Repeating Virus

Hi to everyone at Icrontic Forums. I want to thank you in advance for reviewing my HJT log.

Every time I log onto my computer, I end up having my AntiVir Guard pop up and quarantine a few viruses only to have them pop up once again a short time later in the same session.

Logfile of HijackThis v1.99.1
Scan saved at 7:37:06 PM, on 6/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\WINDOWS\web\aolspy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\aycjkzkyg.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\WLTRYSVC.EXE
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\BitTorrent_DNA\dna.exe
C:\Program Files\Impulse\PolicyKey.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Christopher\Desktop\HJT\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [aycjkzkyg] C:\WINDOWS\system32\aycjkzkyg.exe
O4 - HKLM\..\RunServices: [aycjkzkyg] C:\WINDOWS\system32\aycjkzkyg.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: PolicyKey.lnk = C:\Program Files\Impulse\PolicyKey.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146318712046
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: AOL Anti-Spyware Service (AOL_SpywareServ) - Unknown owner - C:\WINDOWS\web\aolspy.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: Print Spooler Service (iiy9ca6iayz0ue) - Unknown owner - C:\WINDOWS\system32\aycjkzkyg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

Thanks again for reviewing my log.
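The tell in the log above is that one binary, C:\WINDOWS\system32\aycjkzkyg.exe, is loaded three separate ways: an HKLM\..\Run entry, an HKLM\..\RunServices entry, and an O23 service with a Microsoft-sounding display name ("Print Spooler Service") but a random internal name and "Unknown owner". Any one of those is easy to miss while reading 100 lines by eye; together they are the signature. The script below is an added example by the editor, not code from the thread or from the HijackThis project: it parses O4 and O23 lines, groups them by the image they load, and scores each image. The sample log is a constructed excerpt of the entries quoted above, and the three heuristics are the editor's, so read the "Unknown owner in system32" reason as a weak signal on its own (the ATI and Broadcom services in this very log trigger it too).

```python
"""Triage a HijackThis log: find one image registered through several autostart paths."""
import re
from collections import defaultdict

# Constructed excerpt in the layout of a HijackThis 1.99.1 log, built from the
# entries quoted in the post above; this is sample input, not a saved log file.
HJT_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [aycjkzkyg] C:\WINDOWS\system32\aycjkzkyg.exe
O4 - HKLM\..\RunServices: [aycjkzkyg] C:\WINDOWS\system32\aycjkzkyg.exe
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: Print Spooler Service (iiy9ca6iayz0ue) - Unknown owner - C:\WINDOWS\system32\aycjkzkyg.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
"""

# O4 registry-run entries: hive, key (Run, RunOnce, RunServices...), value name, command line.
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O23 services: display name, optional (internal name), owner/vendor, image path.
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?)(?: \((?P<svc>[^()]*)\))? - (?P<owner>.*?) - (?P<image>.*)$")
# First executable path in a command line, quoted or not.
EXE_RE = re.compile(r'^"?(?P<path>[A-Za-z]:\\.*?\.(?:exe|dll|com|scr|bat|sys))\b', re.IGNORECASE)
# Entries whose target no longer exists; harmless but worth removing.
ORPHAN_RE = re.compile(r"\((?:no file|file missing)\)$")


def parse_autostarts(log):
    """Map each referenced image path (lower-cased) to the autostart entries that load it."""
    refs = defaultdict(list)
    orphans = []
    for raw in log.splitlines():
        line = raw.strip()
        m = O4_RE.match(line)
        if m:
            e = EXE_RE.match(m["cmd"])
            if e:
                refs[e["path"].lower()].append((f"O4 {m['hive']}\\{m['key']}", m["name"]))
            continue
        m = O23_RE.match(line)
        if m:
            e = EXE_RE.match(m["image"])
            if e:
                svc = m["svc"] or m["display"]
                refs[e["path"].lower()].append(("O23 service", f"{svc} [{m['owner']}]"))
            continue
        if ORPHAN_RE.search(line):
            orphans.append(line)
    return refs, orphans


def triage(log):
    """Return (findings, orphans); findings are sorted so the most suspicious image comes first."""
    refs, orphans = parse_autostarts(log)
    findings = []
    for image, entries in refs.items():
        kinds = [k for k, _ in entries]
        reasons = []
        # RunServices is a Windows 9x/ME key; NT-based Windows ignores it, so XP software rarely writes there.
        if any(k.endswith("\\RunServices") for k in kinds):
            reasons.append("registered under RunServices, a Win9x-era key NT does not honour")
        # The same image as both a Run value and a service is double persistence.
        if any(k.startswith("O4") for k in kinds) and "O23 service" in kinds:
            reasons.append("same image is both a Run entry and a service")
        # Weak signal: unsigned OEM drivers (ATI, Broadcom) also show as Unknown owner.
        if "\\system32\\" in image and any(
            k == "O23 service" and "[Unknown owner]" in d for k, d in entries
        ):
            reasons.append("unknown-owner service image directly in system32 (weak alone)")
        if reasons:
            findings.append({"image": image, "entries": entries, "reasons": reasons})
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings, orphans


if __name__ == "__main__":
    found, orphan_lines = triage(HJT_LOG)
    for f in found:
        print(f["image"])
        for kind, detail in f["entries"]:
            print(f"    {kind}: {detail}")
        for r in f["reasons"]:
            print(f"    ! {r}")
    print("orphan entries with no file on disk:", len(orphan_lines))
```

On the sample, aycjkzkyg.exe collects all three reasons and is printed first; Ati2evxx.exe gets only the weak one, and the AntiVir, AVG and AOL entries get none. The two orphans are the "(no file)" BHO and the "(file missing)" MUSICMATCH button that the helper below also asked to fix.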

Comments

  • edited June 2007
    Hi ChibiBifu and welcome to Icrontic. I'm checking your log, so please be patient.
  • edited June 2007
    :) Hi ChibiBifu

    Please do the following...

    step 1
    The first thing I noticed was that you have two anti-virus programs, AVG and AntiVir PersonalEdition Classic.
    You should only be running one. Please uninstall one via Add/Remove Programs, because the recommendation is one anti-virus and one firewall per computer.

    step 2
    I also noticed that you do not have HijackThis in its own folder. That is necessary in order to ensure backups of the logs.
    Please Right Click on the desktop and choose New>Folder and name it HJT. Then cut and paste the HijackThis.exe on your desktop into the folder.

    step 3
    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O4 - HKLM\..\Run: [aycjkzkyg] C:\WINDOWS\system32\aycjkzkyg.exe
    O4 - HKLM\..\RunServices: [aycjkzkyg] C:\WINDOWS\system32\aycjkzkyg.exe
    O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html (file missing)
    O23 - Service: Print Spooler Service (iiy9ca6iayz0ue) - Unknown owner - C:\WINDOWS\system32\aycjkzkyg.exe

    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    step 4
    Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.
    @echo off
    rem Stop, then delete, the bogus "Print Spooler Service" registered under the name iiy9ca6iayz0ue.
    rem sc needs a space between the verb and the service name.
    sc stop "iiy9ca6iayz0ue"
    sc delete "iiy9ca6iayz0ue"
    Double click FixServices.bat. A window will open and close. This is normal.

    step 5
    Download SDFix and save it to your Desktop.
    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)
    Do not run scan yet.
    Reboot to safe mode
    If the computer is running, shut down Windows, and then turn off the power
    Wait 30 seconds, and then turn the computer on
    Start tapping the F8 key
    The Windows Advanced Options Menu appears
    Ensure that the Safe Mode option is selected
    Press Enter. The computer then begins to start in Safe mode
    Login on your usual account

    step 6
    Open the extracted SDFix folder and double click RunThis.bat to start the script.
    Type Y to begin the cleanup process.
    It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    Press any Key and it will restart the PC.
    When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

    step 7
    Download combofix from one of these links:
    Link1
    Link2
    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you.
    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    step 8
    Please, post these logs:
    SDFix. Report.txt
    combofix.log
  • edited June 2007
    Thanks for the quick response. Here are the two logs you requested. To note, however, HJT has been in its own folder on the desktop until the start. I believe this was brought to my attention the first time I posted here as well. Though, there is a folder called backups included in the folder as well.

    Combo Fix: log.txt

    "Christopher" - 2007-06-05 11:10:00 Service Pack 2 NTFS
    ComboFix 07-06-3 - Running from: "C:\Documents and Settings\Christopher\Desktop\"


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    -- Purity Folders:
    C:\boot.exe
    C:\DOCUME~1\CHRIST~1\APPLIC~1\АSEMB~1
    C:\Program Files\Common Files\УSTEM~1
    C:\Program Files\eqadvice
    C:\Program Files\eqadvice\hf.txt
    C:\Program Files\eqadvice\sf.txt
    C:\WINDOWS\keyboard71.dat
    C:\WINDOWS\newname.dat
    C:\WINDOWS\SYSTEM32\МCROS~1.NET
    C:\WINDOWS\SYSTEM32\УSTEM~1
    C:\WINDOWS\УSTEM~1


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    \LEGACY_CMDSERVICE
    \LEGACY_NETWORK_MONITOR


    ((((((((((((((((((((((((( Files Created from 2007-05-05 to 2007-06-05 )))))))))))))))))))))))))))))))


    2007-05-31 17:51 66,560 C:\bootOS.exe
    2007-05-17 11:56 1,156 --a C:\WINDOWS\mozver.dat
    2007-05-14 12:52 <DIR> d C:\Program Files\BitTorrent_DNA
    2007-05-14 12:52 <DIR> d C:\DOCUME~1\CHRIST~1\APPLIC~1\DNA
    2007-05-12 16:27 439,296 --a C:\DOCUME~1\CHRIST~1\GoToAssist_phone__317_en.exe
    2007-05-12 10:14 <DIR> d C:\Program Files\Common Files\SupportSoft
    2007-05-10 21:33 <DIR> d C:\Program Files\Microsoft CAPICOM 2.1.0.2


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-05 14:24:05 41,602 ----a-w C:\DOCUME~1\CHRIST~1\APPLIC~1\wklnhst.dat
    2007-05-16 16:11:43 d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\BitTorrent
    2007-05-14 16:53:37 d-----w C:\Program Files\BitTorrent
    2007-05-13 11:20:59 d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Viewpoint
    2007-04-30 21:02:19 d-----w C:\Program Files\Google
    2007-04-20 18:34:47 d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Google
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
    2002-08-29 10:00:00 520,192 -csha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
    2005-05-13 17:40:10 56 -csh--r C:\WINDOWS\SYSTEM32\F1EF70BCD8.sys
    2005-05-13 17:40:10 1,890 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
    {5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-03-15 02:04]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll [2005-11-30 14:17]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-04-30 16:20]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 21:00]
    "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-06 14:24]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 08:47]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-03-01 19:11]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-30 16:20]
    "DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-05-14 12:52]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\WINDOWS\system32\ad.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [2005-11-15 13:12]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]


    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    **************************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-05 11:14:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-05 11:15:30 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-05 11:15
    C:\ComboFix2.txt ... 2006-12-08 21:33

    --- E O F ---

    SDFix log


    SDFix: Version 1.86

    Run by Christopher - 06/05/2007 Tue - 10:54:37.18

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix\SDFix

    Safe Mode:
    Checking Services:

    Name:
    iiy9ca6iayz0ue

    ImagePath:
    C:\WINDOWS\system32\aycjkzkyg.exe /service

    iiy9ca6iayz0ue - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Missing SharedAccess Service

    Rebooting...


    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\SYSTEM32\AYCJKZ~1.EXE - Deleted
    C:\WINDOWS\Uninst2.htm - Deleted
    C:\WINDOWS\Unist1.htm - Deleted



    Removing Temp Files...

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.

    Checking if ADS is attached to ntoskrnl.exe
    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files:

    Backups Folder: - C:\SDFix\SDFix\backups\backups.zip

    Listing Files with Hidden Attributes:

    C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
    C:\Documents and Settings\Christopher\Desktop\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
    C:\WINDOWS\Web\aolspy.exe
    C:\I386\KGyGaAvL.sys
    C:\WINDOWS\SYSTEM32\F1EF70BCD8.sys
    C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
    C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp

    Listing User Accounts:

    User accounts for \\CGRANT1

    Administrator Christopher Guest
    HelpAssistant SUPPORT_388945a0 SUPPORT_3f151ab9


    Finished

    Thanks again.
  • edited June 2007
    :) Hi ChibiBifu
    Good Work!

    Please do the following...

    step 1
    Please visit Virustotal
    Click the Browse... button
    Navigate to the file C:\WINDOWS\SYSTEM32\F1EF70BCD8.sys
    Click the Open button
    Click the Send button
    Copy and paste the results back here please.

    step 2
    Click Start > Run, type in appwiz.cpl and hit Enter. From the list, uninstall the following (if present):
    Viewpoint

    step 3
    Please Open notepad and copy/paste the text in the quotebox below into it:
    File::
    C:\bootOS.exe
    Save this as ComboFix-Do.txt
    Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
    Combo-Do.gif

    This will start ComboFix again. After reboot (in case it asks to reboot),

    step 4
    Please download ATF (Atribune Temp File) Cleaner© by Atribune to your desktop.
    This program is for XP and Windows 2000 only!
    Double-click ATF Cleaner.exe to open it.
    Under Main select the following:
    * Windows Temp
    * Current User Temp
    * All Users Temp
    * Temporary Internet Files
    * Prefetch
    * Java Cache
    *The other boxes are optional*
    NOTE: If you would like to keep your saved passwords, please click No at the prompt
    Then click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    step 5
    Print out these instructions or save them with notepad or Word
    • Start AVG Anti-Spyware
    • Click the Update icon
    • Click Start update
    • Wait until updates are downloaded
    • If you are having problems with the updater, you can use this link to manually update
    • Click the Scanner icon
    • Open the Settings tab
      • Make sure that under "How to act?" it reads Quarantine
      • (If not, click the text and choose Quarantine)
      • Under "How to scan?" all checkboxes should be ticked
      • Under "Reports" select Automatically generate report after every scan
        and uncheck Only if threats were found
      • Under "What to scan?" select Scan every file

    • Click the Shield icon
    • Under the "Resident shield is" click active to make it inactive
    • Close AVG Anti-Spyware
    Reboot to safe mode
    • If the computer is running, shut down Windows, and then turn off the power
    • Wait 30 seconds, and then turn the computer on
    • Start tapping the F8 key
    • The Windows Advanced Options Menu appears
    • Ensure that the Safe Mode option is selected
    • Press Enter. The computer then begins to start in Safe mode
    • Login on your usual account
    • Close all open windows / programs / folders
    • Start AVG Anti-Spyware
    • Click the Scanner icon
    • Click Complete System Scan
    • Let the program scan the machine
    • When the scan has finished, follow the instructions below
      • Make sure that under "Set all elements to" it reads Quarantine
      • (If not, click the text and choose Quarantine)
      • Click Apply all actions
      • Click Save Report
      • Click Save reports as
      • Save report to your Desktop
    step 6
    Open HijackThis
    - Click the Do a system scan and save a log file button

    step 7
    Please, post these logs:
    VirusTotal results
    AVG Anti-Spyware
    combofix.log
    hjt-log
  • edited June 2007
    Evening :)

    Virus Total:

    Complete scanning result of "F1EF70BCD8.sys", received in VirusTotal at 06.07.2007, 03:21:47 (CET).

    Antivirus Version Update Result
    AhnLab-V3 2007.5.31.2 06.05.2007 no virus found
    AntiVir 7.4.0.32 06.06.2007 no virus found
    Authentium 4.93.8 05.23.2007 no virus found
    Avast 4.7.997.0 06.06.2007 no virus found
    AVG 7.5.0.467 06.06.2007 no virus found
    BitDefender 7.2 06.07.2007 no virus found
    CAT-QuickHeal 9.00 06.06.2007 no virus found
    ClamAV devel-20070416 06.07.2007 no virus found
    DrWeb 4.33 06.07.2007 no virus found
    eSafe 7.0.15.0 06.06.2007 no virus found
    eTrust-Vet 30.7.3698 06.07.2007 no virus found
    Ewido 4.0 06.06.2007 no virus found
    FileAdvisor 1 06.07.2007 no virus found
    Fortinet 2.85.0.0 06.07.2007 no virus found
    F-Prot 4.3.2.48 06.06.2007 no virus found
    F-Secure 6.70.13030.0 06.07.2007 no virus found
    Ikarus T3.1.1.8 06.06.2007 no virus found
    Kaspersky 4.0.2.24 06.07.2007 no virus found
    McAfee 5047 06.06.2007 no virus found
    Microsoft 1.2503 06.06.2007 no virus found
    NOD32v2 2314 06.06.2007 no virus found
    Norman 5.80.02 06.06.2007 no virus found
    Panda 9.0.0.4 06.07.2007 no virus found
    Prevx1 V2 06.07.2007 no virus found
    Sophos 4.18.0 06.01.2007 no virus found
    Sunbelt 2.2.907.0 06.04.2007 no virus found
    Symantec 10 06.07.2007 no virus found
    TheHacker 6.1.6.130 06.06.2007 no virus found
    VBA32 3.12.0 06.06.2007 no virus found
    VirusBuster 4.3.23:9 06.06.2007 no virus found
    Webwasher-Gateway 6.0.1 06.06.2007 no virus found

    Additional Information
    File size: 56 bytes
    MD5: e35c8b652dc734994494f0268e763c88
    SHA1: 494e519a7ebbe248e9caca4649bb87eae7c2b39c

    Combo Fix:

    "Christopher" - 2007-06-06 21:30:12 Service Pack 2 NTFS
    Command switches used :: ""C:\Documents and Settings\Christopher\Desktop\ComboFix-Do.txt""


    ((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


    2007-06-06 21:16 95,232 --a C:\WINDOWS\SYSTEM32\vtjyskhnzuw.exe
    2007-06-06 20:44 95,232 --a C:\WINDOWS\SYSTEM32\kaoqx.exe
    2007-06-06 07:15 66,560 --a C:\WINDOWS\SYSTEM32\zehsxdxqs.exe
    2007-06-05 19:03 66,560 --a C:\WINDOWS\SYSTEM32\jbtz.exe
    2007-06-05 14:09 66,560 --a C:\WINDOWS\SYSTEM32\yjpo.exe
    2007-06-05 12:01 66,560 --a C:\WINDOWS\SYSTEM32\mnflrdosse.exe
    2007-06-05 11:58 66,560 --a C:\WINDOWS\SYSTEM32\bxuqutcwlwcd.exe
    2007-06-05 11:15 49,152 --a C:\WINDOWS\nircmd.exe
    2007-05-17 11:56 1,156 --a C:\WINDOWS\mozver.dat
    2007-05-14 12:52 <DIR> d C:\Program Files\BitTorrent_DNA
    2007-05-14 12:52 <DIR> d C:\DOCUME~1\CHRIST~1\APPLIC~1\DNA
    2007-05-12 16:27 439,296 --a C:\DOCUME~1\CHRIST~1\GoToAssist_phone__317_en.exe
    2007-05-12 10:14 <DIR> d C:\Program Files\Common Files\SupportSoft
    2007-05-10 21:33 <DIR> d C:\Program Files\Microsoft CAPICOM 2.1.0.2


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-07 00:20:26 41,340 ----a-w C:\DOCUME~1\CHRIST~1\APPLIC~1\wklnhst.dat
    2007-05-16 16:11:43 d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\BitTorrent
    2007-05-14 16:53:37 d-----w C:\Program Files\BitTorrent
    2007-05-13 11:20:59 d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Viewpoint
    2007-04-30 21:02:19 d-----w C:\Program Files\Google
    2007-04-20 18:34:47 d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Google
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
    2002-08-29 10:00:00 520,192 -csha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
    2005-05-13 17:40:10 56 -csh--r C:\WINDOWS\SYSTEM32\F1EF70BCD8.sys
    2005-05-13 17:40:10 1,890 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
    {5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-03-15 02:04]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll [2005-11-30 14:17]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-04-30 16:20]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 21:00]
    "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-06 14:24]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 08:47]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-03-01 19:11]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-30 16:20]
    "DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-05-14 12:52]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "bxuqutcwlwcd"=C:\WINDOWS\system32\bxuqutcwlwcd.exe
    "mnflrdosse"=C:\WINDOWS\system32\mnflrdosse.exe
    "yjpo"=C:\WINDOWS\system32\yjpo.exe
    "jbtz"=C:\WINDOWS\system32\jbtz.exe
    "zehsxdxqs"=C:\WINDOWS\system32\zehsxdxqs.exe
    "kaoqx"=C:\WINDOWS\system32\kaoqx.exe

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source= C:\WINDOWS\system32\ad.html
    FriendlyName=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [2005-11-15 13:12]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]


    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    **************************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-06 21:32:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-06 21:33:35
    C:\ComboFix-quarantined-files.txt ... 2007-06-06 21:33
    C:\ComboFix2.txt ... 2007-06-05 11:15
    C:\ComboFix3.txt ... 2006-12-08 21:33

    --- E O F ---

    AVG Anti-Spyware - Scan Report

    + Created at: 10:19:38 PM 6/6/2007

    + Scan result:



    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} -> Adware.RogueSuspect : Cleaned with backup (quarantined).
    :mozilla.204:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.205:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.210:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.224:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.246:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.247:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.248:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.105:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.106:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.107:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.108:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.109:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
    :mozilla.81:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.83:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.84:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.85:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.86:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.110:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    :mozilla.51:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    :mozilla.91:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.92:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.93:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.94:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.95:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.96:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.97:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.98:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.99:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.67:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Com : Cleaned.
    :mozilla.82:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
    :mozilla.355:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Esomniture : Cleaned.
    :mozilla.282:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
    :mozilla.283:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
    :mozilla.284:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
    :mozilla.285:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
    :mozilla.286:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Euroclick : Cleaned.
    :mozilla.220:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.236:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.281:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.352:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Googleadservices : Cleaned.
    :mozilla.219:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
    :mozilla.223:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Paypal : Cleaned.
    :mozilla.322:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.323:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.324:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.325:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.101:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
    :mozilla.102:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
    :mozilla.103:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
    :mozilla.104:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
    :mozilla.199:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.200:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.201:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.202:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.206:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.207:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.208:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.209:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.211:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.212:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.213:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.214:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.345:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.346:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.347:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.348:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.349:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.143:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.144:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.145:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.146:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.147:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.148:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
    :mozilla.75:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.76:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    :mozilla.215:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.216:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.217:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.218:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.326:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.329:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Tacoda : Cleaned.
    :mozilla.287:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.288:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.289:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.290:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.291:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.292:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.88:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.312:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.313:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.314:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.315:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.316:C:\Documents and Settings\Christopher\Application Data\Mozilla\Firefox\Profiles\o6yp81uq.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end

    Logfile of HijackThis v1.99.1
    Scan saved at 10:24:23 PM, on 6/6/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\web\aolspy.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\v.exe
    C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\BitTorrent\bittorrent.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\BitTorrent_DNA\dna.exe
    C:\Program Files\Impulse\PolicyKey.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Documents and Settings\Christopher\Desktop\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [vtjyskhnzuw] C:\WINDOWS\system32\vtjyskhnzuw.exe
    O4 - HKLM\..\Run: [v] C:\WINDOWS\system32\v.exe
    O4 - HKLM\..\RunServices: [bxuqutcwlwcd] C:\WINDOWS\system32\bxuqutcwlwcd.exe
    O4 - HKLM\..\RunServices: [mnflrdosse] C:\WINDOWS\system32\mnflrdosse.exe
    O4 - HKLM\..\RunServices: [yjpo] C:\WINDOWS\system32\yjpo.exe
    O4 - HKLM\..\RunServices: [jbtz] C:\WINDOWS\system32\jbtz.exe
    O4 - HKLM\..\RunServices: [zehsxdxqs] C:\WINDOWS\system32\zehsxdxqs.exe
    O4 - HKLM\..\RunServices: [kaoqx] C:\WINDOWS\system32\kaoqx.exe
    O4 - HKLM\..\RunServices: [vtjyskhnzuw] C:\WINDOWS\system32\vtjyskhnzuw.exe
    O4 - HKLM\..\RunServices: [v] C:\WINDOWS\system32\v.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PolicyKey.lnk = C:\Program Files\Impulse\PolicyKey.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146318712046
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Anti-Spyware Service (AOL_SpywareServ) - Unknown owner - C:\WINDOWS\web\aolspy.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Print Spooler Service (iiy9ca6iayz0ue) - Unknown owner - C:\WINDOWS\system32\vtjyskhnzuw.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • edited June 2007
    Hi ChibiBifu :)

    Please do the following...


    step 1
    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O4 - HKLM\..\Run: [vtjyskhnzuw] C:\WINDOWS\system32\vtjyskhnzuw.exe
    O4 - HKLM\..\Run: [v] C:\WINDOWS\system32\v.exe
    O4 - HKLM\..\RunServices: [bxuqutcwlwcd] C:\WINDOWS\system32\bxuqutcwlwcd.exe
    O4 - HKLM\..\RunServices: [mnflrdosse] C:\WINDOWS\system32\mnflrdosse.exe
    O4 - HKLM\..\RunServices: [yjpo] C:\WINDOWS\system32\yjpo.exe
    O4 - HKLM\..\RunServices: [jbtz] C:\WINDOWS\system32\jbtz.exe
    O4 - HKLM\..\RunServices: [zehsxdxqs] C:\WINDOWS\system32\zehsxdxqs.exe
    O4 - HKLM\..\RunServices: [kaoqx] C:\WINDOWS\system32\kaoqx.exe
    O4 - HKLM\..\RunServices: [vtjyskhnzuw] C:\WINDOWS\system32\vtjyskhnzuw.exe
    O4 - HKLM\..\RunServices: [v] C:\WINDOWS\system32\v.exe
    O23 - Service: Print Spooler Service (iiy9ca6iayz0ue) - Unknown owner - C:\WINDOWS\system32\vtjyskhnzuw.exe
    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    step 2
    Please Open notepad and copy/paste the text in the quotebox below into it:
    File::
    C:\WINDOWS\system32\v.exe
    C:\WINDOWS\system32\vtjyskhnzuw.exe
    C:\WINDOWS\system32\bxuqutcwlwcd.exe
    C:\WINDOWS\system32\mnflrdosse.exe
    C:\WINDOWS\system32\yjpo.exe
    C:\WINDOWS\system32\jbtz.exe
    C:\WINDOWS\system32\zehsxdxqs.exe
    C:\WINDOWS\system32\kaoqx.exe
    C:\WINDOWS\system32\vtjyskhnzuw.exe
    C:\WINDOWS\system32\ad.html

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "bxuqutcwlwcd"=-
    "mnflrdosse"=-
    "yjpo"=-
    "jbtz"=-
    "zehsxdxqs"=-
    "kaoqx"=-
    [-HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Save this as ComboFix-Do.txt
    Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
    [screenshot: Combo-Do.gif]

    This will start ComboFix again. After the reboot, go into Safe Mode:
    If the computer is running, shut down Windows, and then turn off the power
    Wait 30 seconds, and then turn the computer on
    Start tapping the F8 key
    The Windows Advanced Options Menu appears
    Ensure that the Safe Mode option is selected
    Press Enter. The computer then begins to start in Safe mode
    Login on your usual account

    step 3
    Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.
    @echo off
    rem stop, then remove, the rogue service registered as "Print Spooler Service" (iiy9ca6iayz0ue)
    rem note the space after stop/delete: sc treats a name glued to the verb as an unknown command
    sc stop "iiy9ca6iayz0ue"
    sc delete "iiy9ca6iayz0ue"
    Double click FixServices.bat. A window will open and close. This is normal.

    step 4
    Open the extracted SDFix folder and double click RunThis.bat to start the script.
    Type Y to begin the cleanup process.
    It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    Press any Key and it will restart the PC.
    When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

    step 5
    Download and Save Blacklight to your desktop (choose "I ACCEPT" then click "DOWNLOAD" on the website).
    Double-click fsbl.exe then accept the agreement, click > "Scan" then > "Next".
    You'll see a list of all items found. There will also be a log on your desktop with the name "fsbl.xxxxxxxxxxxxxx.log" (the xxxxxxxxxxxxxx stand for numbers).
    DON'T choose Rename if something was found!

    step 6
    Open HijackThis
    - Click the Do a system scan and save a log file button
    step 7
    Please post these logs:
    SDFix. Report.txt
    combofix.log
    fsbl.log
    hjt-log
  • edited June 2007
    Hi Hi!


    SDFix: Version 1.86

    Run by Christopher - 06/07/2007 Thu - 14:37:38.04

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix\SDFix

    Safe Mode:
    Checking Services:

    Name:
    iiy9ca6iayz0ue
    iiy9ca6iayz0ue

    ImagePath:
    C:\WINDOWS\system32\v.exe /service
    C:\WINDOWS\system32\v.exe /service

    iiy9ca6iayz0ue - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File
    Restoring Missing SharedAccess Service

    Rebooting...


    Normal Mode:
    Checking Files:

    No Trojan Files Found




    Removing Temp Files...

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.

    Checking if ADS is attached to ntoskrnl.exe
    C:\WINDOWS\system32\ntoskrnl.exe
    No streams found.



    Final Check:

    Remaining Services:



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files:


    Listing Files with Hidden Attributes:

    C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
    C:\Documents and Settings\Christopher\Desktop\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
    C:\WINDOWS\Web\aolspy.exe
    C:\I386\KGyGaAvL.sys
    C:\WINDOWS\SYSTEM32\F1EF70BCD8.sys
    C:\WINDOWS\SYSTEM32\KGyGaAvL.sys
    C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp
    C:\WINDOWS\SYSTEM32\CONFIG\DEFAULT.tmp.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SAM.tmp.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SECURITY.tmp.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SOFTWARE.tmp.LOG
    C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM.tmp.LOG

    Listing User Accounts:

    User accounts for \\CGRANT1

    Administrator Christopher Guest
    HelpAssistant SUPPORT_388945a0 SUPPORT_3f151ab9


    Finished

    "Christopher" - 2007-06-07 14:27:28 Service Pack 2 NTFS
    Command switches used :: ""C:\Documents and Settings\Christopher\Desktop\ComboFix-Do.txt""


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\bxuqutcwlwcd.exe
    C:\WINDOWS\system32\jbtz.exe
    C:\WINDOWS\system32\kaoqx.exe
    C:\WINDOWS\system32\mnflrdosse.exe
    C:\WINDOWS\system32\v.exe
    C:\WINDOWS\system32\vtjyskhnzuw.exe
    C:\WINDOWS\system32\yjpo.exe
    C:\WINDOWS\system32\zehsxdxqs.exe


    ((((((((((((((((((((((((( Files Created from 2007-05-07 to 2007-06-07 )))))))))))))))))))))))))))))))


    2007-06-05 11:15 49,152 --a C:\WINDOWS\nircmd.exe
    2007-05-17 11:56 1,156 --a C:\WINDOWS\mozver.dat
    2007-05-14 12:52 <DIR> d C:\Program Files\BitTorrent_DNA
    2007-05-14 12:52 <DIR> d C:\DOCUME~1\CHRIST~1\APPLIC~1\DNA
    2007-05-12 16:27 439,296 --a C:\DOCUME~1\CHRIST~1\GoToAssist_phone__317_en.exe
    2007-05-12 10:14 <DIR> d C:\Program Files\Common Files\SupportSoft
    2007-05-10 21:33 <DIR> d C:\Program Files\Microsoft CAPICOM 2.1.0.2


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-07 12:50:42 41,186 ----a-w C:\DOCUME~1\CHRIST~1\APPLIC~1\wklnhst.dat
    2007-06-07 10:56:48 d w C:\Program Files\Microsoft AntiSpyware
    2007-05-16 16:11:43 d w C:\DOCUME~1\CHRIST~1\APPLIC~1\BitTorrent
    2007-05-14 16:53:37 d w C:\Program Files\BitTorrent
    2007-05-13 11:20:59 d w C:\DOCUME~1\CHRIST~1\APPLIC~1\Viewpoint
    2007-04-30 21:02:19 d w C:\Program Files\Google
    2007-04-20 18:34:47 d w C:\DOCUME~1\CHRIST~1\APPLIC~1\Google
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys
    2002-08-29 10:00:00 520,192 -csha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
    2005-05-13 17:40:10 56 -csh--r C:\WINDOWS\SYSTEM32\F1EF70BCD8.sys
    2005-05-13 17:40:10 1,890 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
    {5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-03-15 02:04]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll [2005-11-30 14:17]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-04-30 16:20]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 21:00]
    "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-06 14:24]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 08:47]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-03-01 19:11]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-30 16:20]
    "DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-05-14 12:52]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [2005-11-15 13:12]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]


    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    **************************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-07 14:30:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    cmd.exe [2432]


    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-07 14:30:58
    C:\ComboFix-quarantined-files.txt ... 2007-06-07 14:30
    C:\ComboFix2.txt ... 2007-06-06 21:33
    C:\ComboFix3.txt ... 2007-06-05 11:15

    --- E O F ---


    06/07/07 14:48:14 [Info]: BlackLight Engine 1.0.61 initialized
    06/07/07 14:48:14 [Info]: OS: 5.1 build 2600 (Service Pack 2)
    06/07/07 14:48:15 [Note]: 7019 4
    06/07/07 14:48:15 [Note]: 7005 0
    06/07/07 14:48:18 [Note]: 7006 0
    06/07/07 14:48:18 [Note]: 7011 1424
    06/07/07 14:48:19 [Note]: 7026 0
    06/07/07 14:48:19 [Note]: 7026 0
    06/07/07 14:48:23 [Note]: FSRAW library version 1.7.1021
    06/07/07 15:02:03 [Note]: 2000 1012
    06/07/07 15:02:03 [Note]: 2000 1012
    06/07/07 15:02:03 [Note]: 2000 1012
    06/07/07 15:02:03 [Note]: 2000 1012
    06/07/07 15:02:03 [Note]: 2000 1012
    06/07/07 15:02:03 [Note]: 2000 1012
    06/07/07 15:02:03 [Note]: 2000 1012
    06/07/07 15:06:39 [Note]: 7007 0



    Logfile of HijackThis v1.99.1
    Scan saved at 3:07:04 PM, on 6/7/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\web\aolspy.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\conime.exe
    C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\BitTorrent\bittorrent.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\BitTorrent_DNA\dna.exe
    C:\Program Files\Impulse\PolicyKey.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Christopher\Desktop\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PolicyKey.lnk = C:\Program Files\Impulse\PolicyKey.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146318712046
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Anti-Spyware Service (AOL_SpywareServ) - Unknown owner - C:\WINDOWS\web\aolspy.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • edited June 2007
    :) Hi ChibiBifu
    Good Work!

    We have two things to do:
    step 1
    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    step 2
    Please run this online scan:
    Panda ActiveScan

    • Once you are on the Panda site, click the Scan your PC button
    • A new window will open...click the Check Now button
    • Enter your Country
    • Enter your State/Province
    • Enter your e-mail address and click send
    • Select either Home User or Company
    • Click the big Scan Now button
    • If it wants to install an ActiveX component allow it
    • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
    • When download is complete, click on Local Disks to start the scan
    • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.
    Post the contents of the Panda scan report and a fresh hjt-log.
  • edited June 2007
    Good morning,

    Unfortunately, much like the previous times I was asked to visit that website, the update always failed. Today was no different. :mad:

    Logfile of HijackThis v1.99.1
    Scan saved at 8:07:25 AM, on 6/8/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\web\aolspy.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\uabgkolmb.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\BitTorrent_DNA\dna.exe
    C:\Program Files\Impulse\PolicyKey.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Christopher\Desktop\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [uabgkolmb] C:\WINDOWS\system32\uabgkolmb.exe
    O4 - HKLM\..\Run: [najs] C:\WINDOWS\system32\najs.exe
    O4 - HKLM\..\RunServices: [uabgkolmb] C:\WINDOWS\system32\uabgkolmb.exe
    O4 - HKLM\..\RunServices: [najs] C:\WINDOWS\system32\najs.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PolicyKey.lnk = C:\Program Files\Impulse\PolicyKey.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146318712046
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Anti-Spyware Service (AOL_SpywareServ) - Unknown owner - C:\WINDOWS\web\aolspy.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: Print Spooler Service (iiy9ca6iayz0ue) - Unknown owner - C:\WINDOWS\system32\najs.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
  • edited June 2007
    :) Hi ChibiBifu
    Don't worry if you can't run Panda ActiveScan;
    you can do that later.

    Please do the following...

    step 1
    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O4 - HKLM\..\Run: [uabgkolmb] C:\WINDOWS\system32\uabgkolmb.exe
    O4 - HKLM\..\Run: [najs] C:\WINDOWS\system32\najs.exe
    O4 - HKLM\..\RunServices: [uabgkolmb] C:\WINDOWS\system32\uabgkolmb.exe
    O4 - HKLM\..\RunServices: [najs] C:\WINDOWS\system32\najs.exe
    O23 - Service: Print Spooler Service (iiy9ca6iayz0ue) - Unknown owner - C:\WINDOWS\system32\najs.exe

    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    step 2
    Please copy (Ctrl+C) and paste (Ctrl+V) the following text in the quote to Notepad. Save it as "All Files" and name it FixServices.bat. Please save it on your desktop.
    @echo off
    sc stop iiy9ca6iayz0ue
    sc delete iiy9ca6iayz0ue
    Double click FixServices.bat. A window will open and close. This is normal.

    step 3
    Please open Notepad and copy/paste the text in the quote box below into it:
    File::
    C:\WINDOWS\system32\uabgkolmb.exe
    C:\WINDOWS\system32\najs.exe
    Save this as ComboFix-Do.txt
    Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
    Combo-Do.gif

    This will start ComboFix again. After the reboot (in case it asks to reboot):

    step 4
    Download WinPFind by OldTimer here
    Double click on winpfind.exe to extract it
    Click extract
    Wait for the message "All files have been extracted" and then click OK
    This will create the folder winPFind on your desktop
    Inside that folder is a file called WinPFind.exe
    Double click on that file to launch WinPFind
    This will launch a configuration screen
    Under Driver Services change the selection to Non-Microsoft
    Under File Created Within change the selection to 60 days
    Leave the other settings as they are
    Click Run Scan
    During the scan WinPFind may appear to be not responding; this is normal.
    Wait for the scan to finish, this may take several minutes
    A notepad window will open with WinPFind's log.
    Copy and paste the contents of that window here.
    Note: You may need several posts to post the entire log, or it might get cut off.

    step 5
    Open HijackThis
    - Click the Do a system scan and save a log file button

    step 6
    Please, post these logs:
    combofix.log
    WinPFind log
    hjt-log
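As an added example (not part of this thread, nor code from HijackThis, SDFix or ComboFix), the Python script below applies the same triage the helper did by hand in step 1 here and in the earlier FixServices step: it parses O4/O23 lines, flags RunServices autostarts, services whose display name borrows a built-in Windows name but whose binary is the wrong one, machine-generated service names, and every other entry that launches a binary already flagged. The sample log, the EXPECTED_SERVICE_BINARY table and the looks_generated heuristic are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the shape of the HJT logs posted in this thread: the five
# entries the helper asked to fix plus three legitimate entries as controls.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [uabgkolmb] C:\WINDOWS\system32\uabgkolmb.exe
O4 - HKLM\..\Run: [najs] C:\WINDOWS\system32\najs.exe
O4 - HKLM\..\RunServices: [uabgkolmb] C:\WINDOWS\system32\uabgkolmb.exe
O4 - HKLM\..\RunServices: [najs] C:\WINDOWS\system32\najs.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: Print Spooler Service (iiy9ca6iayz0ue) - Unknown owner - C:\WINDOWS\system32\najs.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
"""

# Hypothetical lookup table for this example: display names of built-in Windows XP
# services and the binary that really implements each.  A service borrowing the name
# but pointing elsewhere is masquerading, as "Print Spooler Service" -> najs.exe above.
EXPECTED_SERVICE_BINARY = {
    "print spooler": "spoolsv.exe",
    "windows installer": "msiexec.exe",
    "security accounts manager": "lsass.exe",
}

O4_RE = re.compile(r"^O4 - (?P<hive>\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.+?)(?: \((?P<short>[^)]+)\))? - (?P<owner>.+?) - (?P<path>.+)$")
EXE_RE = re.compile(r'"?(?P<path>[^"]+?\.exe)', re.IGNORECASE)


@dataclass
class Entry:
    line: str
    kind: str                 # "O4" (registry autostart) or "O23" (service)
    key: str                  # Run/RunServices for O4, service short name for O23
    display: str              # value name (O4) or service display name (O23)
    path: str                 # lower-cased image path, "" if none was extracted
    reasons: list = field(default_factory=list)


def image_path(cmd: str) -> str:
    # Pull the executable out of a command line such as '"C:\x\y.exe" /flag'.
    m = EXE_RE.match(cmd.strip())
    return m.group("path").lower() if m else ""


def parse_hjt(text: str) -> list:
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            entries.append(Entry(line, "O4", m["key"], m["name"], image_path(m["cmd"])))
        elif m := O23_RE.match(line):
            entries.append(Entry(line, "O23", m["short"] or "", m["display"],
                                 image_path(m["path"])))
    return entries


def looks_generated(name: str) -> bool:
    # Heuristic of this example: all-lowercase letters and digits alternating several
    # times, like iiy9ca6iayz0ue; vendor names such as Avg7UpdSvc keep their capitals.
    if not re.fullmatch(r"[a-z0-9]{8,}", name):
        return False
    classes = ["d" if c.isdigit() else "a" for c in name]
    transitions = sum(1 for a, b in zip(classes, classes[1:]) if a != b)
    return "d" in classes and "a" in classes and transitions >= 3


def analyse(entries: list) -> list:
    """Attach a reason to every suspicious entry and return just the flagged ones."""
    for e in entries:
        if e.kind == "O4" and e.key.lower() == "runservices":
            # RunServices is a Windows 9x/ME key; the NT family ignores it, so on XP
            # only something trying to persist on every Windows version writes there.
            e.reasons.append("RunServices autostart on an NT-family system")
        if e.kind == "O23":
            base = e.path.rsplit("\\", 1)[-1]
            for name, expected in EXPECTED_SERVICE_BINARY.items():
                if name in e.display.lower() and base != expected:
                    e.reasons.append(f"claims to be '{name}' but runs {base}, not {expected}")
            if looks_generated(e.key):
                e.reasons.append(f"machine-generated service name '{e.key}'")
    # Second pass: any other entry launching a binary that was just flagged belongs to
    # the same infection.  This is what catches the plain Run values for najs/uabgkolmb.
    bad_paths = {e.path for e in entries if e.reasons and e.path}
    for e in entries:
        if not e.reasons and e.path in bad_paths:
            e.reasons.append("same binary as a flagged entry")
    return [e for e in entries if e.reasons]


def flagged_entries(text: str) -> list:
    return analyse(parse_hjt(text))


if __name__ == "__main__":
    for e in flagged_entries(SAMPLE_HJT_LOG):
        print(e.line)
        for r in e.reasons:
            print("    ->", r)
```

On a real log, pass the whole HJT output to flagged_entries(); lines of other types (O2, O16, running processes) are ignored by the parser.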
  • edited June 2007
    Back once again.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:20:36 PM, on 6/9/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\web\aolspy.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\BitTorrent_DNA\dna.exe
    C:\Program Files\Impulse\PolicyKey.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\notepad.exe
    C:\Documents and Settings\Christopher\Desktop\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\RunServices: [iqptn] C:\WINDOWS\system32\iqptn.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PolicyKey.lnk = C:\Program Files\Impulse\PolicyKey.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146318712046
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Anti-Spyware Service (AOL_SpywareServ) - Unknown owner - C:\WINDOWS\web\aolspy.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    "Christopher" - 2007-06-09 15:09:04 Service Pack 2 NTFS
    Command switches used :: ""C:\Documents and Settings\Christopher\Desktop\ComboFix-Do.txt""


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\k.exe
    C:\WINDOWS\system32\najs.exe
    C:\WINDOWS\system32\uabgkolmb.exe


    ((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


    2007-06-08 16:56 99,328 --a C:\WINDOWS\SYSTEM32\iqptn.exe
    2007-06-05 11:15 49,152 --a C:\WINDOWS\nircmd.exe
    2007-05-17 11:56 1,156 --a C:\WINDOWS\mozver.dat
    2007-05-14 12:52 <DIR> d C:\Program Files\BitTorrent_DNA
    2007-05-14 12:52 <DIR> d C:\DOCUME~1\CHRIST~1\APPLIC~1\DNA
    2007-05-12 16:27 439,296 --a C:\DOCUME~1\CHRIST~1\GoToAssist_phone__317_en.exe
    2007-05-12 10:14 <DIR> d C:\Program Files\Common Files\SupportSoft
    2007-05-10 21:33 <DIR> d C:\Program Files\Microsoft CAPICOM 2.1.0.2


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-09 12:42:40 41,494 ----a-w C:\DOCUME~1\CHRIST~1\APPLIC~1\wklnhst.dat
    2007-06-07 10:56:48 d-----w C:\Program Files\Microsoft AntiSpyware
    2007-05-16 16:11:43 d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\BitTorrent
    2007-05-14 16:53:37 d-----w C:\Program Files\BitTorrent
    2007-05-13 11:20:59 d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Viewpoint
    2007-04-30 21:02:19 d-----w C:\Program Files\Google
    2007-04-20 18:34:47 d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Google
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2002-08-29 10:00:00 520,192 -csha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
    2005-05-13 17:40:10 56 -csh--r C:\WINDOWS\SYSTEM32\F1EF70BCD8.sys
    2005-05-13 17:40:10 1,890 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
    {5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-03-15 02:04]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll [2005-11-30 14:17]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-04-30 16:20]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 21:00]
    "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-06 14:24]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 08:47]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-03-01 19:11]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-30 16:20]
    "DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-05-14 12:52]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "iqptn"=C:\WINDOWS\system32\iqptn.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [2005-11-15 13:12]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]


    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    **************************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-09 15:12:01
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    cmd.exe [3132]


    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-09 15:12:36
    C:\ComboFix-quarantined-files.txt ... 2007-06-09 15:12
    C:\ComboFix2.txt ... 2007-06-07 14:30
    C:\ComboFix3.txt ... 2007-06-06 21:33

    --- E O F ---
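The two logs above are what the helpers in this thread read by hand: the HijackThis O4 lines list the autostart entries, ComboFix's "Files Created" block lists recent file drops, and the entry that stands out is the one present in both (iqptn.exe, written to the RunServices key and created the day before the scan, right after the previous clean-up). The script below is an added example, not a tool from this thread or from the HijackThis or ComboFix authors, that automates that cross-reference. Its sample lines are constructed from the formats shown above (ComboFix's normal single-line layout is used for the "Files Created" entries, which the forum rendering split across two lines), and the scan date and the 30-day window are assumptions.

```python
"""Cross-reference HijackThis O4 autostart entries with ComboFix's
"Files Created" report to spot freshly dropped autostart binaries.

Added example for this thread; it is not a HijackThis or ComboFix feature.
"""
import re
from datetime import date

# HijackThis O4 registry line, e.g.
#   O4 - HKLM\..\RunServices: [iqptn] C:\WINDOWS\system32\iqptn.exe
O4_REG = re.compile(
    r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$')

# First .exe path in a Run value, quoted or not, with any arguments after it.
EXE_IN_CMD = re.compile(r'^"?(?P<exe>[A-Za-z]:\\.+?\.exe)', re.IGNORECASE)

# ComboFix "Files Created" line (single-line layout): date time size attrs path
#   2007-06-08 16:56  99,328  --a------  C:\WINDOWS\SYSTEM32\iqptn.exe
CF_CREATED = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) \d{2}:\d{2}\s+(?:[\d,]+|<DIR>)\s+\S+\s+'
    r'(?P<path>[A-Za-z]:\\.+)$')

# RunServices/RunServicesOnce are Windows 9x/Me keys that Windows XP does not
# process; legitimate XP software has no reason to write there.
LEGACY_KEYS = {'runservices', 'runservicesonce'}


def parse_hjt_autostarts(hjt_text):
    """Return [(hive, key, name, exe_path_or_None)] for every O4 registry line."""
    entries = []
    for line in hjt_text.splitlines():
        m = O4_REG.match(line.strip())
        if m:
            exe = EXE_IN_CMD.match(m['cmd'])
            entries.append((m['hive'], m['key'], m['name'], exe['exe'] if exe else None))
    return entries


def parse_combofix_created(cf_text):
    """Return {lower-cased path: creation date} from a 'Files Created' block."""
    created = {}
    for line in cf_text.splitlines():
        m = CF_CREATED.match(line.strip())
        if m:
            created[m['path'].lower()] = date.fromisoformat(m['date'])
    return created


def flag_autostarts(hjt_text, cf_text, scan_date, max_age_days=30):
    """Map each suspicious O4 entry name to the reasons it needs a closer look.

    Paths are compared case-insensitively but not otherwise normalised, so an
    8.3 short name (PROGRA~1) will not match its long form; those entries
    still need a manual check.
    """
    created = parse_combofix_created(cf_text)
    flagged = {}
    for hive, key, name, exe in parse_hjt_autostarts(hjt_text):
        reasons = []
        if key.lower() in LEGACY_KEYS:
            reasons.append('legacy Win9x %s key under %s' % (key, hive))
        if exe is None:
            reasons.append('value does not point at an .exe')
        else:
            when = created.get(exe.lower())
            if when is not None and 0 <= (scan_date - when).days <= max_age_days:
                reasons.append('binary created %s, %d day(s) before the scan'
                               % (when.isoformat(), (scan_date - when).days))
        if reasons:
            flagged[name] = reasons
    return flagged


# Constructed sample, cut down from the logs posted in this thread.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\RunServices: [iqptn] C:\WINDOWS\system32\iqptn.exe
O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
"""
SAMPLE_CF = r"""
2007-06-08 16:56  99,328  --a------  C:\WINDOWS\SYSTEM32\iqptn.exe
2007-06-05 11:15  49,152  --a------  C:\WINDOWS\nircmd.exe
2007-05-14 12:52  <DIR>   d--------  C:\Program Files\BitTorrent_DNA
"""
SCAN_DATE = date(2007, 6, 9)  # assumed: the date of the ComboFix run above


def triage_sample():
    return flag_autostarts(SAMPLE_HJT, SAMPLE_CF, SCAN_DATE)


if __name__ == '__main__':
    for name, reasons in triage_sample().items():
        print('%s: %s' % (name, '; '.join(reasons)))
```

Run stand-alone it prints only the iqptn entry, with both reasons; the QuickTime, AVG and DNA entries are left alone because their binaries are not in the created-files list (the BitTorrent_DNA line is a directory, not the dna.exe path itself). A match on creation date alone is only a lead, not a verdict: nircmd.exe was also created in the window but has no autostart entry, and any installer run in the last month will leave similar traces.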
  • edited June 2007
    WinPFind logfile created on: 6/9/2007 3:14:39 PM
    WinPFind by OldTimer - v2.0.3 Folder = C:\Documents and Settings\Christopher\Desktop\WinPFind\

    »»»»»»»»»»»»»»»»»»»»»»»» Windows OS and Versions »»»»»»»»»»»»»»»»»»»»»»»»

    Product Name: Microsoft Windows XP Service Pack 2 | Version: 5.1.2600
    Internet Explorer Version: 6.0.2900.2180

    »»»»»»»»»»»»»»»»»»»»»»»» Memory/Drive Info »»»»»»»»»»»»»»»»»»»»»»»»

    511.21 Mb Total Physical Memory | 222.43 Mb Available Physical Memory | 43.51% Memory free
    1.22 Gb Paging File | 0.98 Gb Available in Paging File | 80.40% Paging File free
    Paging file location(s): C:\pagefile.sys 768 1536;

    %SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
    Drive C: | 52.83 Gb Total Space | 15.24 Gb Free Space | 28.84% Space Free
    D: Drive not present or media not loaded
    E: Drive not present or media not loaded
    F: Drive not present or media not loaded

    Computer Name: CGRANT1
    Current User Name: Christopher
    Logged in as Administrator.
    Current Boot Mode: Normal

    »»»»»»»»»»»»»»»»»»»»»»»» Running Processes (Non-Microsoft) »»»»»»»»»»»»»»»»»»»»»»»»

    C:\Documents and Settings\Christopher\Desktop\WinPFind\WinPFind.exe (OldTimer Tools)
    C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe (ATI Technologies Inc.)
    C:\Program Files\BitTorrent_DNA\dna.exe ()
    C:\Program Files\Common Files\AOL\ACS\acsd.exe (America Online, Inc.)
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (Google Inc.)
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (Anti-Malware Development a.s.)
    C:\Program Files\Grisoft\AVG Free\avgamsvr.exe (GRISOFT, s.r.o.)
    C:\Program Files\Grisoft\AVG Free\avgcc.exe (GRISOFT, s.r.o.)
    C:\Program Files\Grisoft\AVG Free\avgemc.exe (GRISOFT, s.r.o.)
    C:\Program Files\Grisoft\AVG Free\avgupsvc.exe (GRISOFT, s.r.o.)
    C:\Program Files\Impulse\PolicyKey.exe ()
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe (Sun Microsystems, Inc.)
    C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)
    C:\WINDOWS\SYSTEM32\ati2evxx.exe ()
    C:\WINDOWS\SYSTEM32\ati2evxx.exe ()
    C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE (Dell Computer Corporation)
    C:\WINDOWS\SYSTEM32\WLTRYSVC.EXE ()
    C:\WINDOWS\wanmpsvc.exe (America Online, Inc.)
    C:\WINDOWS\Web\aolspy.exe ()

    »»»»»»»»»»»»»»»»»»»»»»»» Win32 Services (Non-Microsoft) »»»»»»»»»»»»»»»»»»»»»»»»

    (Adobe LM Service) Adobe LM Service [Win32_Own | On_Demand | Stopped]
    = C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe (Adobe Systems)

    (AOL ACS) AOL Connectivity Service [Win32_Own | Auto | Running]
    = C:\Program Files\Common Files\AOL\ACS\acsd.exe (America Online, Inc.)

    (AOL_SpywareServ) AOL Anti-Spyware Service [Win32_Own | Auto | Running]
    = C:\WINDOWS\Web\aolspy.exe ()

    (Ati HotKey Poller) Ati HotKey Poller [Win32_Own | Auto | Running]
    = C:\WINDOWS\SYSTEM32\ati2evxx.exe ()

    (AVG Anti-Spyware Guard) AVG Anti-Spyware Guard [Win32_Own | Auto | Running]
    = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe (Anti-Malware Development a.s.)

    (Avg7Alrt) AVG7 Alert Manager Server [Win32_Own | Auto | Running]
    = C:\Program Files\Grisoft\AVG Free\avgamsvr.exe (GRISOFT, s.r.o.)

    (Avg7UpdSvc) AVG7 Update Service [Win32_Own | Auto | Running]
    = C:\Program Files\Grisoft\AVG Free\avgupsvc.exe (GRISOFT, s.r.o.)

    (AVGEMS) AVG E-mail Scanner [Win32_Own | Auto | Running]
    = C:\Program Files\Grisoft\AVG Free\avgemc.exe (GRISOFT, s.r.o.)

    (dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\dmadmin.exe (Microsoft Corp., Veritas Software)

    (gusvc) Google Updater Service [Win32_Own | On_Demand | Stopped]
    = C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe (Google)

    (IDriverT) InstallDriver Table Manager [Win32_Own | On_Demand | Stopped]
    = C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe (Macrovision Corporation)

    (WANMiniportService) WAN Miniport (ATW) Service [Win32_Own | Auto | Running]
    = C:\WINDOWS\wanmpsvc.exe (America Online, Inc.)

    (WLTRYSVC) WLTRYSVC [Win32_Own | Auto | Running]
    = C:\WINDOWS\System32\WLTRYSVC.EXE C:\WINDOWS\System32\bcmwltry.exe (File not found)

    »»»»»»»»»»»»»»»»»»»»»»»» Driver Services (Non-Microsoft) »»»»»»»»»»»»»»»»»»»»»»»»

    (Abiosdsk) Abiosdsk [Kernel | Disabled | Stopped]
    = (File not found)

    (AliIde) AliIde [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\ALIIDE.SYS (Acer Laboratories Inc.)

    (amdagp) AMD AGP Bus Filter Driver [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\amdagp.sys (Advanced Micro Devices, Inc.)

    (ApfiltrService) Alps Touch Pad Filter Driver for Windows 2000/XP [Kernel | On_Demand | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\Apfiltr.sys (Alps Electric Co., Ltd.)

    (asc) asc [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\ASC.SYS (Advanced System Products, Inc.)

    (asc3550) asc3550 [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\ASC3550.SYS (Advanced System Products, Inc.)

    (ASCTRM) ASCTRM [Kernel | Auto | Running]
    = C:\WINDOWS\System32\drivers\asctrm.sys (Windows (R) 2000 DDK provider)

    (Atdisk) Atdisk [Kernel | Disabled | Stopped]
    = (File not found)

    (ati2mtag) ati2mtag [Kernel | On_Demand | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\ati2mtag.sys (ATI Technologies Inc.)

    (AVG Anti-Spyware Driver) AVG Anti-Spyware Driver [Kernel | System | Running]
    = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ()

    (Avg7Core) AVG7 Kernel [Kernel | System | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys (GRISOFT, s.r.o.)

    (Avg7RsW) AVG7 Wrap Driver [Kernel | System | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsw.sys (GRISOFT, s.r.o.)

    (Avg7RsXP) AVG7 Resident Driver XP [Kernel | System | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys (GRISOFT, s.r.o.)

    (AvgAsCln) AVG Anti-Spyware Clean Driver [Kernel | System | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys (GRISOFT, s.r.o.)

    (AvgClean) AVG7 Clean Driver [Kernel | System | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\avgclean.sys (GRISOFT, s.r.o.)

    (AvgTdi) AVG Network Redirector [Kernel | Auto | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\avgtdi.sys (GRISOFT, s.r.o.)

    (BCM43XX) Dell Wireless WLAN Card Driver [Kernel | On_Demand | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\BCMWL5.SYS (Broadcom Corporation)

    (bcm4sbxp) Broadcom 440x 10/100 Integrated Controller XP Driver [Kernel | On_Demand | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\bcm4sbxp.sys (Broadcom Corporation)

    (BCMModem) BCM V.92 56K Modem [Kernel | On_Demand | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\BCMSM.sys (Broadcom Corporation)

    (bvrp_pci) bvrp_pci [Kernel | On_Demand | Stopped]
    = (File not found)

    (cdspacex) cdspacex [Kernel | On_Demand | Stopped]
    = System32\DRIVERS\CDSPACEX.sys (File not found)

    (Changer) Changer [Kernel | System | Stopped]
    = (File not found)

    (CmdIde) CmdIde [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\CMDIDE.SYS (CMD Technology, Inc.)

    (dac2w2k) dac2w2k [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\DAC2W2K.SYS (Mylex Corporation)

    (dmboot) dmboot [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\dmboot.sys (Microsoft Corp., Veritas Software)

    (dmio) dmio [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\dmio.sys (Microsoft Corp., Veritas Software)

    (dmload) dmload [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\DMLOAD.SYS (Microsoft Corp., Veritas Software.)

    (drvmcdb) drvmcdb [Kernel | Boot | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\drvmcdb.sys (Sonic Solutions)

    (drvnddm) drvnddm [File_System | Auto | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\drvnddm.sys (Sonic Solutions)

    (EL90XBC) 3Com EtherLink XL 90XB/C Adapter Driver [Kernel | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\EL90XBC5.SYS (3Com Corporation)

    (Heldfn94a) Heldfn94a [Kernel | Disabled | Stopped]
    = (File not found)

    (i81x) i81x [Kernel | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\i81xnt5.sys (Intel(R) Corporation)

    (iAimFP0) iAimFP0 [Kernel | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\wadv01nt.sys (Intel(R) Corporation)

    (iAimFP1) iAimFP1 [Kernel | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\wadv02nt.sys (Intel(R) Corporation)

    (iAimFP2) iAimFP2 [Kernel | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\wadv05nt.sys (Intel(R) Corporation)

    (iAimFP3) iAimFP3 [Kernel | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\wsiintxx.sys (Intel(R) Corporation)

    (iAimFP4) iAimFP4 [Kernel | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\wvchntxx.sys (Intel(R) Corporation)

    (iAimTV0) iAimTV0 [Kernel | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\watv01nt.sys (Intel(R) Corporation)

    (iAimTV1) iAimTV1 [Kernel | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\watv02nt.sys (Intel(R) Corporation)

    (iAimTV2) iAimTV2 [Kernel | On_Demand | Stopped]
    = System32\DRIVERS\wATV03nt.sys (File not found)

    (iAimTV3) iAimTV3 [Kernel | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\watv04nt.sys (Intel(R) Corporation)

    (iAimTV4) iAimTV4 [Kernel | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\wch7xxnt.sys (Intel(R) Corporation)

    (lbrtfdc) lbrtfdc [Kernel | System | Stopped]
    = (File not found)

    (MDC8021X) AEGIS Protocol (IEEE 802.1x) v2.3.1.7 [Kernel | Auto | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\mdc8021x.sys (Meetinghouse Data Communications)

    (mraid35x) mraid35x [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\MRAID35X.SYS (American Megatrends Inc.)

    (nv) nv [Kernel | On_Demand | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\nv4_mini.sys (NVIDIA Corporation)

    (omci) OMCI WDM Device Driver [Kernel | System | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\omci.sys (Dell Inc)

    (PCIDump) PCIDump [Kernel | System | Stopped]
    = (File not found)

    (PDCOMP) PDCOMP [Kernel | On_Demand | Stopped]
    = (File not found)

    (PDFRAME) PDFRAME [Kernel | On_Demand | Stopped]
    = (File not found)

    (PDRELI) PDRELI [Kernel | On_Demand | Stopped]
    = (File not found)

    (PDRFRAME) PDRFRAME [Kernel | On_Demand | Stopped]
    = (File not found)

    (pfc) Padus ASPI Shell [Kernel | On_Demand | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\pfc.sys (Padus, Inc.)

    (Ptilink) Direct Parallel Link Driver [Kernel | On_Demand | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\PTILINK.SYS (Parallel Technologies, Inc.)

    (PxHelp20) PxHelp20 [Kernel | Boot | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\pxhelp20.sys (Sonic Solutions)

    (ql1080) ql1080 [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\QL1080.SYS (QLogic Corporation)

    (ql12160) ql12160 [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\QL12160.SYS (QLogic Corporation)

    (ql1280) ql1280 [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\QL1280.SYS (QLogic Corporation)

    (SCDEmu) SCDEmu [Kernel | System | Running]
    = C:\WINDOWS\System32\drivers\scdemu.sys (PowerISO Computing, Inc.)

    (Secdrv) Secdrv [Kernel | Auto | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\secdrv.sys ()

    (Simbad) Simbad [Kernel | Disabled | Stopped]
    = (File not found)

    (sisagp) SIS AGP Bus Filter [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\sisagp.sys (Silicon Integrated Systems Corporation)

    (Sparrow) Sparrow [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\SPARROW.SYS (Adaptec, Inc.)

    (sscdbhk5) sscdbhk5 [File_System | System | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\sscdbhk5.sys (Sonic Solutions)

    (ssrtln) ssrtln [File_System | System | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\ssrtln.sys (Sonic Solutions)

    (STAC97) Audio Driver (WDM) - SigmaTel CODEC [Kernel | On_Demand | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\stac97.sys (SigmaTel, Inc.)

    (symc810) symc810 [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\SYMC810.SYS (Symbios Logic Inc.)

    (symc8xx) symc8xx [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\SYMC8XX.SYS (LSI Logic)

    (sym_hi) sym_hi [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\SYM_HI.SYS (LSI Logic)

    (sym_u3) sym_u3 [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\SYM_U3.SYS (LSI Logic)

    (tfsnboio) tfsnboio [File_System | Auto | Running]
    = C:\WINDOWS\SYSTEM32\dla\tfsnboio.sys (Sonic Solutions)

    (tfsncofs) tfsncofs [File_System | Auto | Running]
    = C:\WINDOWS\SYSTEM32\dla\tfsncofs.sys (Sonic Solutions)

    (tfsndrct) tfsndrct [File_System | Auto | Running]
    = C:\WINDOWS\SYSTEM32\dla\tfsndrct.sys (Sonic Solutions)

    (tfsndres) tfsndres [File_System | Auto | Running]
    = C:\WINDOWS\SYSTEM32\dla\tfsndres.sys (Sonic Solutions)

    (tfsnifs) tfsnifs [File_System | Auto | Running]
    = C:\WINDOWS\SYSTEM32\dla\tfsnifs.sys (Sonic Solutions)

    (tfsnopio) tfsnopio [File_System | Auto | Running]
    = C:\WINDOWS\SYSTEM32\dla\tfsnopio.sys (Sonic Solutions)

    (tfsnpool) tfsnpool [File_System | Auto | Running]
    = C:\WINDOWS\SYSTEM32\dla\tfsnpool.sys (Sonic Solutions)

    (tfsnudf) tfsnudf [File_System | Auto | Running]
    = C:\WINDOWS\SYSTEM32\dla\tfsnudf.sys (Sonic Solutions)

    (tfsnudfa) tfsnudfa [File_System | Auto | Running]
    = C:\WINDOWS\SYSTEM32\dla\tfsnudfa.sys (Sonic Solutions)

    (TwoRabts) Two Rabbits Live Bus [Kernel | On_Demand | Stopped]
    = System32\DRIVERS\TwoRabts.sys (File not found)

    (ultra) ultra [Kernel | Disabled | Stopped]
    = C:\WINDOWS\SYSTEM32\DRIVERS\ULTRA.SYS (Promise Technology, Inc.)

    (vsdatant) vsdatant [Kernel | Disabled | Stopped]
    = (File not found)

    (wanatw) WAN Miniport (ATW) [Kernel | On_Demand | Running]
    = C:\WINDOWS\SYSTEM32\DRIVERS\wanatw4.sys (America Online, Inc.)

    (WDICA) WDICA [Kernel | On_Demand | Stopped]
    = (File not found)

    »»»»»»»»»»»»»»»»»»»»»»»» Registry Items (Non-Microsoft) »»»»»»»»»»»»»»»»»»»»»»»»
  • edited June 2007
    >>>>> Run Keys and Auto-Start Folders <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    AVG7_CC = C:\Program Files\Grisoft\AVG Free\avgcc.exe (GRISOFT, s.r.o.)
    HydraVisionDesktopManager = C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe (ATI Technologies Inc.)
    QuickTime Task = C:\Program Files\QuickTime\qttask.exe (Apple Computer, Inc.)
    SunJavaUpdateSched = C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe (Sun Microsystems, Inc.)
    tgcmd = C:\Program Files\Support.com\bin\tgcmd.exe (File not found)

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    Aim6 = C:\Program Files\AIM6\aim6.exe (AOL LLC)
    BitTorrent = C:\Program Files\BitTorrent\bittorrent.exe ()
    DNA = C:\Program Files\BitTorrent_DNA\dna.exe ()
    swg = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (Google Inc.)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx]*


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
    iqptn = C:\WINDOWS\SYSTEM32\iqptn.exe ()

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    Installed = 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    Installed = 1
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    Installed = 1

    < Common Startup Folder = C:\Documents and Settings\All Users\Start Menu\Programs\Startup >
    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\DESKTOP.INI ()

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\PolicyKey.lnk
    = C:\Program Files\Impulse\PolicyKey.exe ()

    < User Startup Folder = C:\Documents and Settings\Christopher\Start Menu\Programs\Startup >
    C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\Adobe Gamma.lnk
    C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)

    C:\Documents and Settings\Christopher\Start Menu\Programs\Startup\DESKTOP.INI ()

    >>>>> MsConfig Disabled Items <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig]*

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg]
    key = SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    item =
    hkey = HKLM
    command =
    inimapping = 0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\state]
    system.ini = 0
    win.ini = 0
    bootini = 0
    services = 0
    startup = 0

    >>>>> Disabled Startup Folder Items <<<<<

    >>>>> Items Started Through Miscellaneous Registry Keys <<<<<


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    {57B86673-276A-48B2-BAE7-C6DBB3020EB8} = AVG Anti-Spyware 7.5 ( HKLM = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll (Anti-Malware Development a.s.) )


    >>>>> Winlogon Keys <<<<<


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\AtiExtEvent]
    DllName = C:\WINDOWS\SYSTEM32\ati2evxx.dll ()

    >>>>> HOSTS File <<<<<

    HOSTS file found at: C:\WINDOWS\System32\drivers\etc\Hosts (Size: 686 bytes | Modified Date: 6/7/2007 2:38:06 PM)
    127.0.0.1 localhost

    >>>>> Desktop Components <<<<<

    >>>>> Internet Explorer Settings <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main]
    Default_Page_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
    Default_Search_URL = http://www.google.com/ie
    Local Page = C:\WINDOWS\system32\blank.htm
    Search Bar = http://home.microsoft.com/search/lobby/search.asp
    Search Page = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    Start Page = about:blank

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Search]
    CustomizeSearch = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchcust.htm
    Default_Search_URL = http://www.google.com/ie
    SearchAssistant = http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main]
    Default_Search_URL = http://home.microsoft.com/search/search.asp
    Local Page = C:\WINDOWS\system32\blank.htm
    Search Bar = http://www.google.com/ie
    Search Page = http://www.google.com
    Start Page = http://www.yahoo.com/

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Search]
    SearchAssistant = http://www.google.com/ie


    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
    ProxyEnable = 0

    >>>>> Browser Helper Objects <<<<<

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    - AcroIEHlprObj Class ( HKLM = C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx () )

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    - Reg Data - Value does not exist ( HKLM = C:\Program Files\Spybot - Search & Destroy\SDHelper.dll (Safer Networking Limited) )

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{5CA3D70E-1895-11CF-8E15-001234567890}]
    - DriveLetterAccess ( HKLM = C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions) )

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    - SSVHelper Class ( HKLM = C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.) )

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C554162-8CB7-45A4-B8F4-8EA1C75885F9}]
    - AOL Toolbar Launcher ( HKLM = C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (America Online, Inc.) )

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    - Google Toolbar Helper ( HKLM = c:\program files\Google\googletoolbar2.dll (Google Inc.) )

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}]
    - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

    >>>>> HKLM Internet Explorer Bars <<<<<

    >>>>> HKCU Internet Explorer Bars <<<<<

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Explorer Bars\{32683183-48a0-441b-a342-7c2a440a9478}]
    - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )

    >>>>> HKLM Internet Explorer ToolBars <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar]
    {2318C2B1-4965-11d4-9B18-009027A5CD4F} - &Google ( HKLM = c:\program files\Google\googletoolbar2.dll (Google Inc.) )
    {DE9C389F-3316-41A7-809B-AA305ED9D922} - AOL Toolbar ( HKLM = C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (America Online, Inc.) )

    >>>>> HKCU Internet Explorer ToolBars <<<<<

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\ToolBar\WebBrowser]
    {2318C2B1-4965-11D4-9B18-009027A5CD4F} - &Google ( HKLM = c:\program files\Google\googletoolbar2.dll (Google Inc.) )
    {4E7BD74F-2B8D-469E-93BE-BE2DF4D9AE29} - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
    {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
    {DE9C389F-3316-41A7-809B-AA305ED9D922} - AOL Toolbar ( HKLM = C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (America Online, Inc.) )

    >>>>> HKCU Internet Explorer CmdMapping <<<<<

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping]
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501} = 8192 - Web Browser Applet Control ( HKLM = C:\WINDOWS\System32\msjava.dll (File not found) )
    {3369AF0D-62E9-4bda-8103-B4C75499B578} = 8200 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
    {6685509E-B47B-4f47-8E16-9A5F3A62F683} = 8197 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
    {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} = 8195 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
    {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} = 8196 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
    {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} = 8194 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
    {FB5F1910-F110-11d2-BB9E-00C04F795683} = 8198 - Reg Data - Key not found ( HKLM = Reg Data - Key not found (File not found) )
    NextId = 8201

    >>>>> HKLM Internet Explorer Extensions <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{08B0E5C0-4FCB-11CF-AAA5-00401C608501}]
    MenuText = Sun Java Console
    ClsidExtension = {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - Java Plug-in 1.6.0_01 ( HKLM C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll (Sun Microsystems, Inc.) )
    ClsidExtension = {CAFEEFAC-0016-0000-0001-ABCDEFFEDCBC} - Java Plug-in 1.6.0_01 ( HKCU C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll (Sun Microsystems, Inc.) )

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{3369AF0D-62E9-4bda-8103-B4C75499B578}]
    ButtonText = AOL Toolbar
    ClsidExtension = {DE9C389F-3316-41A7-809B-AA305ED9D922} - AOL Toolbar ( HKLM C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll (America Online, Inc.) )

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{AC9E2541-2814-11d5-BC6D-00B0D0A1DE45}]
    ButtonText = AIM
    Exec = C:\Program Files\AIM\aim.exe (America Online, Inc.)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\{CD67F990-D8E9-11d2-98FE-00C0F0318AFE}]
    ButtonText = Real.com

    >>>>> HKCU Internet Explorer Menu Extensions <<<<<

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&AIM Search]
    @ = C:\Program Files\AIM Toolbar\AIMBar.dll\aimsearch.htm (File not found)

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\&AOL Toolbar Search]
    @ = c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.htm (File not found)

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open Client to monitor &1]
    @ = C:\WINDOWS\Web\AOpenClient.htm ()

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\MenuExt\Open Client to monitor &2]
    @ = C:\WINDOWS\Web\AOpenClient.htm ()

    >>>>> HKLM Internet Explorer Plugins Extensions <<<<<

    >>>>> HKLM Approved Shell Extensions <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
    {00E7B358-F65B-4dcf-83DF-CD026B94BFD4} = Shell Autoplay for Slideshow ( HKLM = Reg Data - Key not found (File not found) )
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} = Taskbar and Start Menu ( HKLM = Reg Data - Key not found (File not found) )
    {32683183-48a0-441b-a342-7c2a440a9478} = Media Band ( CLSID not found! )
    {42071714-76d4-11d1-8b24-00a0c9068ff3} = Display Panning CPL Extension ( HKLM = deskpan.dll (File not found) )
    {45AC2688-0253-4ED8-97DE-B5370FA7D48A} = Shell Extension for Malware scanning ( CLSID not found! )
    {5CA3D70E-1895-11CF-8E15-001234567890} = DriveLetterAccess ( HKLM = C:\WINDOWS\SYSTEM32\dla\tfswshx.dll (Sonic Solutions) )
    {764BF0E1-F219-11ce-972D-00AA00A14F56} = Shell extensions for file compression ( CLSID not found! )
    {7A9D77BD-5403-11d2-8785-2E0420524153} = User Accounts ( HKLM = Reg Data - Key not found (File not found) )
    {853FE2B1-B769-11d0-9C4E-00C04FB6C6FA} = Encryption Context Menu ( CLSID not found! )
    {88895560-9AA2-1069-930E-00AA0030EBC8} = HyperTerminal Icon Ext ( HKLM = C:\WINDOWS\System32\hticons.dll (File not found) )
    {955B7B84-5308-419c-8ED8-0B9CA3C56985} = 6 Months of AOL Included ( HKLM = C:\Program Files\Common Files\aolshare\shell\us\shellext.dll (America Online, Inc.) )
    {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} = PowerISO ( HKLM = C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) )
    {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = AVG7 Shell Extension Class ( HKLM = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.) )
    {9F97547E-460A-42C5-AE0C-81C61FFAEBC3} = AVG7 Find Extension Class ( HKLM = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.) )
    {DEE12703-6333-4D4E-8F34-738C4DCC2E04} = RecordNow! SendToExt ( HKLM = C:\Program Files\Sonic\RecordNow!\shlext.dll () )

    >>>>> HKCU Approved Shell Extensions <<<<<

    >>>>> Context Menu Handlers / Column Handlers <<<<<

    [HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\AVG Anti-Spyware]
    @ = {8934FCEF-F5B8-468f-951F-78A921CD3920} ( HKLM = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.) )

    [HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\AVG7 Shell Extension]
    @ = {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} ( HKLM = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.) )

    [HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\PowerISO]
    @ = {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} ( HKLM = C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) )

    [HKEY_LOCAL_MACHINE\Software\Classes\*\shellex\ContextMenuHandlers\WinRAR]
    @ = Reg Data - Value does not exist ( HKLM = Reg Data - Key not found (File not found) )

    [HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\AVG Anti-Spyware]
    @ = {8934FCEF-F5B8-468f-951F-78A921CD3920} ( HKLM = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll (Anti-Malware Development a.s.) )

    [HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\PowerISO]
    @ = {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} ( HKLM = C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) )

    [HKEY_LOCAL_MACHINE\Software\Classes\Directory\shellex\ContextMenuHandlers\WinRAR]
    @ = Reg Data - Value does not exist ( HKLM = Reg Data - Key not found (File not found) )

    [HKEY_LOCAL_MACHINE\Software\Classes\Folder\shell\Browse with Paint Shop Pro 8\command]
    @ = "C:\Program Files\Jasc Software Inc\Paint Shop Pro 8\\Paint Shop Pro.exe" "/Browse" "%L" (C:\Program Files\Jasc Software Inc\Paint Shop Pro 8\Paint Shop Pro.exe (Jasc Software, Inc.))

    [HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\AVG7 Shell Extension]
    @ = {9F97547E-4609-42C5-AE0C-81C61FFAEBC3} ( HKLM = C:\Program Files\Grisoft\AVG Free\avgse.dll (GRISOFT, s.r.o.) )

    [HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\PowerISO]
    @ = {967B2D40-8B7D-4127-9049-61EA0C2C6DCE} ( HKLM = C:\Program Files\PowerISO\PWRISOSH.DLL (PowerISO Computing, Inc.) )

    [HKEY_LOCAL_MACHINE\Software\Classes\Folder\shellex\ContextMenuHandlers\WinRAR]
    @ = Reg Data - Value does not exist ( HKLM = Reg Data - Key not found (File not found) )

    >>>>> Policy Keys <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum]
    {BDEADF00-C265-11D0-BCED-00A0C90AB50F} = 1
    {6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} = 1073741857
    {0DF44EAA-FF21-4412-828E-260A8728E7F1} = 32

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    dontdisplaylastusername = 0
    legalnoticecaption =
    legalnoticetext =
    shutdownwithoutlogon = 1
    undockwithoutlogon = 1

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies]*

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
    NoDriveTypeAutoRun = 145

    [HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer]*
  • edited June 2007
    >>>>> Security Providers <<<<<

    >>>>> Session Manager Settings <<<<<

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
    BootExecute = autocheck autochk *;
    ExcludeFromKnownDlls =


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment]
    ComSpec = %SystemRoot%\system32\cmd.exe ( C:\WINDOWS\SYSTEM32\cmd.exe (Microsoft Corporation) )
    TEMP = %SystemRoot%\TEMP
    TMP = %SystemRoot%\TEMP
    windir = %SystemRoot%

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\Path]
    %SystemRoot%\system32
    %SystemRoot%
    %SystemRoot%\System32\Wbem
    C:\Program Files\ATI Technologies\ATI Control Panel
    C:\PROGRA~1\COMMON~1\SONICS~1\
    C:\Program Files\Common Files\Adobe\AGL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\\PATHEXT]
    .COM
    .EXE
    .BAT
    .CMD
    .VBS
    .VBE
    .JS
    .JSE
    .WSF
    .WSH

    >>>>> WOW Settings <<<<<

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WOW]
    cmdline = %SystemRoot%\system32\ntvdm.exe
    wowcmdline = %SystemRoot%\system32\ntvdm.exe -a %SystemRoot%\system32\krnl386

    >>>>> User Agent Post Platform <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform]
    sv1 =

    >>>>> File Associations <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>\]
    .bat [@ = batfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
    .cmd [@ = cmdfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
    .com [@ = comfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
    .cpl [@ = cplfile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
    .exe [@ = exefile] -> PersistentHandler = {098f2470-bae0-11cd-b579-08002b30bfeb}
    .hta [@ = htafile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
    .html [@ = htmlfile] -> PersistentHandler = {eec97550-47a9-11cf-b952-00aa0051fe20}
    .inf [@ = inffile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
    .ini [@ = inifile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
    .url [@ = InternetShortcut] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
    .js [@ = JSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
    .jse [@ = JSEFile] -> PersistentHandler = Reg Data - Key not found
    .pif [@ = piffile] -> PersistentHandler = Reg Data - Key not found
    .reg [@ = regfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
    .scr [@ = scrfile] -> PersistentHandler = Reg Data - Key not found
    .txt [@ = txtfile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
    .vbe [@ = VBEFile] -> PersistentHandler = Reg Data - Key not found
    .vbs [@ = VBSFile] -> PersistentHandler = {5e941d80-bf96-11cd-b579-08002b30bfeb}
    .wsf [@ = WSFFile] -> PersistentHandler = Reg Data - Key not found
    .wsh [@ = WSHFile] -> PersistentHandler = Reg Data - Key not found

    >>>>> Registry Shell Spawning <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
    batfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
    batfile [open] -> "%1" %* (File not found)
    batfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

    cmdfile [edit] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
    cmdfile [open] -> "%1" %* (File not found)
    cmdfile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

    comfile [open] -> "%1" %* (File not found)

    cplfile [cplopen] -> rundll32.exe shell32.dll,Control_RunDLL "%1",%* (Microsoft Corporation)

    exefile [open] -> "%1" %* (File not found)

    htafile [open] -> C:\WINDOWS\system32\mshta.exe "%1" %* (Microsoft Corporation)

    htmlfile [edit] -> "C:\Program Files\Microsoft Office\Office10\msohtmed.exe" %1 (Microsoft Corporation)
    htmlfile [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" "%1" (Microsoft Corporation)
    htmlfile [opennew] -> "C:\Program Files\Internet Explorer\iexplore.exe" "%1" (Microsoft Corporation)
    htmlfile [print] -> rundll32.exe %SystemRoot%\system32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

    http [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" "%1" (Microsoft Corporation)

    https [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" -nohome (Microsoft Corporation)

    inffile [install] -> %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1 (Microsoft Corporation)
    inffile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
    inffile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

    inifile [open] -> %SystemRoot%\System32\NOTEPAD.EXE %1 (Microsoft Corporation)
    inifile [print] -> %SystemRoot%\System32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

    InternetShortcut [open] -> rundll32.exe shdocvw.dll,OpenURL "%l" (Microsoft Corporation)
    InternetShortcut [print] -> rundll32.exe %SystemRoot%\System32\mshtml.dll,PrintHTML "%1" (Microsoft Corporation)

    jsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
    jsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
    jsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

    jsefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
    jsefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
    jsefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

    piffile [open] -> "%1" %* (File not found)

    regfile [edit] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
    regfile [open] -> regedit.exe "%1" (Microsoft Corporation)
    regfile [merge] -> Reg Data - Key not found
    regfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)

    scrfile [config] -> "%1" (File not found)
    scrfile [install] -> rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
    scrfile [open] -> "%1" /S (File not found)

    txtfile [edit] -> Reg Data - Key not found
    txtfile [open] -> %SystemRoot%\system32\NOTEPAD.EXE %1 (Microsoft Corporation)
    txtfile [print] -> %SystemRoot%\system32\NOTEPAD.EXE /p %1 (Microsoft Corporation)
    txtfile [printto] -> %SystemRoot%\system32\notepad.exe /pt "%1" "%2" "%3" "%4" (Microsoft Corporation)

    vbefile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
    vbefile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
    vbefile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

    vbsfile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
    vbsfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
    vbsfile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

    wsffile [edit] -> %SystemRoot%\System32\Notepad.exe %1 (Microsoft Corporation)
    wsffile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)
    wsffile [print] -> %SystemRoot%\System32\Notepad.exe /p %1 (Microsoft Corporation)

    wshfile [open] -> %SystemRoot%\System32\WScript.exe "%1" %* (Microsoft Corporation)

    Unknown [openas] -> %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1 (Microsoft Corporation)

    Directory [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

    Folder [open] -> %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
    Folder [explore] -> %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)

    Drive [find] -> %SystemRoot%\Explorer.exe (Microsoft Corporation)

    Applications\iexplore.exe [open] -> "C:\Program Files\Internet Explorer\iexplore.exe" "%1" (Microsoft Corporation)

    CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -> "%programfiles%\internet explorer\iexplore.exe" (File not found)
    >>>>> ActiveX StubPath settings <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2179C5D3-EBFF-11CF-B6FD-00AA00B4E220}]
    StubPath =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}]
    StubPath = %SystemRoot%\system32\regsvr32.exe /s /n /i:/UserInstall %SystemRoot%\system32\themeui.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}]
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{44BBA842-CC51-11CF-AAFA-00AA00B6015B}]
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{4b218e3e-bc98-4770-93d3-2731b9329278}]
    StubPath = %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection MarketplaceLinkInstall 896 %systemroot%\inf\ie.inf

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{5945c046-1e7d-11d1-bc44-00c04fd912be}]
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\msmsgs.inf,BLC.QuietInstall.PerUser

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}]
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\wmp11.inf,PerUserStub

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{73FA19D0-2D75-11D2-995D-00C04F98BBC9}]
    StubPath =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{7790769C-0471-11d2-AF11-00C04FA35D02}]
    StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}]
    StubPath = regsvr32.exe /s /n /i:U shell32.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}]
    StubPath = %SystemRoot%\system32\ie4uinit.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}]
    StubPath = C:\WINDOWS\system32\Rundll32.exe C:\WINDOWS\system32\mscories.dll,Install

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{8b15971b-5355-4c82-8c07-7e181ea07608}]
    StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINDOWS\INF\fxsocm.inf,Fax.Install.PerUser

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{94de52c8-2d59-4f1b-883e-79663d2d9a8c}]
    StubPath =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{22d6f312-b0f6-11d0-94ab-0080c74c7e95}]
    StubPath = C:\WINDOWS\inf\unregmp2.exe /ShowWMP

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}]
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigIE

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{60B49E34-C7CC-11D0-8953-00A0C90347FF}MICROS]
    StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}]
    StubPath = %systemroot%\system32\shmgrate.exe OCInstallUserConfigOE

    >>>>> TCP/IP Configuration <<<<<

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0DDAE76C-5EFC-45E9-8D1F-592EF2E54C8F}] ( Broadcom 440x 10/100 Integrated Controller )
    DefaultGateway =
    DhcpIPAddress = 192.168.1.47
    DhcpServer = 192.168.1.1
    DhcpSubnetMask = 255.255.255.0
    Domain =
    EnableDHCP = 1
    IPAddress = 0.0.0.0;
    IPAutoconfigurationAddress = 0.0.0.0
    NameServer =
    SubnetMask = 0.0.0.0;

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BAE34688-EB7C-42EB-9F95-0362B03312B8}] ( Dell Wireless WLAN 1350 WLAN Mini-PCI Card )
    DefaultGateway =
    DhcpDefaultGateway = 192.168.1.1;
    DhcpIPAddress = 192.168.1.47
    DhcpNameServer = 192.168.1.1 192.168.1.1
    DhcpServer = 192.168.1.1
    DhcpSubnetMask = 255.255.255.0
    Domain =
    EnableDHCP = 1
    IPAddress = 0.0.0.0;
    IPAutoconfigurationAddress = 0.0.0.0
    NameServer =
    SubnetMask = 0.0.0.0;

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{CFFCFB17-B224-418E-89E9-E413CE095383}] ( 1394 Net Adapter )
    DefaultGateway =
    Domain =
    EnableDHCP = 1
    IPAddress = 0.0.0.0;
    NameServer =
    SubnetMask = 0.0.0.0;

    >>>>> WinSock2 Parameters <<<<<

    >>>>> Default Protocols [HKLM] <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProtocolDefaults]
    @ivt - (Cannot locate Zone: 1)
    file - (Cannot locate Zone: 3)
    ftp - (Cannot locate Zone: 3)
    http - (Cannot locate Zone: 3)
    https - (Cannot locate Zone: 3)
    shell - (Cannot locate Zone: 0)

    >>>>> Protocol Handlers <<<<<

    >>>>> Protocol Filters <<<<<

    >>>>> Downloaded Program Files <<<<<

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{01012101-5E80-11D8-9E86-0007E96C65AE}\DownloadInformation]
    CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    INF = C:\WINDOWS\Downloaded Program Files\tgctlsr.inf

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{01113300-3E00-11D2-8470-0060089874ED}\DownloadInformation]
    CODEBASE = https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    INF = C:\WINDOWS\Downloaded Program Files\tgctlcm.inf

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}\DownloadInformation]
    CODEBASE = http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    INF = C:\WINDOWS\Downloaded Program Files\kavwebscan.inf

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{17492023-C23A-453E-A040-C7C580BBF700}\DownloadInformation]
    CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204
    INF = C:\WINDOWS\Downloaded Program Files\LegitCheckControl.inf

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{1F2F4C9E-6F09-47BC-970D-3C54734667FE}\DownloadInformation]
    CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    INF = C:\WINDOWS\Downloaded Program Files\LSSupCtl.inf

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{4B48D5DF-9021-45F7-A240-60304302A215}\DownloadInformation]
    CODEBASE = http://download.microsoft.com/download/b/d/b/bdb4e4ee-63b2-45ff-9d84-33205bf43143/WebCleaner.cab
    INF = C:\WINDOWS\Downloaded Program Files\WebCleaner.inf

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{5F8469B4-B055-49DD-83F7-62B522420ECC}\DownloadInformation]
    CODEBASE = http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    INF = C:\WINDOWS\Downloaded Program Files\FacebookPhotoUploader.inf

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{6E32070A-766D-4EE6-879C-DC1FA91D2FC3}\DownloadInformation]
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146318712046
    INF = C:\WINDOWS\Downloaded Program Files\muweb.inf

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{8AD9C840-044E-11D1-B3E9-00805F499D93}\DownloadInformation]
    CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    INF =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{9A9307A0-7DA4-4DAF-B042-5009F29E09E1}\DownloadInformation]
    CODEBASE = http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    INF = C:\WINDOWS\Downloaded Program Files\asinst.inf

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{B38870E4-7ECB-40DA-8C6A-595F0A5519FF}\DownloadInformation]
    CODEBASE = http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    INF = C:\WINDOWS\Downloaded Program Files\MsnMessengerSetupDownloader.inf

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBA}\DownloadInformation]
    CODEBASE = http://java.sun.com/update/1.5.0/jinstall-1_5_0_11-windows-i586.cab
    INF =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-0016-0000-0001-ABCDEFFEDCBA}\DownloadInformation]
    CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    INF =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA}\DownloadInformation]
    CODEBASE = http://java.sun.com/update/1.6.0/jinstall-1_6_0_01-windows-i586.cab
    INF =

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{CE28D5D2-60CF-4C7D-9FE8-0F47A3308078}\DownloadInformation]
    CODEBASE = http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{D27CDB6E-AE6D-11CF-96B8-444553540000}\DownloadInformation]
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
    INF = C:\WINDOWS\Downloaded Program Files\swflash.inf
    >>>>> Files / Folders Created Within 60 Days <<<<<

    C:\SDFix [Folder | Created Date = 6/5/2007 9:45:56 AM | Attr = ]
    C:\Documents and Settings\All Users\Application Data\Google [Folder | Created Date = 4/15/2007 5:08:21 PM | Attr = ]
    C:\Documents and Settings\Christopher\Application Data\DNA [Folder | Created Date = 5/14/2007 11:52:27 AM | Attr = ]
    C:\Documents and Settings\Christopher\Application Data\Google [Folder | Created Date = 4/20/2007 1:34:47 PM | Attr = ]
    C:\Documents and Settings\Christopher\Application Data\Mozilla [Folder | Created Date = 5/14/2007 12:02:18 PM | Attr = ]
    C:\Documents and Settings\Christopher\Local Settings\Application Data\DNA [Folder | Created Date = 5/14/2007 11:52:27 AM | Attr = ]
    C:\Documents and Settings\Christopher\Local Settings\Application Data\Google [Folder | Created Date = 4/20/2007 1:34:47 PM | Attr = ]
    C:\Documents and Settings\Christopher\Local Settings\Application Data\Mozilla [Folder | Created Date = 5/14/2007 12:02:18 PM | Attr = ]
    C:\Documents and Settings\CHRIST~1\My Documents\Psychonalisis.doc [Ver = | Size = 26624 bytes | Created Date = 5/29/2007 10:31:26 PM | Attr = ]
    C:\Documents and Settings\All Users\Desktop\BitTorrent.lnk [Ver = | Size = 706 bytes | Created Date = 5/14/2007 11:53:42 AM | Attr = ]
    C:\Documents and Settings\All Users\Desktop\Modzilla FireFox.lnk [Ver = | Size = 1602 bytes | Created Date = 5/14/2007 12:02:13 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\2007-04-01 [Folder | Created Date = 5/14/2007 11:57:55 AM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Alim's story [Folder | Created Date = 4/26/2007 6:41:51 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\ComboFix.exe [Ver = | Size = 1105326 bytes | Created Date = 6/5/2007 10:09:21 AM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\FixServices.bat [Ver = | Size = 59 bytes | Created Date = 6/5/2007 9:44:20 AM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\fsbl.exe F-Secure Corporation [Ver = 2, 2, 1061, 0 | Size = 899952 bytes | Created Date = 6/7/2007 1:47:25 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Logs [Folder | Created Date = 6/7/2007 5:52:36 AM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Resume.doc [Ver = | Size = 34816 bytes | Created Date = 5/21/2007 12:50:00 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Shirikye Revised [Folder | Created Date = 4/29/2007 7:42:46 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\The Three Kingdoms [Folder | Created Date = 4/19/2007 12:29:17 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\WinPFind [Folder | Created Date = 6/9/2007 2:13:43 PM | Attr = ]
    C:\Program Files\Common Files\SupportSoft [Folder | Created Date = 5/12/2007 9:14:12 AM | Attr = ]
    C:\WINDOWS\$NtUninstallKB927891$ [Folder | Created Date = 5/22/2007 1:24:18 PM | Attr = H ]
    C:\WINDOWS\$NtUninstallKB930178$ [Folder | Created Date = 4/11/2007 8:42:37 AM | Attr = H ]
    C:\WINDOWS\$NtUninstallKB930916$ [Folder | Created Date = 5/10/2007 8:33:04 PM | Attr = H ]
    C:\WINDOWS\$NtUninstallKB931261$ [Folder | Created Date = 4/11/2007 8:42:44 AM | Attr = H ]
    C:\WINDOWS\$NtUninstallKB931768$ [Folder | Created Date = 5/10/2007 8:33:42 PM | Attr = H ]
    C:\WINDOWS\$NtUninstallKB931784$ [Folder | Created Date = 4/11/2007 8:42:55 AM | Attr = H ]
    C:\WINDOWS\$NtUninstallKB932168$ [Folder | Created Date = 4/11/2007 8:42:24 AM | Attr = H ]
    C:\WINDOWS\catchme.exe [Ver = | Size = 87040 bytes | Created Date = 6/5/2007 10:15:31 AM | Attr = ]
    C:\WINDOWS\erdnt [Folder | Created Date = 6/5/2007 10:11:47 AM | Attr = ]
    C:\WINDOWS\mozver.dat [Ver = | Size = 1156 bytes | Created Date = 5/17/2007 10:56:01 AM | Attr = ]
    C:\WINDOWS\nircmd.exe NirSoft [Ver = 1.85 | Size = 49152 bytes | Created Date = 6/5/2007 10:15:31 AM | Attr = ]
    C:\WINDOWS\QTFont.for [Ver = | Size = 1409 bytes | Created Date = 6/8/2007 4:08:54 PM | Attr = ]
    C:\WINDOWS\QTFont.qfn [Ver = | Size = 54156 bytes | Created Date = 6/8/2007 4:08:54 PM | Attr = H ]
    C:\WINDOWS\temp [Folder | Created Date = 6/9/2007 2:12:55 PM | Attr = ]
    C:\WINDOWS\System32\iqptn.exe [Ver = | Size = 99328 bytes | Created Date = 6/8/2007 3:56:26 PM | Attr = ]
    C:\WINDOWS\System32\java.exe Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 135168 bytes | Created Date = 4/15/2007 5:07:07 PM | Attr = ]
    C:\WINDOWS\System32\javacpl.cpl Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 69632 bytes | Created Date = 4/15/2007 5:07:07 PM | Attr = ]
    C:\WINDOWS\System32\javaw.exe Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 135168 bytes | Created Date = 4/15/2007 5:07:07 PM | Attr = ]
    C:\WINDOWS\System32\javaws.exe Sun Microsystems, Inc. [Ver = 6.0.10.6 | Size = 139264 bytes | Created Date = 4/15/2007 5:07:07 PM | Attr = ]
    C:\WINDOWS\System32\moveex.exe [Ver = | Size = 38400 bytes | Created Date = 6/5/2007 10:15:31 AM | Attr = ]
    C:\WINDOWS\System32\swreg.exe SteelWerX [Ver = 2.0.1.6 | Size = 428032 bytes | Created Date = 6/5/2007 10:15:31 AM | Attr = ]
    C:\WINDOWS\System32\swsc.exe SteelWerX [Ver = 2.0.0.0 | Size = 370688 bytes | Created Date = 6/5/2007 10:15:30 AM | Attr = ]
    C:\WINDOWS\System32\swxcacls.exe SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 6/5/2007 10:15:30 AM | Attr = ]
    C:\WINDOWS\System32\vfind.exe [Ver = | Size = 49152 bytes | Created Date = 6/5/2007 10:15:31 AM | Attr = ]

    -------------------- Files / Folders Modified Within 30 Days --------------------

    C:\$VAULT$.AVG [Folder | Modified Date = 6/5/2007 11:20:38 AM | Attr = RH ]
    C:\hiberfil.sys [Ver = | Size = 536113152 bytes | Modified Date = 6/9/2007 2:54:40 PM | Attr = HS]
    C:\Program Files [Folder | Modified Date = 6/5/2007 11:11:10 AM | Attr = ]
    C:\SDFix [Folder | Modified Date = 6/5/2007 10:46:08 AM | Attr = ]
    C:\WINDOWS [Folder | Modified Date = 6/9/2007 3:12:56 PM | Attr = ]
    C:\Documents and Settings\All Users\Application Data\Viewpoint [Folder | Modified Date = 5/13/2007 7:21:00 AM | Attr = ]
    C:\Documents and Settings\Christopher\Application Data\Adobe [Folder | Modified Date = 6/6/2007 8:57:22 PM | Attr = ]
    C:\Documents and Settings\Christopher\Application Data\AVG7 [Folder | Modified Date = 6/9/2007 2:54:58 PM | Attr = ]
    C:\Documents and Settings\Christopher\Application Data\BitTorrent [Folder | Modified Date = 5/16/2007 12:11:44 PM | Attr = ]
    C:\Documents and Settings\Christopher\Application Data\DNA [Folder | Modified Date = 6/9/2007 3:04:58 PM | Attr = ]
    C:\Documents and Settings\Christopher\Application Data\Mozilla [Folder | Modified Date = 5/14/2007 1:02:20 PM | Attr = ]
    C:\Documents and Settings\Christopher\Application Data\Viewpoint [Folder | Modified Date = 5/13/2007 7:21:00 AM | Attr = ]
    C:\Documents and Settings\Christopher\Application Data\wklnhst.dat [Ver = | Size = 41494 bytes | Modified Date = 6/9/2007 8:42:42 AM | Attr = ]
    C:\Documents and Settings\Christopher\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [Ver = | Size = 12800 bytes | Modified Date = 6/8/2007 5:15:30 PM | Attr = ]
    C:\Documents and Settings\Christopher\Local Settings\Application Data\DNA [Folder | Modified Date = 5/14/2007 12:52:28 PM | Attr = ]
    C:\Documents and Settings\Christopher\Local Settings\Application Data\IconCache.db [Ver = | Size = 4840890 bytes | Modified Date = 6/9/2007 8:49:32 AM | Attr = H ]
    C:\Documents and Settings\Christopher\Local Settings\Application Data\Microsoft [Folder | Modified Date = 5/12/2007 6:04:32 PM | Attr = ]
    C:\Documents and Settings\Christopher\Local Settings\Application Data\Mozilla [Folder | Modified Date = 5/14/2007 1:02:20 PM | Attr = ]
    C:\Documents and Settings\CHRIST~1\My Documents\AIMLogger [Folder | Modified Date = 5/17/2007 3:26:12 PM | Attr = ]
    C:\Documents and Settings\CHRIST~1\My Documents\BitTorrent Downloads [Folder | Modified Date = 5/24/2007 7:20:56 PM | Attr = ]
    C:\Documents and Settings\CHRIST~1\My Documents\My Pictures [Folder | Modified Date = 5/26/2007 3:22:06 PM | Attr = R ]
    C:\Documents and Settings\CHRIST~1\My Documents\My Sharing Folders.lnk [Ver = | Size = 574 bytes | Modified Date = 6/9/2007 6:28:08 AM | Attr = ]
    C:\Documents and Settings\CHRIST~1\My Documents\Psychonalisis.doc [Ver = | Size = 26624 bytes | Modified Date = 5/29/2007 11:31:28 PM | Attr = ]
    C:\Documents and Settings\All Users\Desktop\BitTorrent.lnk [Ver = | Size = 706 bytes | Modified Date = 5/14/2007 12:53:44 PM | Attr = ]
    C:\Documents and Settings\All Users\Desktop\Modzilla FireFox.lnk [Ver = | Size = 1602 bytes | Modified Date = 5/14/2007 1:02:14 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\2007-04-01 [Folder | Modified Date = 5/14/2007 12:57:56 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Alim's story [Folder | Modified Date = 5/14/2007 12:47:52 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Ancient times [Folder | Modified Date = 5/12/2007 3:01:34 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\College Work [Folder | Modified Date = 5/21/2007 1:50:12 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\ComboFix.exe [Ver = | Size = 1105326 bytes | Modified Date = 6/5/2007 11:09:24 AM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\FF Music [Folder | Modified Date = 6/7/2007 6:51:46 AM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\FixServices.bat [Ver = | Size = 59 bytes | Modified Date = 6/9/2007 3:07:50 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\fsbl.exe F-Secure Corporation [Ver = 2, 2, 1061, 0 | Size = 899952 bytes | Modified Date = 6/7/2007 2:47:34 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\High School Days [Folder | Modified Date = 6/9/2007 8:34:38 AM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\HJT [Folder | Modified Date = 6/9/2007 3:05:52 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Install programs [Folder | Modified Date = 6/9/2007 3:14:06 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Logs [Folder | Modified Date = 6/7/2007 8:27:08 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Music [Folder | Modified Date = 6/5/2007 8:44:28 AM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Pics [Folder | Modified Date = 6/8/2007 5:06:14 PM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Resume.doc [Ver = | Size = 34816 bytes | Modified Date = 5/31/2007 7:35:56 AM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Shirikye [Folder | Modified Date = 6/6/2007 10:16:32 AM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\Shirikye Revised [Folder | Modified Date = 6/7/2007 7:29:22 AM | Attr = ]
    C:\Documents and Settings\Christopher\Desktop\WinPFind [Folder | Modified Date = 6/9/2007 3:13:44 PM | Attr = ]
    C:\Program Files\Common Files\SupportSoft [Folder | Modified Date = 5/12/2007 10:14:14 AM | Attr = ]
    C:\WINDOWS\$hf_mig$ [Folder | Modified Date = 5/22/2007 2:23:44 PM | Attr = H ]
    C:\WINDOWS\$NtUninstallKB927891$ [Folder | Modified Date = 5/22/2007 2:24:20 PM | Attr = H ]
    C:\WINDOWS\BOOTSTAT.DAT [Ver = | Size = 2048 bytes | Modified Date = 6/9/2007 2:54:42 PM | Attr = S]
    C:\WINDOWS\catchme.exe [Ver = | Size = 87040 bytes | Modified Date = 5/28/2007 4:23:12 AM | Attr = ]
    C:\WINDOWS\Downloaded Program Files [Folder | Modified Date = 5/13/2007 7:27:44 AM | Attr = S]
    C:\WINDOWS\erdnt [Folder | Modified Date = 6/5/2007 11:11:48 AM | Attr = ]
    C:\WINDOWS\Help [Folder | Modified Date = 5/22/2007 3:56:22 PM | Attr = ]
    C:\WINDOWS\INF [Folder | Modified Date = 6/8/2007 8:03:14 AM | Attr = H ]
    C:\WINDOWS\Installer [Folder | Modified Date = 6/6/2007 8:57:30 PM | Attr = HS]
    C:\WINDOWS\mozver.dat [Ver = | Size = 1156 bytes | Modified Date = 5/17/2007 11:56:04 AM | Attr = ]
    C:\WINDOWS\Prefetch [Folder | Modified Date = 6/9/2007 3:13:42 PM | Attr = ]
    C:\WINDOWS\QTFont.for [Ver = | Size = 1409 bytes | Modified Date = 6/8/2007 5:08:56 PM | Attr = ]
    C:\WINDOWS\QTFont.qfn [Ver = | Size = 54156 bytes | Modified Date = 6/8/2007 5:08:56 PM | Attr = H ]
    C:\WINDOWS\SYSTEM32 [Folder | Modified Date = 6/9/2007 3:11:52 PM | Attr = ]
    C:\WINDOWS\temp [Folder | Modified Date = 6/9/2007 3:12:56 PM | Attr = ]
    C:\WINDOWS\Web [Folder | Modified Date = 5/29/2007 7:55:52 PM | Attr = R ]
    C:\WINDOWS\System32\ActiveScan [Folder | Modified Date = 6/8/2007 8:03:18 AM | Attr = ]
    C:\WINDOWS\System32\CatRoot [Folder | Modified Date = 5/12/2007 11:01:40 AM | Attr = ]
    C:\WINDOWS\System32\CatRoot2 [Folder | Modified Date = 6/8/2007 8:03:12 AM | Attr = ]
    C:\WINDOWS\System32\CONFIG [Folder | Modified Date = 6/5/2007 11:12:04 AM | Attr = ]
    C:\WINDOWS\System32\DLLCACHE [Folder | Modified Date = 5/23/2007 6:02:28 AM | Attr = RHS]
    C:\WINDOWS\System32\DRIVERS [Folder | Modified Date = 6/9/2007 3:09:08 PM | Attr = ]
    C:\WINDOWS\System32\FxsTmp [Folder | Modified Date = 6/9/2007 8:42:44 AM | Attr = ]
    C:\WINDOWS\System32\Help.ico [Ver = | Size = 1406 bytes | Modified Date = 6/8/2007 8:03:02 AM | Attr = ]
    C:\WINDOWS\System32\iqptn.exe [Ver = | Size = 99328 bytes | Modified Date = 6/8/2007 4:56:28 PM | Attr = ]
    C:\WINDOWS\System32\pavas.ico [Ver = | Size = 30590 bytes | Modified Date = 6/8/2007 8:03:02 AM | Attr = ]
    C:\WINDOWS\System32\PERFC009.DAT [Ver = | Size = 59466 bytes | Modified Date = 6/5/2007 11:04:08 AM | Attr = ]
    C:\WINDOWS\System32\PERFH009.DAT [Ver = | Size = 393836 bytes | Modified Date = 6/5/2007 11:04:08 AM | Attr = ]
    C:\WINDOWS\System32\PerfStringBackup.INI [Ver = | Size = 460414 bytes | Modified Date = 6/5/2007 11:04:08 AM | Attr = ]
    C:\WINDOWS\System32\Uninstall.ico [Ver = | Size = 2550 bytes | Modified Date = 6/8/2007 8:03:02 AM | Attr = ]
    C:\WINDOWS\System32\WPA.DBL [Ver = | Size = 1170 bytes | Modified Date = 6/9/2007 2:54:58 PM | Attr = ]
    C:\WINDOWS\System32\drivers\avg7core.sys GRISOFT, s.r.o. [Ver = 7.5.0.467 | Size = 777984 bytes | Modified Date = 5/15/2007 8:56:06 AM | Attr = ]
    C:\WINDOWS\System32\drivers\ETC [Folder | Modified Date = 6/7/2007 2:38:06 PM | Attr = ]

    -------------------- File String Scan (Non-Microsoft Only) --------------------
    [PEC2 , ]C:\Documents and Settings\CHRIST~1\My Documents\downloadable_install_wizard.exe (Comcast Cable Communications, LLC )
    @Alternate Data Stream - C:\Documents and Settings\Christopher\Desktop\ATF-Cleaner.exe:Zone.Identifier (26 bytes)
    [UPX! , UPX0 , ]C:\Documents and Settings\Christopher\Desktop\ATF-Cleaner.exe (Atribune.org)
    [UPX! , UPX0 , ]C:\Documents and Settings\Christopher\Desktop\ComboFix.exe ()
    [UPX! , UPX0 , ]C:\WINDOWS\System32\cpuinf32.dll ()
    [PEC2 , ]C:\WINDOWS\System32\DFRG.MSC ()
    [PEC2 , PECompact2 , ]C:\WINDOWS\System32\DivX.dll (DivXNetworks, Inc.)
    [winsync , ]C:\WINDOWS\System32\WBDBASE.DEU ()
    [Thawte Consulting , ]C:\WINDOWS\System32\XceedFtp.dll (Xceed Software Inc (450) 442-2626 support@xceedsoft.com www.xceedsoft.com)
    [UPX0 , WSUD , ]C:\WINDOWS\System32\dllcache\hwxjpn.dll ()
    [PTech , ]C:\WINDOWS\System32\dllcache\mtlstrm.sys (Smart Link)
    [aspack , FSG! , PEC2 , UPX! , ]C:\WINDOWS\System32\drivers\avg7core.sys (GRISOFT, s.r.o.)
    [PTech , ]C:\WINDOWS\System32\drivers\mtlstrm.sys (Smart Link)

    < End of report >
  • edited June 2007
    :) Hi ChibiBifu
    Logs look good, but let's run one online scan to be sure:

    Please do the following...

    step 1
    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
    O4 - HKLM\..\RunServices: [iqptn] C:\WINDOWS\system32\iqptn.exe

    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    step 2
    Please Open notepad and copy/paste the text in the quotebox below into it:
    File::
    C:\WINDOWS\system32\iqptn.exe

    Registry::
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
    "iqptn"=-
    Save this as ComboFix-Do.txt
    Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.
    Combo-Do.gif

    This will start ComboFix again. After reboot, (in case it asks to reboot),

    step 3
    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.

    • The program will launch and then start to download the latest definition files.

    • Once the scanner is installed and the definitions downloaded, click Next.

    • Now click on Scan Settings

    • In the scan settings make sure that the following are selected:
      o Scan using the following Anti-Virus database:
      + Extended (If available otherwise Standard)
      o Scan Options:
      + Scan Archives
      + Scan Mail Bases

    • Click OK

    • Now under select a target to scan select My Computer

    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.

    • Now click on the Save as Text button

    • Save the file to your desktop.

    • Copy and paste that information in your next post.
    step 4
    Open HijackThis
    - Click the Do a system scan and save a log file button

    step 5
    Please, post these logs:
    Kaspersky online scan Report
    combofix.log
    hjt-log
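    The two removal steps above (checking the orphaned BHO and the iqptn RunServices entry in HijackThis, then writing a File::/Registry:: CFScript for ComboFix) follow a pattern that can be scripted. The following is an added Python example, not code from this thread or from the HijackThis or ComboFix authors: it parses O2 and O4 lines in the format HijackThis prints, flags BHOs that have no file behind them and Run entries that launch straight out of the Windows or system32 directory (a review list for the analyst, not a verdict), and renders the selected entries in CFScript syntax. The default `C:\WINDOWS` location and the sample log (lines copied from this thread) are assumptions made for the example.

```python
"""Triage HijackThis O2/O4 lines and emit a ComboFix CFScript for the chosen entries (added example)."""
import ntpath
import re

# HijackThis abbreviates the hive and the Run-key path; expand them back for the CFScript.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY_BASE = r"software\microsoft\windows\currentversion"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")

# Constructed sample: O2/O4 lines as they appear in the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [iqptn] C:\WINDOWS\system32\iqptn.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
"""


def parse_hjt(log_text):
    """Return a dict per O2 (BHO) and O4 (registry Run) line; every other HJT line is ignored."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"kind": "O2", **m.groupdict()})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"kind": "O4", **m.groupdict()})
    return entries


def exe_from_command(cmd):
    """Pull the program path out of an O4 command line, quoted or not, dropping any arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = re.match(r"(?i)^(.*?\.exe)", cmd)
    return m.group(1) if m else cmd.split(" ")[0]


def orphan_bhos(entries):
    """CLSIDs of BHOs whose DLL no longer exists; HijackThis prints '(no file)' as the target."""
    return [e["clsid"] for e in entries if e["kind"] == "O2" and e["target"] == "(no file)"]


def system_dir_autostarts(entries, windir=r"C:\WINDOWS"):
    """O4 entries whose executable sits directly in %WINDIR% or system32 (assumed C:\\WINDOWS here).

    Legitimate programs live there too, so this is a list for the analyst to review, not a verdict.
    """
    system_dirs = {windir.lower(), ntpath.join(windir, "system32").lower()}
    hits = []
    for e in entries:
        if e["kind"] != "O4":
            continue
        exe = exe_from_command(e["cmd"])
        if ntpath.dirname(exe).lower() in system_dirs:
            hits.append({**e, "exe": exe})
    return hits


def build_cfscript(entries):
    """Render a CFScript: File:: lists paths to delete, Registry:: removes each Run value via "name"=-."""
    by_key = {}
    for e in entries:
        key = f"[{HIVES[e['hive']]}\\{RUN_KEY_BASE}\\{e['key'].lower()}]"
        by_key.setdefault(key, []).append(f'"{e["value"]}"=-')
    out = ["File::"] + [e["exe"] for e in entries] + ["", "Registry::"]
    for key, values in by_key.items():
        out.append(key)
        out.extend(values)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    found = parse_hjt(SAMPLE_LOG)
    print("orphaned BHOs (fix with HijackThis):", orphan_bhos(found))
    print(build_cfscript(system_dir_autostarts(found)))
```

    Run as a script, it prints the same CFScript the helper posted above for the sample. The `"name"=-` form in the Registry:: block is the .reg-file convention ComboFix follows to delete a value rather than set it; the orphaned BHO is reported but not scripted, because the thread removes that with HijackThis's Fix Checked instead.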
  • edited June 2007
    For some reason once again, I was unable to get through to the online site you posted. After clicking on the link, it takes me to a page that asks if I agree or disagree on a policy but goes no further after clicking agree.

    As for the logs,

    Logfile of HijackThis v1.99.1
    Scan saved at 2:51:03 PM, on 6/11/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\System32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    C:\WINDOWS\web\aolspy.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\wanmpsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\BitTorrent_DNA\dna.exe
    C:\Program Files\Impulse\PolicyKey.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\conime.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\Christopher\Desktop\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
    O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [HydraVisionDesktopManager] C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe
    O4 - HKLM\..\Run: [tgcmd] C:\Program Files\Support.com\bin\tgcmd.exe /server /startmonitor /deaf
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: PolicyKey.lnk = C:\Program Files\Impulse\PolicyKey.exe
    O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
    O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 3.0\resources\en-US\local\search.html
    O8 - Extra context menu item: Open Client to monitor &1 - C:\WINDOWS\web\AOpenClient.htm
    O8 - Extra context menu item: Open Client to monitor &2 - C:\WINDOWS\web\AOpenClient.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {01012101-5E80-11D8-9E86-0007E96C65AE} (SupportSoft Script Runner Class) - http://www.symantec.com/techsupp/asa/ctrl/tgctlsr.cab
    O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec.com/techsupp/asa/ctrl/LSSupCtl.cab
    O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1146318712046
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
    O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
    O23 - Service: AOL Anti-Spyware Service (AOL_SpywareServ) - Unknown owner - C:\WINDOWS\web\aolspy.exe
    O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    "Christopher" - 2007-06-11 14:43:53 Service Pack 2 NTFS
    Command switches used :: ""C:\Documents and Settings\Christopher\Desktop\ComboFix-Do.txt""


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\iqptn.exe


    ((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))


    2007-06-10 14:07 <DIR> d-------- C:\Program Files\Common Files\Blizzard Entertainment
    2007-06-10 13:57 <DIR> d-------- C:\Program Files\World of Warcraft
    2007-06-05 11:15 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-05-17 11:56 1,156 --a------ C:\WINDOWS\mozver.dat
    2007-05-14 12:52 <DIR> d-------- C:\Program Files\BitTorrent_DNA
    2007-05-14 12:52 <DIR> d-------- C:\DOCUME~1\CHRIST~1\APPLIC~1\DNA
    2007-05-12 16:27 439,296 --a------ C:\DOCUME~1\CHRIST~1\GoToAssist_phone__317_en.exe
    2007-05-12 10:14 <DIR> d-------- C:\Program Files\Common Files\SupportSoft


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-11 13:25:53 41,494 ----a-w C:\DOCUME~1\CHRIST~1\APPLIC~1\wklnhst.dat
    2007-06-07 10:56:48 -------- d-----w C:\Program Files\Microsoft AntiSpyware
    2007-05-16 16:11:43 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\BitTorrent
    2007-05-14 16:53:37 -------- d-----w C:\Program Files\BitTorrent
    2007-05-13 11:20:59 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Viewpoint
    2007-05-11 01:33:31 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-04-30 21:02:19 -------- d-----w C:\Program Files\Google
    2007-04-20 18:34:47 -------- d-----w C:\DOCUME~1\CHRIST~1\APPLIC~1\Google
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2002-08-29 10:00:00 520,192 -csha-w C:\WINDOWS\RegisteredPackages\{DD90D410-1823-43EB-9A16-A2331BF08799}$BACKUP$\System\wmplayer.exe
    2005-05-13 17:40:10 56 -csh--r C:\WINDOWS\SYSTEM32\F1EF70BCD8.sys
    2005-05-13 17:40:10 1,890 -csha-w C:\WINDOWS\SYSTEM32\KGyGaAvL.sys


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-03-02 13:02]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\Program Files\Spybot - Search & Destroy\SDHelper.dll [2005-05-31 01:04]
    {5CA3D70E-1895-11CF-8E15-001234567890}=C:\WINDOWS\system32\dla\tfswshx.dll [2004-03-15 02:04]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {7C554162-8CB7-45A4-B8F4-8EA1C75885F9}=C:\Program Files\AOL\AOL Toolbar 3.0\aoltb.dll [2005-11-30 14:17]
    {9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar2.dll [2007-04-30 16:20]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HydraVisionDesktopManager"="C:\Program Files\ATI Technologies\ATI HYDRAVISION\HydraDM.exe" [2003-09-15 21:00]
    "tgcmd"="C:\Program Files\Support.com\bin\tgcmd.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2004-08-06 14:24]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-21 08:47]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "BitTorrent"="C:\Program Files\BitTorrent\bittorrent.exe" [2007-03-01 19:11]
    "msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-04-30 16:20]
    "DNA"="C:\Program Files\BitTorrent_DNA\dna.exe" [2007-05-14 12:52]
    "Aim6"="C:\Program Files\AIM6\aim6.exe" [2006-11-07 11:29]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{9EF34FF2-3396-4527-9D27-04C8C1C67806}"="C:\Program Files\Microsoft AntiSpyware\shellextension.dll" [2005-11-15 13:12]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 10:13]


    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    **************************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-11 14:47:32
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-11 14:48:34
    C:\ComboFix-quarantined-files.txt ... 2007-06-11 14:48
    C:\ComboFix2.txt ... 2007-06-09 15:12
    C:\ComboFix3.txt ... 2007-06-07 14:30

    --- E O F ---

    One more question I had was ever since I started posting here, almost every program I was asked to download and install, I kept in the end. Would it have been better to have deleted them from the computer after using them?

    I want to thank you again for checking out my PC's problems.
  • edited June 2007
    :) Hi ChibiBifu

    Would it have been better to have deleted them from the computer after using them? Yes

    Please do the following...

    step 1
    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)

    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    step 2
    Download Dr.Web CureIt to the desktop:
    Double-click the drweb-cureit.exe file and allow it to run the express scan.
    This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    Once the short scan has finished, Click Options > Change settings
    Choose the "Scan"-tab, remove the mark at "Heuristic analysis".
    Back at the main window, mark the drives that you want to scan.
    Select all drives. A red dot shows which drives have been chosen.
    Click the green arrow at the right, and the scan will start.
    Click 'Yes to all' if it asks if you want to cure/move the file.
    When the scan has finished, check whether you can click the following icon next to the files found:
    check.gif
    If so, click it and then click the next icon right below and select Move incurable as you'll see in next image:
    move.gif
    This will move it to the %userprofile%\DoctorWeb quarantine folder if it can't be cured (in case we need samples).
    After selecting, in the Dr.Web CureIt menu on top, click file and choose save report list
    Save the report to your desktop. The report will be called DrWeb.csv
    Close Dr.Web Cureit.
    Reboot your computer!! Because it could be possible that files in use will be moved/deleted during reboot.
    After reboot, post the contents of the log from Dr.Web you saved previously in your next reply

    step 3
    Please, post
    DrWeb.csv
  • edited June 2007
    Hi. Sorry for the wait.

    Since I didn't have a program to open the file that Dr.Web produced, I opened it with Internet Explorer and this was all that came up.

    WxBug.EXE;C:\Program Files\AIM\Sysfiles;Adware.Aws;Incurable.Moved.;
    Process.exe;C:\SDFix\SDFix\apps;Tool.Prockill;Incurable.Moved.;
    Is that okay?
  • edited June 2007
    :wink: Hi ChibiBifu
    Looks good...are you having any problems with your system?
    Don't worry
    Process.exe is an SDFix tool, and WxBug.EXE is a component of AOL Messenger.
    You have a program called Bittorrent installed....It's your choice if you want to use P2P filesharing programs, but be aware that they can be a significant cause of malware intrusion to your system.

    Please do the following...

    Open HijackThis
    - Click the Do a system scan only button
    - Check the following entries (below)

    O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
    You can fix these (blue lines) with HijackThis, if you want. This could speed up your computer's startup.
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [DNA] "C:\Program Files\BitTorrent_DNA\dna.exe"
    O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE

    Close ALL open windows
    Click Fix Checked
    Close HijackThis

    Now that you are clean, please follow these simple steps in order to keep your computer clean and secure

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    Watch what you download!
    Many freeware programs, and P2P programs like Grokster, Imesh, Kazaa and others (which are amongst the most notorious), come with an enormous amount of bundled spyware that will eat system resources, slow down your system, clash with other installed software, or just plain crash your browser or even Windows itself. If you insist on using a P2P program, please read This Article written by Mike Healan of Spywareinfo.com fame. It is an updated and comprehensive article that gives in-depth detail about which P2P programs are "safe" to use.
    Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
    AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
    SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.
    IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
    Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klei
    Happy surfing and stay clean! :thumbsup:
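As an added example (not from this thread, and not part of HijackThis itself), a small Python parser for the O2 and O4 entries quoted above: it splits each autostart into executable path and arguments and flags the BHO whose CLSID points at `(no file)`, the kind of orphaned registration that can be fixed without losing anything. The sample lines are constructed from the post.

```python
import re
from dataclasses import dataclass

# Constructed sample built from the HijackThis entries quoted in the post above.
HJT_LINES = r"""
O2 - BHO: (no name) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

@dataclass
class Entry:
    section: str   # "O2" (browser helper object) or "O4" (autostart)
    location: str  # CLSID for O2; registry hive\key or "Global Startup" for O4
    label: str     # BHO name, Run value name or shortcut name
    path: str      # DLL/EXE path, or "(no file)" when the target is gone
    args: str      # command-line arguments, empty if none
    orphan: bool   # True for a registration whose file no longer exists

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
O4_REG_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>[^:]+): \[(?P<label>[^\]]*)\] (?P<cmd>.*)$")
O4_GS_RE = re.compile(r"^O4 - Global Startup: (?P<label>.*?) = (?P<cmd>.*)$")
# A command is either a quoted path, or an unquoted one read up to its .exe/.com/.scr extension
# (so unquoted paths containing spaces stay whole), followed by optional arguments.
CMD_RE = re.compile(r'^(?:"(?P<q>[^"]+)"|(?P<u>.*?\.(?:exe|com|scr)))(?:\s+(?P<args>.*))?$', re.I)

def split_command(cmd: str) -> tuple:
    # Return (path, args) for an O4 command line.
    m = CMD_RE.match(cmd.strip())
    if not m:
        return cmd.strip(), ""
    return (m.group("q") or m.group("u")), (m.group("args") or "")

def parse_hjt(text: str) -> list:
    # Parse the O2 and O4 lines of a HijackThis log into Entry records; other lines are ignored.
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := O2_RE.match(line):
            path = m.group("path")
            entries.append(Entry("O2", m.group("clsid"), m.group("name"), path, "", path == "(no file)"))
        elif m := O4_REG_RE.match(line):
            path, args = split_command(m.group("cmd"))
            entries.append(Entry("O4", f"{m.group('hive')}\\{m.group('key')}", m.group("label"), path, args, False))
        elif m := O4_GS_RE.match(line):
            path, args = split_command(m.group("cmd"))
            entries.append(Entry("O4", "Global Startup", m.group("label"), path, args, False))
    return entries
```

Entries with `orphan == True` are the safe-to-fix ones; the remaining O4 records give you path and arguments side by side, which is what you compare against the installed software before deciding what to remove from startup.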
  • edited June 2007
    Hi,

    I don't know how I missed this thread for so long. I must have missed the e-mail that informed me of a reply.

    Everything is going good. Thank you for all of your help and time. :D