\system32\\NVRTCLK\\NVRTClk.exe"
"PathNvidiaTV"="C:\\Program Files\\Gigabyte\\Nvidia\\patchnvidiaTVout.exe"
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"NWEReboot"=""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\SOFTWARE]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\SOFTWARE\Microsoft]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\SOFTWARE\Microsoft\Windows]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\SOFTWARE\Microsoft\Windows\CurrentVersion]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\0]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\system32\\DRIVERS\\"
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\1]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\TEMP\\MC21.TMP"
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\2]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\system32\\DRIVERS\\"
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\3]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\TEMP\\MC21.TMP"
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\4]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\system32\\DRIVERS\\"
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\5]
"Operation"=dword:00000001
"Target"="C:\\WINDOWS\\system32\\DRIVERS\\ "
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"spoolsvv"="C:\\WINDOWS\\system32\\spoolsvv.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Battlefield2 "
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\Battlefield2 .exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"
"BsHEUSWBly"="{4CD60C93-E67C-A639-FCD1-76967001091B}"
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\CTFMON.EXE"
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\A3dxq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
-- End of Deckard's System Scanner: finished at 2007-04-16 at 20:22:53
Scan saved at 20:38:12, on 16/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HijackThis\HijackThis.exe
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles/3vomjl5r.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Software\Spftware\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Software\Spftware\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{52508E81-8C17-4652-A71A-2E13CBF016CA}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6689DD5F-CB8C-43A6-9579-241529A9F044}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{8120C8A3-59D7-4033-8A6A-985B4F1EEF9E}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D30D44-C037-4E3C-B0B6-487E1C7D86BF}: NameServer = 165.76.4.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O21 - SSODL: BsHEUSWBly - {4CD60C93-E67C-A639-FCD1-76967001091B} - C:\WINDOWS\system32\qid.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi115004.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: BsHEUSWBly - {4CD60C93-E67C-A639-FCD1-76967001091B} - C:\WINDOWS\system32\qid.dll (file missing)
Close ALL open windows
Click Fix Checked
Close HijackThis
Please download killbox to your desktop
Unzip it to your desktop.
Run Killbox.exe
-> Choose Delete on Reboot
-> Click All Files option.
Copy the following lines to your clipboard (choose text with your mouse, press CTRL+C or copy)
C:\FOUND.000
C:\FOUND.001
C:\FOUND.002
C:\FOUND.003
C:\FOUND.004
C:\FOUND.005
C:\FOUND.006
C:\FOUND.007
C:\WINDOWS\system32\sfxzmtwbmail.dll
C:\WINDOWS\system32\sfxzmtsmtspm.dll
C:\WINDOWS\system32\sfxzmtsmt.dll
C:\WINDOWS\system32\sfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtymsg.dll
C:\WINDOWS\system32\pfxzmtwbmail.dll
C:\WINDOWS\system32\pfxzmtsmtspm.dll
C:\WINDOWS\system32\pfxzmtsmt.dll
C:\WINDOWS\system32\pfxzmticq.dll
C:\WINDOWS\system32\pfxzmtgtal.dll
C:\WINDOWS\system32\pfxzmtforum.dll
C:\WINDOWS\system32\pfxzmtaim.dll
C:\WINDOWS\system32\kr_done1
C:\WINDOWS\system32\a3dxq.dll
C:\WINDOWS\system32\CmdLineExt.dll
WINDOWS\Documents\Settings\winsys2f.dll
C:\WINDOWS\system32\qid.dll
Then go back to Killbox
-> go to File
-> choose Paste from Clipboard
-> Click the red-white Delete File option.
-> Click Yes to Delete on Reboot question
-> Click OK to any PendingFileRenameOperations requests (and tell me if you get any of these!)
-> Restart your computer if Killbox won't do it.
(If you get this error when running Killbox: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid.", download Missingfilessetup.exe from here to your desktop and run the file, then try running Killbox ->
Please download rustbfix.exe and save it to your desktop.
- Double click on rustbfix.exe to run the tool.
1. If a Rustock.b infection is found, you will shortly afterwards be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed, but this will happen automatically.
2. After the reboot, 2 logfiles will open (%root%\avenger.txt & %root%\rustbfix\pelog.txt). If needed (still infected), post the content of these logfiles along with a new HijackThis log.
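The helper above picked the entries to fix by reading the log by hand: references to files that no longer exist, Winlogon Notify DLLs in odd places or with random-looking names, and a service with no vendor whose binary is gone. The script below is an added example, not code from this thread or from HijackThis, that applies the same reasoning mechanically to HijackThis 1.99.1 log lines. The sample lines are copied from the logs posted in this thread; the heuristics (the system32 location check, the short alphanumeric DLL stem, the "Unknown owner" plus missing file combination) are my own assumptions about what merits a second look, not HijackThis rules, and the names `Finding`, `triage_line` and `triage` are mine.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis 1.99.1 lines copied from the logs in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: BsHEUSWBly - {4CD60C93-E67C-A639-FCD1-76967001091B} - C:\WINDOWS\system32\qid.dll (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi115004.exe (file missing)
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
"""

LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
SYSTEM32 = "c:\\windows\\system32\\"
# Heuristic (my assumption, not a HijackThis rule): a DLL stem of at most six
# characters that mixes letters and digits, such as a3dxq, looks machine-generated.
RANDOM_STEM_RE = re.compile(r"^[a-z]*\d[a-z\d]*$")


@dataclass
class Finding:
    section: str
    line: str
    reason: str


def entry_path(body: str) -> str:
    """Text after the last ' - ' of an entry, with any orphan marker removed."""
    path = body.rsplit(" - ", 1)[-1]
    for marker in ORPHAN_MARKERS:
        path = path.replace(marker, "")
    return path.strip()


def triage_line(line: str) -> list:
    """Apply the review rules to one log line and return the findings for it."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []
    section, body = m.group("section"), m.group("body")
    findings = []
    orphan = any(marker in body for marker in ORPHAN_MARKERS)
    if orphan:
        findings.append(Finding(section, line, "entry points at a file that no longer exists (orphaned reference)"))
    if section == "O20":
        # Winlogon Notify packages are loaded into winlogon.exe at every logon,
        # so a DLL outside system32 or with a random-looking name deserves a look.
        path = entry_path(body).lower()
        if not path.startswith(SYSTEM32):
            findings.append(Finding(section, line, "Winlogon Notify DLL loaded from outside system32"))
        stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
        if len(stem) <= 6 and RANDOM_STEM_RE.match(stem):
            findings.append(Finding(section, line, "Winlogon Notify DLL with a short random-looking name"))
    if section == "O23" and "Unknown owner" in body and orphan:
        findings.append(Finding(section, line, "service with no vendor whose binary is already gone"))
    return findings


def triage(log_text: str) -> list:
    """Run triage_line over every line of a HijackThis log."""
    return [f for line in log_text.splitlines() if line.strip() for f in triage_line(line)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line.strip()}")
```

Run against the sample, the script flags exactly the six lines the helper singled out (the orphaned R3, O2, O21 and O23 entries plus the two odd O20 DLLs) and leaves WgaLogon and the Kaspersky service alone. It is a reading aid for the log, not a replacement for the helper's judgment: a flagged entry still needs the file itself looked at before anything is removed.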
Did as you told me, but I'm afraid I'm still infected:
Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\vovgtmei
*******************
Fatal error: integrity of Services key failed verification check! Security may be fatally compromised. Exiting immediately.
Could not open script file! Status: 0xc0000034 Abort!
Logfile of HijackThis v1.99.1
Scan saved at 00:36:25, on 17/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\crypserv.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Apache Group\Apache2\bin\Apache.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\2Wire\Gateway\2PortalMon.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\Program Files\Logitech\Video\LogiTray.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.EXE
C:\Program Files\Spyware Doctor\sdhelp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
C:\Program Files\Logitech\Video\FxSvr2.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HijackThis\HijackThis.exe
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles/3vomjl5r.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Software\Spftware\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Software\Spftware\ICQLite\ICQLite.exe
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{52508E81-8C17-4652-A71A-2E13CBF016CA}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6689DD5F-CB8C-43A6-9579-241529A9F044}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{8120C8A3-59D7-4033-8A6A-985B4F1EEF9E}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D30D44-C037-4E3C-B0B6-487E1C7D86BF}: NameServer = 165.76.4.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi115004.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
THANKS for all your help so far!
Open HijackThis
- Click the Do a system scan only button
- Check the following entries (below)
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi115004.exe (file missing)
Close ALL open windows
Click Fix Checked
Close HijackThis
Please copy (Ctrl C) and paste (Ctrl V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.
Double click FixServices.bat. A window will open and close. This is normal.
Please download this file - combofix.exe
Double click combofix.exe & follow the prompts.
When finished, it shall produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall
=======================
Post a fresh HijackThis log and the ComboFix log in your next reply.
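The three entries the helper picks out above were found by reading the O20 and O23 lines by eye. As an added example (not code from the thread, and not part of HijackThis), here is that reading written down as a script: SAMPLE_LOG is a subset of lines copied from the log posted above, the two heuristics are the ones the helper applied by hand (a Winlogon Notify DLL that is missing or lives outside system32; a service with no company name in its version info whose binary is not on disk), and the regular expressions, the SYSTEM32 constant and the function names are mine.

```python
"""Triage of HijackThis O20 (Winlogon Notify) and O23 (Service) lines.

Added example: not code from the thread or from HijackThis. SAMPLE_LOG
is a constructed subset of lines copied from the posted log; the
heuristics are the ones the helper applied by hand.
"""
import re

# Constructed subset of the posted log (copied lines, nothing invented).
SAMPLE_LOG = r"""
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi115004.exe (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
"""

# "name - path [ (file missing)]" and "name - owner - path [ (file missing)]"
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")

# Assumption used as the baseline: Winlogon Notify packages shipped with
# Windows live in %SystemRoot%\system32, so anything elsewhere is unusual.
SYSTEM32 = "c:\\windows\\system32\\"


def triage(log: str) -> list:
    """Return (section, entry name, reason) for every line worth a second look."""
    findings = []
    for line in log.splitlines():
        m = O20_RE.match(line)
        if m:
            if m["missing"]:
                # The DLL is gone but the registry entry survived: an orphaned
                # loading point that winlogon will keep trying to load.
                findings.append(("O20", m["name"], "notify DLL missing, orphaned entry"))
            elif not m["path"].lower().startswith(SYSTEM32):
                findings.append(("O20", m["name"], "notify DLL outside system32: " + m["path"]))
            continue
        m = O23_RE.match(line)
        if m and m["owner"] == "Unknown owner" and m["missing"]:
            # No company name in the file's version info and no file on disk.
            findings.append(("O23", m["name"], "unknown vendor and binary not found"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(SAMPLE_LOG):
        print(f"{section}  {name}: {reason}")
```

Run against the sample it flags the same two O20 entries the helper lists, leaves WgaLogon (Microsoft's file, in system32) alone, and flags the ASPI service. It also flags Apache2 and MySQL, which the helper deliberately did not touch: both belong to software the user installed, and their "(file missing)" comes from an ImagePath HijackThis could not parse (a stray quote in Apache2's command line; MySQL's unquoted path truncated to C:\Program.exe). So "(file missing)" on an O23 line is a prompt to check the service by hand, not proof of malware, which is why the script reports rather than fixes.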
Save the file to the desktop as fix.reg
What file, exactly?
Sorry, my bad
ComboFix 07-04-18.V - Running from: C:\Documents and Settings\user\Desktop\
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\pfxzmtaim.dll
C:\Documents and Settings\All Users.WINDOWS.\documents\settings\desktop.ini
C:\WINDOWS\hosts
C:\WINDOWS\s32.txt
C:\WINDOWS\ws386.ini
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\trace
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
\nm
\LEGACY_NM
\LEGACY_NPF
\LEGACY_WINCOM32
((((((((((((((((((((((((((((((( Files Created from 2007-03-18 to 2007-04-18 ))))))))))))))))))))))))))))))))))
2007-04-17 00:30 <DIR> d C:\avenger
2007-04-17 00:25 16 --a C:\chdir.bat
2007-04-17 00:25 <DIR> d C:\Rustbfix
2007-04-17 00:18 <DIR> d C:\!KillBox
2007-04-16 20:18 <DIR> d--hs---- C:\FOUND.008
2007-04-16 20:13 <DIR> d C:\Deckard
2007-04-16 20:12 79,360 --a C:\WINDOWS\system32\swxcacls.exe
2007-04-16 20:12 53,248 --a C:\WINDOWS\system32\Process.exe
2007-04-16 20:12 51,200 --a C:\WINDOWS\system32\dumphive.exe
2007-04-16 20:12 40,960 --a C:\WINDOWS\system32\swsc.exe
2007-04-16 20:12 288,417 --a C:\WINDOWS\system32\SrchSTS.exe
2007-04-16 20:12 135,168 --a C:\WINDOWS\system32\swreg.exe
2007-04-16 15:20 <DIR> d C:\FOUND.007
2007-04-16 03:33 <DIR> d C:\FOUND.006
2007-04-16 03:23 <DIR> d C:\FOUND.005
2007-04-14 19:53 4,938 --a C:\WINDOWS\system32\tmp.reg
2007-04-14 18:26 <DIR> d C:\FOUND.004
2007-04-14 15:11 <DIR> d C:\FOUND.003
2007-04-12 19:45 51,072 --a C:\WINDOWS\system32\drivers\ikhlayer.sys
2007-04-12 19:45 30,592 --a C:\WINDOWS\system32\drivers\ikhfile.sys
2007-04-12 16:56 76,560 --a C:\WINDOWS\system32\drivers\tmcomm.sys
2007-04-12 16:36 <DIR> d C:\DOCUME~1\user\.housecall6.6
2007-04-12 15:08 <DIR> d C:\FOUND.002
2007-04-12 06:45 <DIR> d C:\FOUND.001
2007-04-11 19:46 <DIR> d C:\FOUND.000
2007-04-11 18:30 8,704 --a C:\WINDOWS\system32\sporder.dll
2007-04-04 17:16 <DIR> d---s---- C:\Program Files\Xfire
2007-04-04 17:16 <DIR> d C:\DOCUME~1\user\APPLIC~1\Xfire
2007-04-02 21:31 <DIR> d C:\Program Files\Teamspeak2_RC2
2007-04-02 21:31 <DIR> d C:\DOCUME~1\user\APPLIC~1\teamspeak2
2007-04-01 23:56 <DIR> d C:\DOCUME~1\user\APPLIC~1\Ventrilo
2007-04-01 23:39 <DIR> d C:\Program Files\Ventrilo
2007-04-01 23:34 <DIR> d C:\Program Files\Common Files\Wise Installation Wizard
2007-04-01 04:05 <DIR> d C:\incoming
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-15 21:21 9601299 --a C:\Program Files\spybot - search & destroy.rar
2007-03-03 18:07 51600 --a C:\WINDOWS\system32\radlightmpcuninstall.exe
2007-03-03 18:00 200 --a C:\WINDOWS\audc70ui.dat
2007-03-02 21:51 d C:\Program Files\pando networks
2007-02-25 03:40 d C:\Program Files\pipool
2007-02-25 03:37 d C:\Program Files\illiminable
2007-02-24 01:16 d C:\Program Files\soldier of fortune ii - double helix mp test
2007-01-30 07:03 200704 --a C:\WINDOWS\system32\ssldivx.dll
2007-01-30 07:03 1044480 --a C:\WINDOWS\system32\libdivx.dll
2007-01-26 10:50 52700 --a C:\WINDOWS\bricopackuninst.cmd
2007-01-26 10:50 218624 --a C:\WINDOWS\system32\uxtheme.dll
2007-01-26 10:50 1763 --a C:\WINDOWS\bricopackfoldersdelete.cmd
2007-01-24 20:12 58801 --a C:\WINDOWS\war3unin.dat
2007-01-19 12:53 51056 --a C:\WINDOWS\system32\sirenacm.dll
2007-01-02 02:40 1024 --a C:\DOCUME~1\user\APPLIC~1\wavcodec.wff
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{38D3FE60-3D53-4F37-BB0E-C7A97A26A156} C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\PROGRA~1\SPYBOT~1\SDHelper.dll
{5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
{72853161-30C5-4D22-B7F9-0BBC1D38A37E} C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7} c:\program files\google\googletoolbar2.dll
{B56A7D7D-6927-48C8-A975-17DF180C71AC} C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"SoundMan"="SOUNDMAN.EXE"
"2wSysTray"="C:\\Program Files\\2Wire\\Gateway\\2PortalMon.exe"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"
"LogitechVideoRepair"="C:\\Program Files\\Logitech\\Video\\ISStart.exe "
"LogitechVideoTray"="C:\\Program Files\\Logitech\\Video\\LogiTray.exe"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NVRTCLK"="C:\\WINDOWS\\system32\\NVRTCLK\\NVRTClk.exe"
"PathNvidiaTV"="C:\\Program Files\\Gigabyte\\Nvidia\\patchnvidiaTVout.exe"
"DiskeeperSystray"="\"C:\\Program Files\\Diskeeper Corporation\\Diskeeper\\DkIcon.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
"KAVPersonal50"="\"C:\\Program Files\\Kaspersky Lab\\Kaspersky Anti-Virus Personal\\kav.exe\" /minimize"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"GrooveMonitor"="\"C:\\Program Files\\Microsoft Office\\Office12\\GrooveMonitor.exe\""
"NWEReboot"=""
"NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\CLIStart.exe\""
"UserFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"LogitechSoftwareUpdate"="\"C:\\Program Files\\Logitech\\Video\\ManifestEngine.exe\" boot"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
@=""
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"FFTI"="C:\\Documents and Settings\\user\\Application Data\\Mozilla\\Firefox\\Profiles\\3vomjl5r.default\\extensions\\{B13721C7-F507-4982-B2E5-502A71474FED}\\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath=\"C:\\Documents and Settings\\user\\Application Data\\Mozilla\\Firefox\\Profiles/3vomjl5r.default\\extensions\\{B13721C7-F507-4982-B2E5-502A71474FED}\""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\0]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\system32\\DRIVERS\\"
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\1]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\TEMP\\MC21.TMP"
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\2]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\system32\\DRIVERS\\"
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\3]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\TEMP\\MC21.TMP"
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\4]
"Operation"=dword:00000001
"Target"="\\??\\C:\\WINDOWS\\system32\\DRIVERS\\"
"Source"=""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce\ApprovedByRegRun2\AntiRepl\5]
"Operation"=dword:00000001
"Target"="C:\\WINDOWS\\system32\\DRIVERS\\ "
"Source"=""
[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"="\"C:\\Program Files\\Spyware Doctor\\swdoctor.exe\" /Q"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{553858A7-4922-4e7e-B1C1-97140C1C16EF}"="IE Component Categories cache daemon"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="Groove GFS Stub Execution Hook"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"spoolsvv"="C:\\WINDOWS\\system32\\spoolsvv.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\I downloaded pirated Software from P2P]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Battlefield2 "
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\Battlefield2 .exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
backup-20070417-132758-586
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
backup-20070417-132753-981
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll (file missing)
backup-20070417-132758-929
O23 - Service: Microsoft ASPI Manager (aspi113210) - Unknown owner - C:\WINDOWS\system32\aspi115004.exe (file missing)
backup-20070417-001658-186
O21 - SSODL: BsHEUSWBly - {4CD60C93-E67C-A639-FCD1-76967001091B} - C:\WINDOWS\system32\qid.dll (file missing)
backup-20070417-001658-274
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users.WINDOWS\Documents\Settings\winsys2f.dll
backup-20070417-001658-132
O20 - Winlogon Notify: A3dxq - C:\WINDOWS\system32\a3dxq.dll
backup-20070417-001657-553
O16 - DPF: {74F5614A-8A8C-43B4-8CC2-4B4EFAF4A6C5} (TSCCInstall Class) - http://www.techsmith.com/codec/tsccinst.cab
backup-20070417-001657-516
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
backup-20070417-001657-773
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
backup-20061229-005127-335
O1 - Hosts: |a`
backup-20061229-005127-204
O1 - Hosts: ~J
backup-20061229-005127-758
O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-662
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-523
O1 - Hosts: |a`
backup-20061229-005127-440
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-220
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-615
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o|a`
backup-20061229-005127-429
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-252
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-519
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-718
O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-387
O1 - Hosts: ~J
backup-20061229-005127-380
O1 - Hosts: |a`
backup-20061229-005127-134
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-871
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-395
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o|a`
backup-20061229-005127-825
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-341
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-985
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-520
O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-249
O1 - Hosts: ~J
backup-20061229-005127-328
O1 - Hosts: |a`
backup-20061229-005127-826
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-598
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-548
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o|a`
backup-20061229-005127-431
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-783
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-726
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-164
O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-584
O1 - Hosts: ~J
backup-20061229-005127-170
O1 - Hosts: |a`
backup-20061229-005127-320
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-381
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-666
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o|a`
backup-20061229-005127-106
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-288
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-478
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-377
O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-944
O1 - Hosts: ~J
backup-20061229-005127-245
O1 - Hosts: |a`
backup-20061229-005127-606
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-993
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-363
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o|a`
backup-20061229-005127-253
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-659
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-833
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-843
O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-811
O1 - Hosts: ~J
backup-20061229-005127-907
O1 - Hosts: |a`
backup-20061229-005127-619
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-484
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-623
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o|a`
backup-20061229-005127-207
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-456
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-442
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-751
O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-822
O1 - Hosts: ~J
backup-20061229-005127-875
O1 - Hosts: |a`
backup-20061229-005127-715
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-196
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-488
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o|a`
backup-20061229-005127-345
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-691
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-737
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-132
O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-681
O1 - Hosts: ~J
backup-20061229-005127-769
O1 - Hosts: |a`
backup-20061229-005127-235
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-638
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-185
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o|a`
backup-20061229-005127-922
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-446
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-851
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-392
O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-371
O1 - Hosts: ~J
backup-20061229-005127-100
O1 - Hosts: |a`
backup-20061229-005127-179
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-677
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-183
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o|a`
backup-20061229-005127-399
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-281
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-634
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-576
O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-435
O1 - Hosts: ~J
backup-20061229-005127-755
O1 - Hosts: |a`
backup-20061229-005127-905
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-232
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-516
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o|a`
backup-20061229-005127-929
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-873
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-228
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-794
O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
backup-20061229-005127-830
O1 - Hosts: ~J
backup-20061229-005127-948
O1 - Hosts: |a`
backup-20061229-005127-104
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-901
O1 - Hosts: `rnpoob~J|
backup-20061229-005127-510
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o|a`
backup-20061229-005127-683
O1 - Hosts: ` `bmoo oo`
backup-20061229-005127-694
O1 - Hosts: `rnpoob~J|
backup-20051209-154742-751
O4 - HKLM\..\Run: [Media Gateway] C:\Program Files\Media Gateway\MediaGateway.exe
backup-20051209-154742-668
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
backup-20051126-010835-381
O4 - HKLM\..\Run: [I downloaded pirated Software from P2P] C:\WINDOWS\system32\Battlefield2 .exe
backup-20051117-154019-776
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
backup-20051117-152046-456
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
backup-20051117-152046-600
O2 - BHO: SABHO - {21B4ACC4-8874-4AEC-AEAC-F567A249B4D4} - c:\program files\180searchassistant\salmhook.dll
backup-20051117-152046-401
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
backup-20051117-151939-468
O16 - DPF: {99410CDE-6F16-42ce-9D49-3807F78F0287} (ClientInstaller Class) - http://www.180searchassistant.com/180saax.cab
backup-20051117-151937-381
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
backup-20051117-151937-172
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1131465719\ee\AOLSoftware.exe
backup-20051117-151937-392
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
backup-20051117-151937-475
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (file missing)
backup-20051117-151937-567
O4 - HKLM\..\Run: [salm] c:\program files\180searchassistant\salm.exe
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-18 12:21:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-18 12:21
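The "O1 - Hosts:" backup entries in the ComboFix log above look like binary junk, but they are plain ASCII with bit 6 of every byte flipped (XOR 0x40). Decoded, they read as a web server's 404 page: "omp/tree.dat was not found on this server." and "he requested  /comp/dumpart.sys was not found on this server.", so when HijackThis backed the hosts file up on 2006-12-29 it held a stored HTTP error response rather than host-to-address mappings. The capital letters are lost because 0x41-0x5A XOR 0x40 gives the control bytes 0x01-0x1A, which the log rendering dropped ("404 Not Found" comes out as "404 ot ound" and tag names vanish), and the letter M became a carriage return (0x0D), which is why the text is chopped into the short lines shown. The decoder below is an added example, not code from the thread or from any of the tools it mentions; SAMPLE_BACKUPS is a subset of the O1 lines copied from the log, the function names are mine, and the reading of the spaces inside the posted lines as rendered tabs (a tab decodes to the letter I) is an assumption.

```python
"""Decode the garbled 'O1 - Hosts:' backup entries from the ComboFix log.

Added example: not code from the thread or from HijackThis/ComboFix.
SAMPLE_BACKUPS is a constructed subset of the O1 lines copied from the
posted log. The decoding is XOR 0x40 on every character.
"""

# Copied from the posted log (five of the repeated O1 lines).
SAMPLE_BACKUPS = """\
O1 - Hosts: |a`
O1 - Hosts: ` `bmoo oo`
O1 - Hosts: `rnpoob~J|
O1 - Hosts: ~|~J| ~tpt`/4`/5.$|o ~J|o~|~J|q~/4`/5.$|oq~J(%`2%15%34%$``o#/-0o$5-0!24n393`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
O1 - Hosts: ~J /-0o42%%n$!4`7!3`./4`&/5.$`/.`4()3`3%26%2n|~J|o~|o
"""

PREFIX = "O1 - Hosts: "


def xor40(text: str) -> str:
    """XOR every character with 0x40. Involutive: one call encodes, a second decodes."""
    return "".join(chr(ord(c) ^ 0x40) for c in text)


def readable(text: str) -> str:
    """Show control characters (what the page's capital letters became) as '?'."""
    return "".join(c if c >= " " or c == "\n" else "?" for c in text)


def decode_hosts_backups(log: str) -> list:
    """Return the decoded payload of every 'O1 - Hosts:' line in a log."""
    fragments = []
    for line in log.splitlines():
        if line.startswith(PREFIX):
            fragments.append(xor40(line[len(PREFIX):]))
    return fragments


if __name__ == "__main__":
    for fragment in decode_hosts_backups(SAMPLE_BACKUPS):
        print(repr(readable(fragment)))
    # Going the other way: the tail of an HTML doctype, encoded, is the
    # third posted line minus its trailing newline and '<'.
    print(xor40(' 2.0//">'))
```

The test of the reading is that it is reversible: encoding ` 2.0//">` gives exactly the posted `` `rnpoob~ ``, and the two long lines decode to the "was not found on this server." sentences with the requested paths /comp/tree.dat and /comp/dumpart.sys still intact because lowercase letters, digits and punctuation survive the transform. When a hosts file turns up holding something other than "address hostname" lines, decoding it this way tells you what was being fetched and from which paths, which is the kind of indicator worth keeping even after the file itself has been deleted, as ComboFix did with C:\WINDOWS\hosts above.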
Please back up your registry before fixing it:
Start
Run
Type the following to the box and hit Ok: regedit
A window opens, click on File
Choose Export from the menu
Change the save location to C:\
Give the filename, RegBackUp
Make sure that the file type is set to Registry files (*.reg)
Click on Save and Close the window
Please run Notepad and paste the following text into a new file: Save the file to the desktop as fix.reg and make sure the "Save as Type" field says "All Files".
Then please go to the desktop and double-click on fix.reg, and click Yes to merge it with the registry
Your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update to the latest version...
Updating Java:
- Download the latest version of Java Runtime Environment (JRE) 6u1.
- Click the "Download" button to the right.
- Check the box that says: "Accept License Agreement."
- The page will refresh.
- Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
- Close any programs you may have running - especially your web browser.
- Go to Start > Control Panel double-click on Add/Remove programs and remove the following...
- J2SE Runtime Environment 5.0 Update 11
- Reboot your computer once all Java components are removed.
- Then from your desktop double-click on jre-6-windows-i586.exe to install the newest version.
Download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop. This program is for XP and Windows 2000 only!
Double-click ATF Cleaner.exe to open it.
Under Main select the following:
* Windows Temp
* Current User Temp
* All Users Temp
* Temporary Internet Files
* Prefetch
* Java Cache
*The other boxes are optional*
Then click the Empty Selected button.
Click Exit on the Main menu to close the program.
Print out these instructions or save them with notepad or Word
Your log seems to be clean. To make sure, please download AVG Anti-Spyware to your desktop. When ready, do the following:
- Start AVG Anti-Spyware
- Click the Update icon
- Click Start update
- Wait until updates are downloaded
- Click the Scanner icon
- Open the Settings tab
- Make sure that under "How to act?" it reads Quarantine (If not, click the text and choose Quarantine)
- Under "How to scan?" all checkboxes should be ticked
- Under "Reports" select Automatically generate report after every scan and uncheck Only if threats were found
- Under "What to scan?" select Scan every file
- Click the Shield icon
- Under "Resident shield is" click active to make it inactive
- Close AVG Anti-Spyware
Reboot to safe mode
- If the computer is running, shut down Windows, and then turn off the power
- Wait 30 seconds, and then turn the computer on
- Start tapping the F8 key
- The Windows Advanced Options Menu appears
- Ensure that the Safe Mode option is selected
- Press Enter. The computer then begins to start in Safe mode
- Login on your usual account
Please delete this file using Windows Explorer (if present): C:\WINDOWS\system32\spoolsvv.exe
- Close all open windows / programs / folders
- Start AVG Anti-Spyware
- Click the Scanner icon
- Click Complete System Scan
- Let the program scan the machine
- When the scan has finished, follow the instructions below
- Make sure that under "Set all elements to" it reads Quarantine (If not, click the text and choose Quarantine)
- Click Apply all actions
- Click Save Report
- Click Save reports as
- Save the report to your Desktop
Post a fresh HijackThis log and the AVG Anti-Spyware report ;)
AVG Anti-Spyware - Scan Report
+ Created at: 04:42:33 20/04/2007
+ Scan result:
:mozilla.125:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.126:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.127:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.230:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.231:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.232:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.233:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.234:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.235:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.236:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.237:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.238:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.239:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.240:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.509:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.2o7 : Cleaned.
:mozilla.109:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.148:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Adbrite : Cleaned.
:mozilla.149:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Adbrite : Cleaned.
:mozilla.150:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Adbrite : Cleaned.
:mozilla.17:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.18:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.199:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Adbrite : Cleaned.
:mozilla.19:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.20:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.848:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.849:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.109:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Advertising : Cleaned.
:mozilla.110:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Advertising : Cleaned.
:mozilla.112:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Advertising : Cleaned.
:mozilla.49:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.50:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.51:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.151:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.165:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Burstnet : Cleaned.
:mozilla.166:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Burstnet : Cleaned.
:mozilla.172:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Burstnet : Cleaned.
:mozilla.106:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.107:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.108:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.303:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Castup : Cleaned.
:mozilla.323:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Clickzs : Cleaned.
:mozilla.324:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Clickzs : Cleaned.
:mozilla.309:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Com : Cleaned.
:mozilla.102:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.900:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Etracker : Cleaned.
:mozilla.100:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Euroclick : Cleaned.
:mozilla.99:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Euroclick : Cleaned.
:mozilla.260:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Falkag : Cleaned.
:mozilla.261:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Falkag : Cleaned.
:mozilla.111:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Fastclick : Cleaned.
:mozilla.113:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Fastclick : Cleaned.
:mozilla.114:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Fastclick : Cleaned.
:mozilla.52:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.53:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.54:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.57:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.158:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.907:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Googleadservices : Cleaned.
:mozilla.142:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.143:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.144:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.145:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.42:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.45:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.88:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.89:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
:mozilla.850:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Information : Cleaned.
:mozilla.473:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Komtrack : Cleaned.
:mozilla.159:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.196:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Overture : Cleaned.
:mozilla.117:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
:mozilla.142:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Paypal : Cleaned.
:mozilla.245:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Pointroll : Cleaned.
:mozilla.246:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Pointroll : Cleaned.
:mozilla.247:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Pointroll : Cleaned.
:mozilla.248:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Pointroll : Cleaned.
:mozilla.581:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Pro-market : Cleaned.
:mozilla.582:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Pro-market : Cleaned.
:mozilla.583:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Pro-market : Cleaned.
:mozilla.603:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Realmedia : Cleaned.
:mozilla.604:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Realmedia : Cleaned.
:mozilla.616:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Revenue : Cleaned.
:mozilla.617:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Revsci : Cleaned.
:mozilla.618:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Revsci : Cleaned.
:mozilla.619:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Revsci : Cleaned.
:mozilla.620:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Revsci : Cleaned.
:mozilla.621:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Revsci : Cleaned.
:mozilla.622:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Revsci : Cleaned.
:mozilla.623:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Revsci : Cleaned.
:mozilla.624:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Revsci : Cleaned.
:mozilla.625:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Revsci : Cleaned.
:mozilla.786:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Revsci : Cleaned.
:mozilla.292:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.644:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.645:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.646:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.647:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.648:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.939:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.940:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.941:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Smartadserver : Cleaned.
:mozilla.191:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.192:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.193:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.194:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.669:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Specificclick : Cleaned.
:mozilla.670:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Specificclick : Cleaned.
:mozilla.671:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Specificclick : Cleaned.
:mozilla.672:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Specificclick : Cleaned.
:mozilla.115:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.76:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Statcounter : Cleaned.
:mozilla.77:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Statcounter : Cleaned.
:mozilla.167:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Tacoda : Cleaned.
:mozilla.168:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Tacoda : Cleaned.
:mozilla.169:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Tacoda : Cleaned.
:mozilla.170:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Tacoda : Cleaned.
:mozilla.171:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Tacoda : Cleaned.
:mozilla.782:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Total-media : Cleaned.
:mozilla.709:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.710:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.711:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.712:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.713:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.714:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.715:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.716:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Trafic : Cleaned.
:mozilla.101:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.55:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.195:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.196:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Yadro : Cleaned.
:mozilla.174:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.175:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.176:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.177:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.178:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.179:C:\FOUND.007\FILE0010.CHK -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.43:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.44:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.45:C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
::Report end
Logfile of HijackThis v1.99.1
Scan saved at 04:43:26, on 20/04/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5296.0000)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\HijackThis\HijackThis.exe
O2 - BHO: CInterceptor Object - {38D3FE60-3D53-4F37-BB0E-C7A97A26A156} - C:\Program Files\Pando Networks\Pando\PandoIEPlugin.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [2wSysTray] C:\Program Files\2Wire\Gateway\2PortalMon.exe
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [LogitechVideoRepair] C:\Program Files\Logitech\Video\ISStart.exe
O4 - HKLM\..\Run: [LogitechVideoTray] C:\Program Files\Logitech\Video\LogiTray.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NVRTCLK] C:\WINDOWS\system32\NVRTCLK\NVRTClk.exe
O4 - HKLM\..\Run: [PathNvidiaTV] C:\Program Files\Gigabyte\Nvidia\patchnvidiaTVout.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\CLIStart.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [FFTI] C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles\3vomjl5r.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}\ffti.exe /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /DestPath="C:\Documents and Settings\user\Application Data\Mozilla\Firefox\Profiles/3vomjl5r.default\extensions\{B13721C7-F507-4982-B2E5-502A71474FED}"
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Stardock ObjectDock.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\ObjectDock\ObjectDock.exe
O4 - Startup: UberIcon.lnk = C:\WINDOWS\BricoPacks\Vista Inspirat\UberIcon\UberIcon Manager.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Monitor Apache Servers.lnk = C:\Program Files\Apache Group\Apache2\bin\ApacheMonitor.exe
O4 - Global Startup: AutoCAD Startup Accelerator.lnk = C:\Program Files\Common Files\Autodesk Shared\acstart17.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Software\Spftware\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - D:\Software\Spftware\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{52508E81-8C17-4652-A71A-2E13CBF016CA}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{6689DD5F-CB8C-43A6-9579-241529A9F044}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{8120C8A3-59D7-4033-8A6A-985B4F1EEF9E}: NameServer = 165.76.4.2
O17 - HKLM\System\CCS\Services\Tcpip\..\{A7D30D44-C037-4E3C-B0B6-487E1C7D86BF}: NameServer = 165.76.4.2
O17 - HKLM\System\CS1\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O17 - HKLM\System\CS2\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O18 - Protocol: talkto - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apache2 - Unknown owner - C:\Program Files\Apache Group\Apache2\bin\Apache.exe" -k runservice (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Crypkey License - CrypKey (Canada) Ltd. - C:\WINDOWS\SYSTEM32\crypserv.exe
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: License Management Service ESD - Unknown owner - C:\Program Files\Common Files\element5 Shared\Service\Licence Manager ESD.exe
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe
O23 - Service: mental ray 3.5 Satellite (32-bit) (mi-raysat_3dsmax9_32) - Unknown owner - C:\Program Files\Autodesk\3ds Max 9\mentalray\satellite\raysat_3dsmax9_32server.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: PC Tools Spyware Doctor (SDhelper) - PC Tools Research Pty Ltd - C:\Program Files\Spyware Doctor\sdhelp.exe
O23 - Service: SF FrontLine Drivers Auto Removal (v1) (sfrem01) - Protection Technology (StarForce) - C:\WINDOWS\system32\sfrem01.exe
Congratulations, your log looks clean!
Where's your firewall? You can download a firewall from
Now that you are clean, please follow these simple steps in order to keep your computer clean and secure.
The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klei
Happy surfing and stay clean!
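The checks the helper ran by eye on the HijackThis log above (a file named one letter off from the real spoolsv.exe, the O17 NameServer entries, the O23 services marked "(file missing)" or "Unknown owner") can be done mechanically. The script below is an added example for this thread, not a tool anyone in it used. Its sample lines are adapted from the log posted above plus two constructed lines (a spoolsvv.exe process and a svchost.exe running from a Temp folder); the list of core Windows binaries and the expected DNS resolver address are assumptions you would replace with your own.

```python
"""Mechanical triage of HijackThis-style log lines.

Added example for this thread, not a tool the helpers above used. It automates
four checks a volunteer does by eye:
  * a file name one edit away from a core Windows binary (spoolsvv.exe vs spoolsv.exe)
  * a core binary name running from the wrong directory (svchost.exe in Temp)
  * O17 NameServer entries pointing at a resolver the owner never configured
  * O23 services whose binary is missing or whose owner is unknown
"""
import re

# Core XP-era binaries that malware likes to imitate (assumption: a short illustrative list).
CORE_BINARIES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "ctfmon.exe",
}
# Directories the genuine copies live in, lower-cased for comparison.
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows"}
# A drive-letter path ending in .exe; HijackThis quotes paths that contain spaces.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"\n]*?\.exe', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute, unit cost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(name: str):
    """Return the core binary that `name` imitates (edit distance 1), or None."""
    name = name.lower()
    if name in CORE_BINARIES:
        return None
    for real in sorted(CORE_BINARIES):
        if edit_distance(name, real) == 1:
            return real
    return None


def triage(lines, expected_dns):
    """Scan log lines and return findings as tuples: (kind, detail[, extra])."""
    findings = []
    for line in lines:
        line = line.strip()
        if line.startswith("O17 ") and "NameServer =" in line:
            # DNS hijacks show up here: a resolver the owner did not set.
            for server in line.split("NameServer =", 1)[1].replace(",", " ").split():
                if server not in expected_dns:
                    findings.append(("dns", server))
            continue
        if line.startswith("O23 ") and ("(file missing)" in line or "Unknown owner" in line):
            service = line.split("Service: ", 1)[1].split(" - ")[0]
            findings.append(("service", service))
        for path in PATH_RE.findall(line):
            directory, base = path.lower().rsplit("\\", 1)
            real = lookalike(base)
            if real:
                findings.append(("lookalike", path, real))
            elif base in CORE_BINARIES and directory not in SYSTEM_DIRS:
                findings.append(("misplaced", path))
    return findings


# Constructed sample: lines adapted from the log in this thread, plus two invented
# process lines (the spoolsvv.exe the helper asked to delete, and a svchost.exe in Temp).
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spoolsvv.exe
C:\Documents and Settings\user\Local Settings\Temp\svchost.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [KAVPersonal50] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kav.exe" /minimize
O17 - HKLM\System\CCS\Services\Tcpip\..\{1927901E-A166-49CE-8FED-E7D53C15CA90}: NameServer = 165.76.4.2
O23 - Service: kavsvc - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal\kavsvc.exe
O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
""".strip().splitlines()

# Assumption: the resolver this machine should be using (a made-up LAN gateway address).
EXPECTED_DNS = {"192.168.1.254"}

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, EXPECTED_DNS):
        print(finding)
```

Run it as a script and each finding is printed as a tuple; anything flagged "dns" should be checked against the resolver your ISP or router actually hands out, and a "lookalike" hit is exactly the spoolsvv.exe pattern the helper caught above. The "service" check also catches the unquoted-path case (a service registered as `C:\Program Files\...` that HijackThis reports as `C:\Program.exe (file missing)`), which is a misconfiguration rather than an infection, so review those by hand.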
Awesome service you did for me
By the way, I disabled Windows Firewall on your article's recommendation, but I have a router firewall on. Is it enough?
~Cyrix